Search This Blog

Friday, November 02, 2007


I hate to keep belaboring the fact, but the identity crooks are improving their technology and strategies significantly faster than the security forces employed to outwit them, putting the consumer behind the proverbial eight ball. Phishing fraud has been around for awhile now; the act of receiving an e-mail posing as a reputable company which usually directs you to another site where you are asked to give them your sensitive data to update your account. The bad guys use banks, PayPal, supposed lottery winnings including Publishers Clearing House, even the FTC and IRS, and a host of other gimmicks. A recent MSNBC article portrays the use of government entities to pull off the deception, but it also has some dark statistics. The number of phishing sites more than doubled between May of 2006 and 2007, according to the Anti-Phishing Working Group. And Consumer Reports says consumers have lost $630 million to phishing scams in 2005 and 2006. CR also estimates that 8.2 percent of online households have given up their private information to fraudulent e-mailers in the last two years. But this is only the tip of the database. You may recall giving your e-mail address to several companies you deal with regularly, like your bank, your pharmacy, your doctor, loyalty programs at the super market; just about every business you deal with today at least asks for it. Obviously the address is stored for immediate access when needed, but it does not carry the same level of security as, say, your Social Security number. In a recent incident reported by The Washington Post, a vendor for SunTrust Bank,, had a database of 40,000 e-mail addresses and other contact information stolen, which have been used by phishers to contact SunTrust customers. A bank spokesperson says around 500 customers received phishing e-mails, and a “handful” fell for the scam. That handfull has already lost $9,000, and, based on experience, there will be more. The WP article raises a serious question that should be dealt with by Congress immediately: Should we make e-mail addresses the kind of private data that requires companies to notify the owner when there is a breach? My answer is yes, and here is why. Compared to the average phishing fraud where the recipient has no connection with the bogus organization used, a stolen e-mail address, particularly with other contact information, can personalize the con and make the individual targeted really believe it is coming from a company with which they have a trusted connection. Junk mailers have been personalizing mail to its customers for years, so it is only natural the bad guys would pick up on something that does work well. On the other hand, e-mail addresses are just like Social Security numbers; they are everywhere and generally easy to get. But the big difference is the connection between the address and a company which lends it the necessary credibility, and that is why we need to begin to secure this medium before this newest hoax gets out of hand.

No comments: