Phish This, You Scum

• Phishing Is Big Business. The working group says there were 402 different phishing messages reported in April 2004. That's a sharp rise from 282 in February and only 176 in January.

• Banking and E-Commerce Are Targets. According to APWG, eBay usernames and passwords were most sought-after by phishers, with 110 separate attacks reported in March 2004. Other popular targets that month were Citibank (98 attacks), PayPal (63), Fleet Bank (23) and Barclays (11).

• An International Sport. The majority of attacks, APWG figures indicate, originate in Asian or Eastern European countries. This helps to explain the fractured English that's often found in the widely distributed messages. ("Your bank account has been temporaily closed cause of explicit fraud activity," reads one phishing message in APWG's archives.) But the e-mails, which usually bear exact copies of banking or e-commerce logos, are convincing enough that APWG says up to five percent of recipients obey the instructions.

The Birth of an Anti-Phishing Toolbar

The collection of phishing messages that APWG collected was studied by Earthlink in the development of its anti-phishing utility, according to Dan Mayer, director of product marketing for Tumbleweed and a spokesman for the coalition. The result is a toolbar that users may download free. It automatically adds itself to the menu area of Internet Explorer and other Web browsers. The download is similar to an earlier toolbar developed by eBay that helps bidders track auctions and avoid known fraudulent sites.

I downloaded and tested ScamBlocker, which also includes an effective pop-up blocker and a limited search bar powered by Google. When I tried to visit fraudulent sites that are listed in the APWG's archive of reported phishing attacks, my browser was redirected to an Earthlink page that reads, "The Web address you requested is on our list of potentially dangerous and fraudulent Web sites." Additional helpful information, free from geek-speak jargon, was also provided.

The Future of Anti-Scam Efforts

The concept of getting a warning before you visit a fraudulent site — instead of after you get an outrageous credit-card bill — is one of the most promising improvements in the Web I've seen in a long time.

I can already envision other messages that browsers could display regarding certain Web logs: "Warning! The blog you are about to visit is known to publish large quantities of drivel."

For now, however, Earthlink needs to concentrate its efforts on strengthening its phishing-site database. "It's nontrivial to identify these things," says Mayer with obvious understatement. "What eBay and Earthlink are currently identifying is only the reported phishing attacks, not all detected attacks."

Mayer explains that Earthlink, a member of APWG, has signed a contract with Brightmail, a major spam-filtering service, to detect phishing attacks in real time. But that won't begin until May or June.

In the meantime, phishing has become such a menace that many companies are joining APWG just to get a handle on how such scams might affect their good names. The list of corporations on the group's steering committee is private — "The banks were concerned about being identified because they don't want to become the poster boys for phishing," Mayer says — but it includes the majority of the top 20 banks in the U.S. and most major ISPs, he assures me.

Conclusion