
The Facts On 'Phishing'

Here's more from Randall Pinkston's report on the dangerous Internet crime known as "phishing." Below are excerpts from Pinkston's interview with Internet security expert Michael Weider, founder and CEO of Watchfire.



How big a problem is phishing as a form of identity theft?

Phishing is rapidly becoming an enormous problem for both consumers and online banks. The Gartner Group estimates that last year, it cost online banks about $1.2 billion. That's a pretty big number and over the last year, the number of phishing attacks has grown eightfold – in one year alone – so it's becoming a huge problem.

What are your chances of being phished?

The chances that you have gotten an email that was pretending to be from your bank, a fraudulent email, is probably pretty high. It comes in the form of spam and if you've got spam you've probably been phished before.

The whole concept is based on fooling you to give scammers information you really didn't want to give.

Is the spam type email the most common means of phishing?

The spam is definitely the most popular that we've seen because it really is the easiest to do. Spam is very popular. We've seen an enormous rise in the number of spam phishing attacks.

There is a second technique that's even more insidious and this is where you have the scammer put a keystroke logger on your machine and it's actually logging your keystrokes as you log in your user name and password; as you log into an online bank or an e-tailing site. That's even more dangerous because you don't even have to respond to an email anymore, it's just happening in the background and watching what you do.

Keystroke logging, is that a form of spyware?

That's exactly what it is. There's lots of spyware; relatively harmless ad pop-ups. Keystroke loggers are extremely dangerous and they can be capturing your information, sensitive information to get into your online banking sites or other purposes.

How does spyware keystroke logging get implanted on the machine?

There's a couple of different ways that it can happen. One is that you've downloaded, inadvertently, a piece of software and these spyware programs come attached to that. So you've downloaded one program thinking it was for one purpose but these spyware programs piggyback and install themselves in your machine.

In other cases, they're sent through email where people send an email and these programs are attached.

In other cases, consumers have, their machines, their PCs, are vulnerable to being compromised by attackers remotely. So, if you have a broadband Internet connection, for example, that's always on and it has a security vulnerability that you're unaware of, these hijackers can compromise your system and then install these programs without your knowledge.

I'm downloading a music file. Any danger of picking up unwanted spyware?

If you're downloading it from some of the quasi-legal p-to-p file sharing programs like Kazaa and these other networks there is a danger that you could be downloading something that you don't really think you're downloading.

Let's say your kids are downloading programs from Kazaa, but you really have no knowledge that they're using the PC for these purposes and you're doing the online banking and, not knowing that they've potentially downloaded something, got spyware attached. Now it's logging your keystrokes, and then you go on your online bank and all of a sudden some scammers have captured your online information.

How likely is it that a legitimate download would also come with unwanted spyware that can pick up your credit card account?

It's pretty rare. It is definitely more obscure than the email attacks. However, it is increasingly popular because the people are becoming aware of these fraudulent emails. They see them and immediately delete them saying, "that's a fake." Whereas, with keystroke logging, you don't have to fool someone, you just go to your online bank like you normally do and they capture your information and it's all done without your knowledge. And so, as people become more educated about the obvious scams, these newer ones are taking over that are a little more difficult to detect.

How do you know a scammer has been 'phishing' your system?

The end result, which is that people have pilfered your bank account or taken out loans in your name and you're getting questions back from people saying, "What are these transactions?" That's one way, that's the bad way 'cause you've already been compromised.

What should consumers do to avoid being victims?

Be careful who you do business with. Never respond to an email asking for urgent info; your bank will not ask.

Protect your equipment and software. Microsoft has a Windows update. Make sure your Windows and browser are up to date because often vulnerabilities compromising people's machines are already patched by Microsoft – but many consumers don't install the fixes.
