Feds, Private Groups to Educate Consumers About 'Phishing' Scams
By David McGuire washingtonpost.com Staff Writer
Thursday, June 17, 2004; 4:47 PM
The federal government and some of the nation's leading consumer organizations and financial institutions today kicked off a campaign to educate consumers about the growing threat posed by "phishing," a sophisticated form of identity theft conducted via e-mail and counterfeit Web sites.
Visa USA, the Federal Trade Commission, the Better Business Bureau and the other coalition members said they plan to work together to teach consumers how to avoid phishing scams and to report suspicious e-mail to authorities.
Phishing scams are designed to trick computer users into divulging sensitive personal and financial information. The Anti-Phishing Working Group reported recently that the number of unique phishing scams making their way around the Internet rose 180 percent from March to April of this year.
A typical phishing scam starts with an e-mail disguised to look like it's coming from a respected bank, credit card provider or online retailer. The message often warns the recipient that certain account information has lapsed and provides a link to an official-looking Web site where a user can "update" such information as Social Security numbers, birth dates, and credit card accounts.
"The advice to consumers is simple: Don't click on the link. If you do, you may be the catch of the day," said Howard Beales, director of the Federal Trade Commission's Bureau of Consumer Protection. Beales joined other coalition members today at a press conference in Washington.
The FTC today also announced that it had settled cases against a pair of identity thieves -- Zachary Hill, 20, of Houston and an unnamed minor from New York -- who had colluded to send phishing spam. Hill also faces a possible 46 months in prison under criminal charges brought by the Justice Department.
The combination of law enforcement and public outreach is needed to tackle phishing, said Wayne Abernathy, the assistant secretary for financial institutions at the Treasury Department. "We cannot solve this problem with education alone, but we cannot fight this problem without education."
As part of the new campaign, Visa will be providing brochures about phishing and other forms of identity theft to the banks that issue its cards and recommend that the banks include the information in monthly bills sent to their customers. All of the members of the coalition will also provide links to anti-phishing information on their Web sites. Call for Action, an international clearinghouse for consumer information, is also providing a free identity theft hotline (1-866-ID-HOTLINE) partially funded by a grant from Visa.
Beales encouraged Americans to forward any suspicious e-mail messages to the FTC at email@example.com. Such information is valuable, he said, because it helps investigators track scam artists, many of whom change their Web site locations and e-mail addresses frequently in an effort to frustrate law enforcement officials. Consumers can also send suspicious mail relating to their visa cards to firstname.lastname@example.org.
Neither the FTC nor Visa keep statistics on how much money consumers have lost to phishing scams, but identity theft topped the list of consumer complaints to the FTC in 2003 and Internet scams accounted for more than half of all fraud complaints. In a 2003 study, the FTC found that 9.9 million Americans had fallen victim to identity theft in 2002 at a collective cost of nearly $53 billion.
Visa USA Executive Vice President Doug Michelman said the company spends more than $100 million a year on anti-fraud efforts, with the anti-phishing campaign representing only a small fraction of that amount. He would not say how much the company had invested in the program.
Beales stressed that legitimate companies rarely if ever send e-mail asking customers for sensitive data. Customers who have any question about such a request should go directly to the company's Web site by typing the company's Internet address into a browser window, rather than by clicking on a link in a suspicious e-mail.
Earlier this week, a number of private-sector firms announced the formation of a new group -- the Trusted Electronic Communications Forum -- that will work to design technical solutions to the growing phishing problem.
By Caroline E. Mayer and Griff Witte
Washington Post Staff Writers
Monday, July 19, 2004; Page A01
the processors involved, InterBill and Universal Processing Inc., declined to comment. The third firm, Payment Resources Inc., Law enforcement officials say it has been surprisingly easy for crooks to win a consumer's confidence and convince them to give out their checking account numbers over the telephone or on the Internet. The officials suspect thieves have also obtained bank account numbers from checks sent to unscrupulous mail-order suppliers that offer goods that either are never delivered or are valued at far less than what was promised. Lists of these customers are then sold to other firms, some operating legally, some not. obtained a list of names and account numbers, but from where -- a merchant, a telemarketer, a list broker, a financial processing firm -- is still in question. The FTC believes that the list is a few years old; nearly 70 percent of the attempts to take $139 from individual accounts were canceled or returned because of bad account numbers, fraud protection measures at the banks or vigilance on the part of bank customers who noticed the fraud and reported it. debited from checking accounts, mostly through unsigned paper checks Increasingly, officials worry that thousands of consumers have been tricked into giving out bank information by responding to bogus e-mail messages that appear to come from banks, or Web sites like eBay or PayPal. The tactic, called "phishing,"
WHY CAN’T THE CUSTERMER HAVE STANDING ORDERS ? ? ? The Federal Reserve Board is considering rules that would require a merchant's bank to be liable for unauthorized customer charges made through the unsigned checks, called demand drafts, such as the one posted to Greene's account. Currently, it is up to the consumer's bank to refund the money if it decides the draft is unauthorized.
There are no federal rules instructing banks what to do when a depositor challenges an unsigned paper check. only banks had access to account numbers. On the front line, there are the merchants who traditionally have not been held to the same kind of strict security rules for managing sensitive customer information as have banks, Behind the scenes are third-party processing firms that handle many of the transactions for merchants, depositing customer checks into banks or processing the customer's electronic account information. These companies weaken the connection between the bank, which is obligated under law to "know the customer," and the merchant who is generating the payment request.
"Third-party processors play a pretty major role in the payments business," said Elliott C. McEntee, president and chief executive of NACHA, the electronic payments association. "When a bank permits a third party to process transactions on behalf of a merchant, it's putting a lot of confidence in the third party" to make sure that the merchant is legitimate.