Reports of phishing attacks up, again, in May

BOSTON - Incidents of phishing, a type of online identity theft, were up slightly in May, after surging in March and April, according to a report from an industry group.

The number of unique phishing attacks reported to the Anti-Phishing Working Group increased 6 percent in May to 1,197, with an average of 38.6 reports each day, slightly higher than in April. The numbers could have been higher, but scam artists may have taken a break for Memorial Day in the U.S., keeping the final tally low, the report said.

Phishing scams are a form of online crime in which unsolicited commercial ("spam") e-mail is used to direct Internet users to Web sites controlled by the thieves, but designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, social security number, bank account or credit card number, often under the guise of updating account information.

Financial services companies continued to be the primary target of the scams, and Citibank Inc. customers were the most frequent target of phishers. Scams using the names of eBay Inc. and Paypal Inc., an eBay company, were also rampant in May, said the group, which is sponsored by Microsoft Corp. , VeriSign Inc. and antispam company Tumbleweed Communications Corp., among others.

Phishing scams have surged in recent months to 1,100 in April, a 178 percent increase from March, according to figures from the Anti-Phishing Working Group's April report. In May, the group received reports of over 300 attacks a week, with a big drop-off the week of May 29, possibly due to the Memorial Day holiday, the report said.

Faked sender, or "from" addresses on e-mail messages continued to be a popular tool of scam artists. At least 95 percent of e-mail messages submitted to the Anti-Phishing Working Group used such addresses.

The spoofed addresses are frequently identical to legitimate addresses at the companies being targeted by the phishers, for example: support@citibank.com and billing@aol.com were common spoofed addresses. The remainder of phisher e-mails submitted to the group came from so-called "social engineering addresses" -- online mailboxes at domains run by the scam artists that resemble actual e-commerce sites. The domains, such eBay.billing.com, instead of ebay.com, or verify-visa.net, as opposed to visa.com, are designed to fool customers, the report said.

The phishing problem has received increased attention from the private sector and governments in recent months, as online criminals have seized on the scams as a lucrative and relatively simple way to make money.

On Tuesday, credit card company MasterCard International Inc. said it was partnering with NameProtect Inc., an online brand protection service, to combat online identity theft and a black market in stolen credit card numbers. The two companies plan to aggressively pursue those behind phishing scams and work with law enforcement to shut down Internet sites and tools used by the identity thieves, the companies said in a statement.

Also, on June 16, a consortium of companies from across industries announced a new group that will tackle phishing. The Trusted Electronic Communications Forum (TECF) has representatives from leading retail, telecommunications, financial services and technology companies, including Best Buy Co. Inc., AT&T Corp., Charles Schwab & Co. Inc., Fidelity Investments Inc. and IBM Corp.

The TECF will work with the U.S. and other governments, as well as standards organizations and companies to fix problems such as e-mail and Web-site spoofing, which contribute to a fast-growing online identity theft problem, the group said.