Phishing Schemes Getting Sneakier

Phishing schemes are getting harder to detect as criminals refine their methods and develop more efficient ways to trick you into giving them your logon information.

Phishing is a scam using emails that look like they're from banks or other businesses and ask a computer user for a bank account number, Social Security number or other personal information.

The scammers -- usually organized crime groups in Eastern Europe, Russia and Africa -- use the information to transfer money out of your account, run up a bill on your credit card or steal your identity. The computer fraud increased 28 percent in the 12 months ending May 2005, according to the Connecticut-based research firm Gartner Inc.

An estimated 73 million adults report they "definitely" received a phishing e-mail, or a message that "looked like one." More than 2 million people lost a total of almost $929 million. The term "phishing" stems from the "phone phreakers" of the 1970s who scammed their way into free long-distance phone calls. Now, the scammers are fishing for information and the name is a nod to their predecessors, says Peter Cassidy, secretary general of the Anti-Phishing Working Group, a nonprofit research and educational organization in Cambridge, Mass.

PayPal, an eBay-owned online system that sends and receives payments, is the No. 1 organization phishers impersonate. The auction giant eBay is No. 2, and Citibank is the primary bank target, followed by other big banks.

Often the scam e-mails alert a person to a problem -- an unauthorized transaction on an account or information that needs to be verified.

According to the Federal Trade Commission, emails often read like this: "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity." (http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm)

The urgency often dupes people into clicking on a link that leads to a Web site that looks exactly like their bank's site, including the company logo and other information. Computer users are asked to fill in the information boxes that look just like the ones banks use.

The impostor sites are gone two weeks later, leaving authorities little to investigate. Clicking the link can download what is called a "key logger" that sits quietly on your computer. It wakes up when you visit a banking site and tracks the keystrokes you type, gathering your user name and password and sending it to the scammer, Cassidy says.

Similar programs can search your hard drive for confidential information and send it back to the scammer.

Programs can also be planted on computers that redirect you to a fake site when you type in the address of the real one. Computer users can also be directed to fake sites when they make a spelling error in a Web address.

And results of searches can be poisoned, with fake sites showing up high on a list when a person searches for an authentic company.

The scammers are hard to catch, says detective Kevin Wiens in the computer crimes unit at the Fresno County Sheriff's Department.

"It's a very difficult investigation to do," Wiens says. "We can take the case...until it goes overseas, and then it ties our hands as to what we can do about it."

Local authorities contact federal agencies, including the FBI, Justice Department and Secret Service, to investigate the crime.

The scam is becoming more sophisticated, with e-mail senders impersonating smaller banks and credit unions. The University of Kentucky Federal Credit Union was the target of a phishing attack this year.

"The criminals are real enterprising folks," says Scott Ingram, Education Employees Credit Union's vice president of marketing. "They're always coming up with something new."

"There's not anything we can do really," says Dan Doyle, president and CEO of Central Valley Community Bank. "It's a matter of trying to help educate our customers, our consumers that these types of things are going on."

Banks must reimburse individuals for money stolen, but they have more discretion with business accounts, Cassidy says.

Although the number of computer users who fall victim to the crime is low, the scam keeps spreading, Cassidy says.

"The phishers still keep at it, which tells me phishers are making enough money to make a go of it."

More Fraud Guides Phishing Information