How to tell friend from fraud when e-mail smells `phishy'

February 03, 2005|By Mike Himowitz

IF YOU'VE ever been hooked, or even tempted by an e-mail that lures you to a phony "phishing" Web site, there's good news and bad news.

The good news is that the phenomenal month-by-month increase in phishing attacks over the past year appeared to taper off as the 2004 holiday shopping season ended, according to the Anti-Phishing Working Group, an association of banks, businesses, law enforcement agencies and other institutions that tracks this particularly insidious brand of Internet fraud.

The bad news: There were still more than 1,700 active phishing sites operating during December, and many were more sophisticated than ever in disguising their attempts to entice you into revealing credit-card and bank account numbers, secure passwords and other critical information.

If you've never seen one of these come-ons, consider yourself lucky. Typically they arrive in your e-mail box with the appearance of a legitimate communication from a bank, retailer or Internet service provider. Often they'll report that there's an issue with your account, and provide a link to a Web page where you can rectify the problem.

The Web page looks real enough -- right down to the corporate logo and a Web address that appears to be legitimate at first glance. But if you take the bait and enter an account number, password or Social Security number, you're in for a world of trouble. On the other side of that Web page is a crook waiting to steal your identity, drain your bank account, run up huge credit card bills and otherwise wreak havoc on your personal and financial life.

Among the scariest are sites that don't require you to enter any information - just visiting the page can trigger an unsecure Web browser into downloading an invisible program known as a keystroke logger. This virulent form of spyware monitors everything you type and sends it back to a crook's computer, bypassing many security programs.

This is yet another good reason to keep your operating system up to date. As I mentioned last week, Microsoft regularly posts security patches that plug many of these security holes, including Service Pack 2 for Windows XP. You can get them at

The best protection against phishing is to ignore e-mail that appears to ask for account information or leads you to a site that requests it. As a rule, financial institutions and retailers don't handle account problems through e-mail. If there is an issue with your account, it will generally show up when you visit the institution's Web site through the front door - by typing the URL into your Web browser and logging on through the home page.

But some businesses do send legitimate messages with special offers and routine requests for e-mail address updates, which can make it difficult to sort out the scammers.

If you want to test your skill at telling friend from fraud in the phishing game, take an online exam offered by MailFrontier, a publisher of anti-spam and anti-phishing software.

It displays images of actual e-mail that purport to come from large companies such as Chase, Paypal, Bank of America, Amazon, eBay, MSN and Earthlink. Your job is to decide whether each one is real or fake (or admit that you can't decide). When you're through, it will report your score, along with a page that analyzes each e-mail and explains why it's phony or legit.

I consider myself pretty good at this kind of thing, but I got only 8 out of 10 right. Luckily, I erred on the side of caution and checked off two frauds that were legitimate e-mail. Which is why it's a good idea to ignore any links in these messages and - if you think there's a real problem - respond by visiting the company's Web site directly or calling its customer help line.

Think you can do better than I did? Take the phishing test yourself at

For help in spotting phishing and reports of the latest attacks, visit And for a Web browser toolbar that tracks and blocks known phishing sites, visit Earthlink, which provides the tool free of charge to all users. It's available at

Second looks

Four years ago I reviewed a startup online lookup service called GuruNet, which turned out to be one of the niftiest information services on the Web.

GuruNet's free downloadable software lurked in the background of Windows, waiting for users to hold down the ALT key and click on a word or phrase anywhere on the screen - in a Web page or word processing document, for example. A second or two later, a Web browser window appeared with a dictionary definition of the word, an encyclopedia article on the topic and other related links.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.