Account Security Tips
'Phishing' Scam Uses FDIC as Bait
By Don Oldenburg
Washington Post Staff Writer
Tuesday, February 3, 2004; Page C10
Jim Morris says he was skeptical last week when he received two nearly identical e-mails six minutes apart, both purporting to come from the Federal Deposit Insurance Corp. "This thing was slick enough that I could easily see someone falling for it and really getting taken to the cleaners," says Morris, a savvy computer user who immediately right-clicked the e-mails to access document properties and see who really sent them. Neither came from the FDIC.
Morris, co-owner of an environmental consulting firm in Jarrettsville, Md., had found perhaps the boldest "phishing" expedition so far to hit the in-boxes of unsuspecting Americans in search of private financial information.
The spam had an authoritative letterhead and tone, and stated that Homeland Security Secretary Tom Ridge had advised the FDIC to suspend deposit insurance on the recipient's bank account due to suspected violations of the USA Patriot Act. To reactivate the insurance, the recipient had to verify personal information, including bank account numbers -- via the link that supposedly connected to the FDIC. The phony site mimicked the real FDIC home page.
Washington resident Margaret Bressette got a similar e-mail -- hers from "U.S. Bank." It said her account had been closed after being "compromised by criminals involved in money laundering, illegal drugs, terrorism" and said her account would be frozen until she "verified her identity" by providing credit card and ATM numbers and PINs. The Web site appeared to be connected with the legitimate U.S. Bancorp Web site. Bressette, a Foreign Service retiree, wasn't fooled by the spam but still felt relieved when her debit card worked at the grocery store.
Since the Consummate Consumer reported on unscrupulous phone-callers trying to entice people to divulge private financial information by impersonating credit-card security agents ("Don't Get Hooked by Phishing," Jan. 20), so-called phishing scams have spread rapidly in the bottom-feeder world of spamming. "They are a growing problem to say the least," says FBI spokesman Paul Bresson.
Designed to appear as legitimate e-mails from trusted institutions such as banks, government agencies and online companies, phishing spams and their bogus Web links are a guise for identity-theft crooks. In the recent past, they have used mock-up Web sites to resemble those of PayPal, eBay, Best Buy and Citibank. One even masqueraded as the FBI. "That just goes to show that they're not going to stop at anything," says FDIC spokeswoman Elizabeth Ford.
After the FDIC issued a warning last week, 8,000 people who received the bogus e-mail contacted the FDIC hotline and Web site. Of those, 39 had provided their personal information, says FDIC spokeswoman Elizabeth Ford.
Marty Lindner of US-CERT (the U.S. Computer Emergency Readiness Team, a new partnership between Homeland Security's National Cyber Security Division and the private sector) says, "There is clearly a market and people who are willing to click on these things and follow through with them."
You don't have to fool most of the people to make phishing spams profitable, says Doug Peckover, founder and president of Privacy Inc. "We see one in 100,000 to be profitable," he says, explaining that phishing scammers will spam 5 million e-mail addresses to harvest 50 identities.
"These are two major problems -- spam and identity theft -- that are suddenly being served up in a very dangerous way," says Peckover, whose Dallas-based company last month launched a $39.95-a-year service, My Privacy Policy, that blocks spams and phishing scams.
Ford advises consumers who were fooled to contact their banks immediately: "If they gave out their ATM number and PIN, they need to figure out the best approach with their bank . . . such as closing the account," she says. "Our main message is that consumers should never provide personal financial information in response to unsolicited requests, no matter how legitimate they may appear."
WHERE TO GET HELP
If you provided personal information to the bogus FDIC Web site, contact your bank immediately. For more information, contact the FDIC's Call Center at 877-275-3342 or look for updates online at http://www.fdic.gov/*. Report suspect e-mail and phishing spam to the Internet Fraud Complaint Center -- a partnership between the FBI and the National White Collar Crime Center -- at http://www1.ifccfbi.gov/*
Forward suspicious spams to the Federal Trade Commission at uce@ftc.gov. To file a complaint with the FTC online, go to http://www.ftc.gov/; by phone, call 877-FTC-HELP. The FTC's Identity Theft Web site (http://www.ftc.gov/idtheft*) has more information on phishing and how to protect yourself if you've been victimized.
- If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.
- Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.
- Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
* Please note: you are leaving the TFCU website and linking to a third-party website. TFCU is not responsible for the content, privacy practices, or operation of the third-party website. TFCU represents neither the third party nor the member if you enter into a transaction. You are encouraged to read the privacy and security policies on the site you are entering, as they may differ from those of TFCU. This link is provided for the convenience of TFCU members only.