In the March 29, 2006 edition -
By Tom Regan
If your e-mail smells 'phishy,' hit the delete key.
A record 9,715 phishing sites were reported in January. Most of these
scams involved six well-known brands.
They almost got me. The e-mail from PayPal said that my account had a
problem. To correct some faulty information, I was instructed to click
on a link included in the message. Well, I didn't have a PayPal
account, but I knew my wife did. Perhaps she had given my name or
e-mail address as a backup.
But my spider-sense was tingling, so I decided not to use the link,
but to visit PayPal's website directly. And that's when I saw the
notice about the scam. Someone had been phishing, and I was almost
No, it's not a misspelling. Phishing has become the most pervasive
form of criminal activity on the Internet today. Using a variety of
methods, phishers send out e-mails that look like they are from
legitimate companies or organizations. The messages lead people to
fake websites where they try to collect personal financial
In the 10 years that phishing has existed, it's grown from rather
clumsy operations to much more sophisticated endeavors. Law
enforcement officials believe some are run by organized crime rings
from around the world. According to one recent estimate, computer
users in the US lost more than $929 million to these scams over one
These days the phishers also plant software (known as 'crimeware') on
people's computers that records their keystrokes. The information is then
sent back to scammers. Another trick is to get people to visit the
actual websites of a company, but through a means created by the
phishers which allows them to record your keystrokes.
According to the Anti-Phishing Workgroup (http://www.antiphishing.org),
a record 9,715 phishing sites were reported on the Web in January.
About 80 percent of these scams involved six well-known brands. (One
that I have been receiving recently was a regular stream of e-mails
telling me about problems with my "Chase" account.)
The vast majority of these operations are based in the US, with Korea
and China close behind. And here's a mind-boggling stat: Most of these
sites only last an average of five days. So these folks run the scam,
hook as many people as they can, and then get out of Dodge before the
law can catch them.
Phishing is increasingly becoming a concern to Internet users, says
Joe Laszlo, senior analyst for Jupiter Research in New York. When
consumers were asked recently about what bugged them about the
Internet, 53 percent said spam (no surprise there), but 35 percent
said phishing, Mr. Laszlo notes.
"No matter how Internet savvy you are, all it takes is one time for a
scam to fool you," he says. "And there is no depth to which the
phishers won't sink. They will do anything to trick you."
After Hurricane Katrina struck last year, numerous e-mails spoofing
the Red Cross appeared, as phishers tried to take advantage of
people's desire to help people in the Gulf Coast. Recently, these scam
artists have been spoofing the IRS in an attempt to use tax season as
a way to trick people into divulging their personal information.
Software companies and law enforcement agencies are trying to do
something about phishing. Last week, Microsoft announced it was taking
legal action against 100 phishing operations based in Europe, Africa,
and the Middle East. This follows a similar initiative by the company
against 117 suspects in the US.
And in late February, AOL used a new Virginia antiphishing law to go
after 30 phishers working for three international groups.
The increase in phishing is also behind the move by companies like AOL
and Yahoo to offer "certified e-mail," Laszlo says. This type of
e-mail costs a certain amount per message but ensures that the message
comes from the people who sent it. The idea of paying for e-mail of
any kind has raised objections from consumer groups and free-speech
advocates. But it was recently endorsed by the Red Cross, after its
experience with the Katrina scam.
Regardless of whether certified e-mail becomes a reality, you remain
your own best protection against phishing. Beware any e-mail from a
bank, financial company, or even the IRS, which indicates you need to
visit their site to "fix" a problem, or because your "account is about
to expire." Don't act until you visit the company's website first, or
call it on the phone, to find out if any alerts exist about phishing
scams. Better to take extra time examining the worm on the hook than
to be caught, landed, and gutted by an expert phisher.
http://www.csmonitor.com | Copyright 2006 The Christian Science Publishing
[TELECOM Digest Editor's Note: It would have been good if Mr. Regan
had mentioned the origin of the spelling of the term 'phishing'.
Quite a number of years ago, when a small cross section of the public
who were _not_ telephone company employees (which actually is the
vast majority of us, since we are not employed by telco) began to show
an inordinate degree of interest in the workings of telco (unusual if
you are not employed by telco) their 'hobby' or 'interest' earned them
the label of freaks where telco procedures and the instruments were
concerned. Those 'freaks' disliked that word, which is disparaging,
and adapted its spelling to what, in their opinion, was a less disparaging
spelling: Since /f/ and /ph/ phonetically sound the same anyway, the
freaks began spelling it 'phreaks'.
Ditto the word 'fraud' which could be spelled 'phraud'. Basically,
they took words which begin with /f/ and began spelling them with /ph/
instead. Or at least, those words which they felt reflected a more
'positive' spin on things. I do not think the freaks ever did convert
the word 'fraud' since there is very little, if any, positive use of
that word. But I think you get my point.
Then along came the words 'fishing' and 'fish' and 'fisherman'. The
meaning of the words is pretty obvious, especially when used in
connection with a 'stream' which usually refers to a moving body of
water, or as in more recent times, a body of data (such as a newsgroup)
that moves along down the stream between one site and another. On the
perhaps erroneous assumption that all phreaks are bad people out to
damage or destroy telco, someone about a decade or so ago decided to
use the same phonetic spelling on 'fish' and variations that had been
done with 'freak' and variations. I do not think most phreaks (who by
and large consider themselves an educational and positive force in
telecommunications) approve of the same thing being done to 'fish'.
Picture, if you will, a man with a rod and pole sitting on the side of
a smelly old cess pool or septic tank amusing himself by examining all
the rotten stuff pulled out of the water. So 'phishermen' rely largely
on social engineering the way many 'phreaks' used to do to get the
required information needed to make their schemes work. Just as ESS
and more sophisticated telephone switching and billing systems
required that phreaks get more sophisticated in their ways, likewise
the 'phishermen' had to adapt as well. Anyway, to make a short story
long, the obvious misspelling of 'fisherman' and 'fishing' got its
start as a take off on freaks and 'phreaks'. PAT]