Phishing is the act of impersonating a legitimate organization in an e-mail in order to scam the recipient into surrendering private information that can then be used for identity theft. The e-mail directs the user to visit a bogus website where they are asked to update personal information, such as account passwords or credit card, Social Security, and bank account numbers, all of which the real organization should already have on file. The term phishing was coined in the mid-1990s by hackers who would pose as AOL staff members and send instant messages to potential victims asking them to reveal their passwords, commonly using such phrases as “please verify your account” and “confirm your billing information.” Once the victim handed over the password, the attacker would access the victim’s account and use it for criminal purposes and other nefarious acts such as spamming.

eBay was used as the bait for a phishing scam in November 2003, when e-mail notifications were sent to its customers asking them to update their accounts. Doing so required them to provide credit card information, ATM personal identification numbers, Social Security numbers, dates of birth, and their mothers’ maiden names. Since it is fairly simple to replicate a website by copying and modifying its HTML code, many people thought the e-mails were legitimate and that they were actually being contacted by eBay. Everyone who gave out his or her personal identification became a potential victim of identity theft. Other online organizations such as PayPal, banks like Citibank and Bank of America, Internet service providers such as Yahoo, MSN, and AOL, as well as insurance agencies have all been used by phishers to lure customers into giving away valuable personal information.

Congress passed the Identity Theft and Assumption Deterrence Act in 1998, which made identity theft a federal crime punishable by as many as 15 years in prison. However, this doesn’t seem to have had much of an impact on scammers, who have intensified their phishing attacks by using worms and spyware to divert consumers to fraudulent sites without their knowledge. According to several estimates, 57 million people have been subject to phishing attacks involving at least 122 well-known brands so far. And according to the Anti-Phishing Working Group, the United States continues to be the top geographic location for hosting phishing sites, with more than 32 percent. Other top countries include China (12 percent), Korea (11 percent), Japan (2.8 percent), Germany (2.7 percent), France (2.7 percent), Brazil (2.7 percent), Canada (2.1 percent), and India (2.1 percent).

Microsoft suggests the following five ways to help protect oneself from phishing scams:

  • Never respond to requests for personal information via e-mail or in a pop-up window. If in doubt, call the institution that claims to be the sender of the e-mail or pop-up window.
  • Visit websites by typing the URL into your address bar.
  • Check to make sure the website is using encryption.
  • Routinely review your credit card and bank statements.
  • Report suspected abuses of your personal information to the proper authorities.

As phishing attempts become more and more common, consumers are likely to become increasingly skeptical of e-mail communications from companies with which they hold accounts. Hopefully consumers will continue to use and trust e-mail as part of their business relationship with these companies, even though they must remain ever vigilant against fraud.