Coalition calls for action on phishing

Internet service providers (ISPs) and e-commerce sites can employ more tools to combat phishing scams, including "white lists" of legitimate Web sites and using false identification information to scam the scammers, according to a report released Thursday.

The report, released by a coalition of consumer groups, technology vendors, financial services organizations and law enforcement agencies, also calls on Internet companies to step up their consumer education efforts.

Among the more novel techniques recommended by the group was for Internet companies and law enforcement agencies to enter false information, such as bogus credit card numbers, into phishing Web sites, allowing police to find phishing scammers by tracking the use of those false numbers.

"This type of disinformation done by the good guys can be used to track the bad guys," said Peter Swire, a law professor at the Ohio State University and collaborator on the report, titled "A Call for Action."

The report also calls on technology companies to build antiphishing security into products and for ISPs and domain name registrars to explore using both white lists and black lists to separate legitimate Web sites from phishing sites. An industry black list of known phishing sites could help ISPs flag or recall phishing e-mail messages before the recipient opens the e-mail, Swire said. The average piece of e-mail sits in an inbox for about 12 hours before a recipient opens it, he said.

In a typical phishing scam, a scammer sends out spam telling recipients to update their personal information at a banking or e-commerce Web site. The e-mail includes a link to a fake Web site designed to look like a real bank or e-commerce site, and Internet users who enter their personal information become victims of identity theft.

About 2.2 million Internet users become victims of ID theft every year through phishing scams, said Barbara Span, vice president of public affairs at First Data, which provides the backbone for secure financial transactions online and at retail outlets.

The 57-page report, published by the National Consumers League, came from discussions during a three-day retreat on fighting phishing organized by the consumer group in September.

A broad group of organizations must "work together if we're going to have a significant impact on the tidal wave of phishing," said Susan Grant, vice president of public policy for the National Consumers League.

Participants in a Thursday press conference expressed concern that Internet users are becoming more wary of conducting business online because of phishing scams and other cybersecurity problems.

The report recommends that Internet companies study phishing scams to learn how phishers operate, and calls for better authentication technologies, for both Web sites and users.

Version 7 of Microsoft's Internet Explorer browser includes a toolbar that warns users of potential phishing sites, noted Frank Torres, director of consumer affairs at Microsoft, one of the corporate sponsors of the phishing retreat.

"There's a role for everyone to play in fighting the bad guys," Torres said. "The way we get better is through working collectively."