Users Find Too Many Phish in the Internet Sea
By DAVID F. GALLAGHER
You can be whatever you want to be on the Internet - even if you want to be Citibank.

A recent flood of fake Citibank e-mail messages demonstrates the growing arsenal of technical and psychological tricks that online tricksters, called phishers, are using to get people to divulge personal information.

Hackers first coined the term phishing in the mid-1990's to refer to the art of stealing America Online accounts. But e-mail messages collected by the Anti-Phishing Working Group, an industry association, show that phishers are now going where the money is. In the group's June report, the most recent available, it said it had seen 492 different mass-mailings intended to fool Citibank customers. That compared with 285 aimed at eBay users.

The messages, and the fake Web sites they direct recipients to, are loaded with tricks that in some cases circumvent the tips once given to consumers about how to avoid online fraud. For example, one trick masks the address bar in the Web browser to conceal the true address of the site. And in the last year or so, senders have learned a new technique: proper spelling and grammar.

"It's survival of the fittest," said Jon Oliver, chief messaging security officer at MailFrontier, a maker of spam- and fraud-fighting software.

One fake Citibank message managed to impress a specialist in online marketing. "From a marketer's point of view - and I'm pretty brand-conscious - it struck me as being realistic," said Lawrence Hefler, vice president of e-business and strategic alliances at Hilton Grand Vacations and the chairman of the Direct Marketing Association's Internet committee.

"The hot buttons are there," he added. "Clearly people are very conscious of privacy, but because of that consciousness they're aware of the identity theft issue, and that's the first thing they talk about in the e-mail."

A Citibank spokesman listed a number of steps the bank is taking to fight the scams, including educating customers, but he declined to discuss how much damage they had done.

Big Internet companies are trying to plug some of the larger security holes exploited by phishers and spammers - for example, the ease with which the return address on a message can be faked.

Microsoft has been trying to win support for a Sender ID system that could spot messages sent from machines that were not authorized to use a domain name like citibank.com in return addresses.

But last Thursday, America Online rejected Microsoft's approach, in part because groups supporting open-source software had objected to using Microsoft-owned technology. AOL said it would adopt a different system.

Such approaches would not stop fraudsters from using fake domain names like citibank-security.com. It may be some time before businesses like Citibank are able to stop the theft of their own identities.