Alert
Close

Watch the NASCAR race on Sunday at Martinsville Speedway. Join the Drive to End Hunger!

Highlights

Open

You and Your Town Contest-You could win an AARP RealPad

AARP Auto Buying Program

Contests and
Sweeps

$10,000 Winter Escapes Sweepstakes

Beat the cold and cozy up to a chance of winning $10,000! See official rules.

Driver Safety

Piggy bank on the road - AARP Driver Safety

Take the new AARP Smart Driver Course!

AARP Books

Visit the Money Section

Enjoy titles on retirement, Social Security, and becoming debt-free.

Jobs You Might Like

most popular
articles

Viewed

Gone Phishing: The Internet and Identity Theft

This and Related Reports

Table of Contents:

Phishing Defined

Phishing is a form of Internet fraud that involves sending an email message to an Internet user falsely claiming to represent a legitimate enterprise. This is done in an attempt to trick the user into visiting a fraudulent website and disclosing sensitive personal information that would then be used to commit identity theft. Phishing is a play on the word, "fishing," since the phisher is putting out bait in the hope that at least some people will be enticed to respond to the message.1

The Anti-Phishing Working Group (APWG), an industry-sponsored association, estimates that 75 million to 150 million phishing emails are sent daily.2 Despite the fact that many of these messages are blocked by spam filters and never reach Internet users, it is estimated that a well-designed phishing email campaign can have response rates of up to 5 percent.3

Phishers often choose to target large financial institutions known to have a significant online customer base. This is done with the knowledge that a certain percentage of the email message recipients will be actual customers of the institution and likely to believe that the message is legitimate. Typically, the message attempts to spur the user to act before some adverse consequence occurs, such as having one's account cancelled or blocked.

Also targeted are websites belonging to Internet service providers, retailers, and even government agencies. Chart 1 illustrates the breakdown of industry sectors that were targeted most frequently by phishing attacks during April 2005.

Chart 1. Industry Sector Most Targeted by Phishing Attacks April 2005


Once users have contacted the fraudulent website, they are asked to provide or update personal information, such as credit card or bank account number, account username, password, security code, Social Security number, or other sensitive personal information that is already held by the legitimate organization.

After collecting the information, the phisher will often sell the victim's personal information via the Internet to others who intend to use the information to commit fraud.4 With their personal information compromised, the victim is at risk of a number of possible frauds:

  • The information can be used to access existing financial accounts.
  • The information can be used to apply for credit and open new accounts in the victim's name.
  • The information can be used to hijack the victim's computer and use it as a platform to disseminate phishing and spam email messages to others.

The Increase in Phishing Attacks

Phishing frauds have become increasingly easy to perpetrate, with ready-made phishing toolkits and email address lists available for purchase on the Internet.5 The APWG, which regularly tracks phishing activity trends,6 reports that 14,411 new, unique phishing email messages were reported in the month of April 2005. The number of active phishing (fraudulent) websites reported by the group in April 2005 was 2,854 (Chart 2).

Chart 2. Active Phishing Sites by Month October 2004-April 2005

Typically, the fraudulent websites are only active for a short period. According to the APWG report, the average time a phishing site remained active during April 2005 was 5.8 days. While a total of 68 countries hosted phishing sites in April 2005,7 the United States was the most common geographic location with 26 percent of the active phishing sites being hosted in the United States, followed by China (22 percent), Korea (10 percent), and Japan (3 percent).



Defending Against Phishing

A U.S. Department of Justice special report8 recommends a number of actions Internet users can take to protect themselves against phishing. For example, Internet users should not respond immediately to email messages requiring a quick response without first verifying the legitimacy of the message. Also, Internet users should examine claims made in email messages and evaluate whether they make sense (e.g., a bank would not ask its customers to provide their account numbers since it already has this information).

Allowing individuals to place a "security freeze" on their credit files can help phishing victims protect against the fraud typically associated with the theft of sensitive personal information. The security freeze prevents credit file information from being disclosed for the purpose of opening a new account without the explicit consent, through the use of a password, of the individual. Currently, four states have laws that permit residents to place a security freeze on their credit files,9 and 20 other states proposed similar legislation during the 2005 legislative session.10



Summary

With an estimated 10 million consumers being victimized by identity theft each year,11 phishing represents a rapidly growing problem, putting the personal information of Internet users at risk for identity theft. While Internet users can limit their chances of being victimized by not responding to suspicious email messages, phishers will continue to use new strategies, such as Instant Messaging and spyware, to lure additional victims into disclosing sensitive personal information. Therefore, consumers need additional defenses against these frauds, such as the option to impose a security freeze on credit file information.




Footnotes
1 Another form of phishing, called "pharming," involves using computer program tricks to redirect Internet users from a legitimate site to a fraudulent site operated by criminals.
2 APWG. "Commentary to FDIC 'Putting an End to Account-Hijacking Identity Theft,'" Feb. 4, 2005, http://www.antiphishing.org/APWG-FDICCommentaryLetter.doc.
3 B. Sullivan. Your Evil Twin: Behind the Identity Theft Epidemic. John Wiley & Sons, Inc., 2004.
4 Federal Deposit Insurance Corporation (FDIC). "Putting an End to Account-Hijacking Identity Theft," December 14, 2004, http://www.fdic.gov/consumers/consumer/idtheftstudy.
5 Krebs, B. "Despite Efforts to Contain Them, 'Phishing' Scams Spread." Washington Post, Jan. 19, 2005.
6 APWG. "Phishing Activity Trends Report," June 2, 2005, http://antiphishing.org/APWG_Phishing_Activity_Report_March_2005.pdf
7 A host country is defined by the geographic location of the Web server maintaining the fraudulent site.
8 U.S. Department of Justice. "Special Report on 'Phishing,'" March 2004, http://www.usdoj.gov/criminal/fraud/Phishing.pdf.
9 California and Louisiana law allows individuals to proactively place a security freeze on their credit files, while Texas and Vermont law allows only individuals who are victims of identity theft to place a security freeze on their credit files.
10 Krim, J. "States Scramble to Protect Data," Washington Post, April 9, 2005.
11 Federal Trade Commission (FTC). Identity Theft Survey Report, Sept. 2003, http://www.ftc.gov/os/2003/09/synovatereport.pdf.

Written by Neal Walters, AARP Public Policy Institute
June 2005
©2005 AARP
All rights are reserved and content may be reproduced, downloaded, disseminated, or transferred, for single use, or by nonprofit organizations for educational purposes, if correct attribution is made to AARP.
Public Policy Institute, AARP, 601 E Street, NW, Washington, DC 20049

Topic Alerts

You can get weekly email alerts on the topics below. Just click “Follow.”

Manage Alerts

Processing

Please wait...

progress bar, please wait

Tell Us WhatYou Think

Please leave your comment below.

The Cheap Life

Jeff Yeager Cheap Life Ultimate Cheapskate AARP YouTube web series save money

Catch the latest episode of The Cheap Life starring Jeff Yeager, AARP's Ultimate Cheapskate. Watch

Discounts & Benefits

From companies that meet the high standards of service and quality set by AARP.

Life insurance: you are covered rain or shine

Exclusive annuities for members from AARP Lifetime Income Program from New York Life.

AARP Credit card from Chase

Members can get cash back rewards on purchases with the AARP® Credit Card from Chase.

Homeowners Insurance
Member Benefits

Join or renew today! AARP members receive exclusive member benefits & affect social change.

Rewards for Good

Your Points Balance:

Learn More

Earn points for completing free online activities designed to enrich your life.

Find more ways to earn points

Redeem your points to save on merchandise, travel, and more.

Find more ways to redeem points