honoluluadvertiser.com

Sponsored by:

Comment, blog & share photos

Log in | Become a member
The Honolulu Advertiser
Posted on: Tuesday, May 30, 2006

Fraudulent e-mails harder to detect

By Greg Wiles
Advertiser Staff Writer

AVOIDING TROUBLE

People can take steps to protect themselves against "phishing" e-mails by:

Being suspicious of any urgent e-mail requests for financial information, even if it looks like it's from your own bank.

Never using links within an e-mail to get to a Web page if the message looks suspicious.

Avoiding filling out forms within e-mail messages that ask for personal information.

Calling the business that is requesting the information to ask whether the e-mail is genuine.

Installing Web browser toolbars that help protect against known phishing fraud sites. One is available at www.earthlink.net/earthlinktoolbar.

Using up-to-date anti-virus software, a firewall program and checking for the latest security patches for your Web software.

Making sure you have encryption when using wireless networks. A new trend is "Wi-phishing," or scammers that cruise neighborhoods looking for unencrypted networks.

Source: Anti-Phishing Working Group, Better Business Bureau of Hawai'i

spacer spacer

FIGHTING FRAUD

Report suspicious e-mails to business and government. Forward them to:

• The Federal Trade Commission: spam@uce.gov.

• Go to the business’s Web page and see if they have an address to forward the e-mails. For example, PayPal’s is spoof@paypal.com.

• Anti-Phishing Working Group: reportphishing@antiphishing.com.

spacer spacer

Honolulu resident Rich King receives more than 300 e-mails at work and home each day, though he doesn't bother to read many of them. That's because he's wary of messages that are "phishing" for his personal information or are otherwise malicious.

"If I see anything that doesn't make sense to me I put it in the deleted files," said King, who helps manage data centers for the Hawai'i Medical Service Association. "If it's that important they can resend it."

Phishing — fraudulent e-mails aiming to trick people into giving financial account or other information — continues to grow. But where some of the past messages were obvious scams coming from people saying they were from Nigeria soliciting help, more cunning thieves are claiming to be local banks.

In the past year thousands of bogus e-mails have been sent to people in Hawai'i purporting to be from American Savings Bank, Bank of Hawaii and First Hawaiian Bank. The e-mails appear to be official, with logos of the institutions and requests to change passwords or confirm or update information.

"The attacks are getting more sophisticated," said Kenneth Newman, American Savings vice president of security. "There's probably some sort of belief that the smaller institutions don't pay as much attention."

In American Saving's case the spoofed e-mails were detected quickly, probably within hours of their being sent, Newman said. A link in the e-mail took people to what appeared to be American Savings' site, but actually was a fake Web page that hackers had placed on a server in France with weak security procedures.

Newman said the bank and its vendors were able to find and have the page taken down within 24 hours of the phishing e-mail. He said the phony e-mail came from multiple compromised computer servers and the culprit wasn't found.

The attack was the first on American Savings' customers and was notable in that it apparently used an e-mail list that targeted Hawai'i residents. Newman said it appeared that the addresses were harvested from a local Internet service provider's site.

That compares to old-school phishing efforts in which millions of messages are blasted out trying to hook customers of national brands, such as Citibank, PayPal or Wal-Mart.

"It's not just the blanket approach to phishing attacks anymore. They're much more targeted," said Ronnie Manning, of San Diego-based Websense Inc., a Web security software maker.

"It's almost if you look at the evolution of phishing, you can tell as the attackers get more advanced there's almost a success rate that's happening with it."

The Anti-Phishing Working Group, which tracks fraudulent e-mails and their trends, reported a 21 percent increase in phishing reports in April. The group has said there are some disturbing trends in phishing, including linking to Web pages that download malicious software onto computers that log keystrokes.

The problem is such that the Hawaii Bankers Association ran an ad campaign with tips to avoid identity theft, including being netted in a phishing scam.

Bank of Hawaii customers were the target of a series of phishing e-mails sent in March, while First Hawaiian customers were sought in a mailing last year. Gary Caufield, First Hawaiian vice chairman, said it appears thieves are using the information to make dummy cards that can be used at automatic teller machines in foreign countries.

He said First Hawaiian has boosted its safeguards for finding and containing phishing attacks, including training employees to watch for suspicious e-mails and asking customers to forward any dubious messages they receive.

"The key is to move real quick," Caufield said.

Honolulu-based Central Pacific Bank was quick to send an e-mail this month when a customer queried it about a message received from "Central Bank." CPB told customers that an e-mail asking people to renew information was bogus.

Wayne Kirihara, bank senior vice president, is also taking steps to educate senior citizens about identity theft and phishing attempts through a series of community presentations and a half-hour game show that begins its run at 6:30 p.m. June 16 on KFVE.

The best defense against phishing e-mails may be to be on guard against messages from unfamiliar sources, in much the same way King ignores them. Banks almost uniformly say they never send e-mails requesting information and that, when in doubt, people should call the bank.

"One of the things that we tell people is that they should never give out personal information online, or over the phone for that matter, unless they have initiated the contact themselves," said Chris Van Marter, Honolulu deputy city prosecutor who heads the white-collar crime unit.

"If they follow that rule, that will go a long way to protect themselves from ID theft online."

Reach Greg Wiles at gwiles@honoluluadvertiser.com.