Thursday, October 06, 2005

Local Phishing

As all Internet users ought to know by now, phishing is an e-mail tactic used by identity thieves to get people to reveal sensitive information. You get an e-mail purporting to be from a bank, Internet service provider, online auction site, etc. that asks you to update your account, confirm your credit card info, enter your password, etc. The e-mail says to click on a link, but that link does not take you to the actual company's web site--it takes you to a bogus site set up by the phishermen* casting for your personal information (I should note that there are a few more devious phishing techniques that use scripts from company sites to give the impression of legitimacy). Companies that need this sort of information should never request it by e-mail because they know all about phishing. It has been such a problem for EarthLink that they have a place on their support page where users can enter URLs to verify whether they are truly associated with EarthLink (they often have derivative names such as or

I have received dozens if not hundreds of phishing messages. Most are easy to spot--I don't have an account with that particular bank, or I get an eBay confirmation message at an e-mail address that I have never given to eBay. Also, many phishing messages contain poor spelling and grammar. The majority of messages target account holders in big companies like Bank of America, U.S. Bank, PayPal, America Online, EarthLink, eBay, etc. Today I was surprised to see a message from Harris Bank, which is located in the greater Chicago area except for some ATMs downstate and a few snowbird/retiree branches in Arizona and Florida. As a relatively small player in banking, Harris is an unlikely target. Since my ISP is national, I wonder whether my e-mail address was harvested from a list that tied it to a specific location. That would be a rare degree of sophistication for phishing, and perhaps it catches people off guard. Of course, I didn't fall for it--I have never had a Harris Bank account!

* I made up that word--they are actually called phishers, not phishermen.
