Phishing on the increase, group says

Online phishing schemes increased significantly in October as financial institutions struggled to combat attempts to steal private account information from online consumers, according to the Anti-Phishing Working Group (APWG).

Last month, 1,142 sites were used for phishing, up 110 percent from the 543 sites reported in September, according to the report issued this week by the APWG, a consortium of law enforcement, financial institutions and computer-security firms that tracks the online attacks.

Almost 6,600 different phishing messages were reported to the group in October. The number of unique phishing e-mails has grown an average 36 percent each month since July, said Peter Cassidy, secretary general for the group. "Organized crime has embraced this technology and automation has increased the availability of phishing technology. They've become much more sophisticated," he said.

Phishing occurs when scam artists send fraudulent e-mails to consumers to lure them to Web sites that appear to be the home page of a well-known financial institution. The e-mails instruct the consumer to leave account information on the site, which the scammers then use for identity theft. According to the Federal Trade Commission, more than 10 million Americans were the victims of identity theft last year, with an estimated 57 million Internet users receiving a phishing e-mail.

The financial services industry has been the hardest hit. A phishing e-mail making the rounds last month was designed to appear to be from Citicorp, one of the nation's largest banks.  Last year phishing scams cost banks and credit-card companies $10.2 billion, according to a recent Gartner report.

Banks are trying to combat phishing by educating their consumers about "spoof" e-mails. Several banks include information about phishing on their Websites and in monthly statements. The APWG has been expecting the phishers to begin targeting regional and local banks with their attacks, but that has yet to occur, noted Cassidy. "The phishers have not really broadened their attacks beyond established brands such as Citicorp and Bank of America," he said. The number of brands subjected to the largest numbers of phishing attacks did increase, rising from four in July to six in October. "Yet, you would really expect it to be more. We think that will happen, but that is taking a little longer than we expected," said Cassidy.

The APWG is also warning companies and users of a new form of fishing that runs a script just when an e-mail is opened. The new technique has only been detected in Brazil, but is probably being tested for wider deployment, said Cassidy.

In August, the Justice Department said it had arrested, charged or convicted more than 150 people related to criminal activity on the Internet. Many of the cases centered on phishing schemes. The FBI has reorganized its efforts to combat cyber crime, in large part because much of the illegal internet activity comes from international crime rings.