
Protect Your Identity

Phishers and other online thieves are targeting your money and personal data--and they're getting sneakier. Here's how to defend yourself, and how to erase the damage if you get scammed.

Bob Tedeschi is an award-winning journalist and has written a weekly business technology column for the New York Times since 1998. PC World Senior Reporter Tom Spring contributed to this article.


Illustration by Stuart Bradford

Barbara Head, a stay-at-home mother of three in Mocksville, North Carolina, was checking her e-mail and saw a notice from AOL saying she needed to update her account information. It looked legit, so she followed the link. But she ended up handing her personal and financial information to a phishing scammer, who then assumed her identity and rang up hundreds of dollars in charges with her PayPal account, which was linked to her credit union checking account. Among other things, the criminal set up a fake business using her initials (B&H Enterprise) to conduct transactions in her name. That action, though not common, lent credibility to the thief.

Head discovered the fraudulent activity after receiving overdraft notices from the credit union, and spent countless hours over six months clearing her name and credit history. The only positive note: She caught the thief that got her.

  • Growing Problem
  • Phishing Holes
  • Spyware in the Mix
  • Easy Money
  • Reclaiming Your Name
  • Shield of Law: Victims' Legal Rights
  • Security Tips: How to Keep Identity Thieves at Bay
  • Don't Get Reeled In: Antiphishing Tools

    Growing Problem

    Identity theft is one of the fastest-growing crimes in the United States, with victim complaints quadrupling between 2000 and 2004, according to the Federal Trade Commission. Most victims are hit merely with credit card account hijackings, but for many others the situation is much worse. In the past five years, the FTC estimates, 10 million people have had criminals open new credit card accounts, secure utility services, or apply for mortgages under their names, spinning a web of deceit that can take years to unravel.

    Authorities say that in many cases leaks leading to identity theft don't come from victims, and a glance at the headlines underscores the point: Thieves once stole tens of thousands of credit reports from the major reporting bureaus, and one Web site unwittingly made public thousands of client names and credit card information.

    Meanwhile, doctors' offices, schools, and other institutions hold your information behind ineffective firewalls that are easy pickings for hackers and even easier pickings for unscrupulous employees.

    But for phishing scams, the most rapidly expanding method of identity theft, consumers do bear some responsibility--and they can take back some control.

    The instances of new, distinct phishing e-mail attacks are growing by about 40 to 50 percent monthly, and reached about 2000 total in July of this year, according to the Anti-Phishing Working Group, a multi-industry consortium formed last year to combat this type of fraud. In fact, such scams are so easy to create and so difficult to trace, thieves are abandoning other identity theft methods and setting up phishing camps. Worse, the scams are getting slicker, making it difficult for even the most observant users to tell the real from the fake. And soon phishers may disguise their hooks and use spyware, another plague of the Internet, to sneak into your PC and steal your information.

    There is good news. Phishing and other forms of online identity theft can be prevented, authorities say, but it takes a more scrupulous approach to security--with, possibly, a minor cash outlay to get regular credit reports and software tools--and a lot of skepticism as you read your e-mail.

    You can also add new weapons to your arsenal: Antiphishing tools have debuted from several vendors and from some ISPs, with others sure to follow (see "Don't Get Reeled In" for details).

    Phishing Holes

    You've probably seen lots of phishing e-mail. Scammers forge the "from" field of a message so it appears to come from a reputable company like Citibank, EBay, or PayPal, to name a few of the more popular aliases. It urges you to click on a link in the e-mail to update account information for some alarming reason--often because the "company" suspects that the account has been tampered with. The link leads to a Web address and page that look credible, and all you need to do is type in your information and click Send.

    Then the mayhem begins.

    Armed with your address and your Social Security, bank account, and credit card numbers, plus any other information the phishers have gleaned from you, they can engage in shopping sprees and even establish a new address bearing your name, along with a series of new credit card accounts.

    Even the more discerning tech-savvy consumer can be scammed, as phishers in recent months have gotten more sophisticated, relying on software to mask the Web addresses of their "spoof" sites with the addresses of legitimate pages. Thieves make perfect copies of logos and graphics from the legit sites they mimic, and even insert malicious code on top of a trusted site so that you go to the right URL but enter your information into a pop-up window the scammers provide. On MailFrontier.com, the Web site of an e-mail security company, users can test their knowledge of legitimate and fraudulent e-mail. On average, the more than 200,000 people who tested themselves on ten sample messages failed to detect at least three fraudulent ones. And that's when they were looking for them.
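The two tricks this section describes, an all-numbers address and a URL built to resemble the real company's address, can both be caught by looking at the host a link actually points to rather than the text around it. The following is an added example, not code from the article or from any of the tools it reviews; the brand-to-domain table, the sample message and every host in it are constructed for illustration (192.0.2.0/24 and the .example domain are reserved for documentation).

```python
"""Check where the links in a suspicious e-mail really lead, as the article
advises: judge the host the link points to, not the text around it.

Added example, not code from the article or from any tool it reviews.
The brand-to-domain table, the sample message and the hosts in it are
constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed table: brand name -> the registered domain that brand really uses.
LEGIT_DOMAINS = {
    "paypal": "paypal.com",
    "citibank": "citibank.com",
    "ebay": "ebay.com",
}

LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """'login.paypal.com' -> 'paypal.com'. The two-label rule is a simplification;
    production code should consult the public suffix list (e.g. for .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url, claimed_brand):
    """Return (verdict, reason) for a link that claims to belong to claimed_brand.
    verdict is 'ok', 'suspicious' or 'unknown'."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parsed.scheme!r}"
    # user:pass@host syntax lets 'www.paypal.com@...' show a brand name while
    # the browser actually connects to whatever follows the '@'.
    if "@" in parsed.netloc:
        return "suspicious", "userinfo before '@' hides the real host"
    # SpoofStick-style check: an all-numbers address is nobody's brand site.
    try:
        ipaddress.ip_address(host)
        return "suspicious", "host is a bare IP address"
    except ValueError:
        pass
    expected = LEGIT_DOMAINS.get(claimed_brand.lower())
    if expected is None:
        return "unknown", f"no reference domain for brand {claimed_brand!r}"
    actual = registered_domain(host)
    if actual == expected:
        return "ok", f"registered domain is {expected}"
    brand = claimed_brand.lower()
    if brand in host.lower() or brand in parsed.path.lower():
        # The brand name appears in the URL, but the part that decides who
        # receives the data (the registered domain) belongs to someone else.
        return "suspicious", f"brand name present but registered domain is {actual}"
    return "suspicious", f"registered domain {actual} is not {expected}"


def scan_message(body, claimed_brand):
    """Classify every link in an e-mail body; returns a list of (url, verdict, reason)."""
    return [(u,) + classify_link(u, claimed_brand) for u in LINK_RE.findall(body)]


# Constructed sample styled like the account-update notices the article describes.
SAMPLE_BODY = """Dear PayPal member,
We suspect unauthorized access to your account. Please verify at
http://192.0.2.10/paypal/update within 24 hours, or use our secure page
https://www.paypal.com.account-verify.example/login?id=123
Genuine help is always at https://www.paypal.com/help
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_BODY, "PayPal"):
        print(f"{verdict:10s} {url}  ({reason})")
```

The decisive field is the registered domain, because that is what determines who receives whatever is typed into the page; a brand name appearing in a subdomain or in the path proves nothing. The two-label rule in `registered_domain` is a deliberate simplification, and real deployments should use the public suffix list so that hosts under suffixes like `.co.uk` are split correctly.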

    Spyware in the Mix

    More worrisome is the likelihood that, according to David Jevans, chair of the Anti-Phishing Working Group, there's a "coming convergence of spyware and phishing." Spyware that loads onto your PC and, for example, tracks your keystrokes and sends the data to criminals has largely been the province of sophisticated thieves and hackers. But with users wising up to phishing ploys, spyware appears to be the new weapon of choice.

    With this type of scam, you would be invited to click on an image--to get a low-priced item or sweepstakes entry, for instance. With that click, you'll unknowingly download spyware onto your PC.

    Phishers may have to wait longer for your personal information, but eventually it will come as they analyze your keystrokes and correlate that data with the sites you've been surfing.

    According to a study last year by the nonprofit Identity Theft Resource Center, identity theft victims spend on average 600 hours and $1400 to clear their names and credit histories. The average amount fraudsters spend in their victims' names, according to the FTC report, is $10,200. The total loss to consumers due to identity theft has reached a high of nearly $4 billion, with no signs of slowing. Businesses have lost an estimated $33 billion due to such things as unrecovered merchandise and overhead to deal with the problem, the FTC says.

    Easy Money

    Identity theft in general, and phishing in particular, can be lucrative, but such theft has grown so much recently for a simple reason: It's easy to pull off.

    Jevans says thieves sell and swap phishing kits "with everything--fake sites, e-mails, responder software that'll sit on the server and send data to you. All you need to do is set up a server or get some zombies and stick it on them." (A zombie is a PC used without the owner's knowledge to host malicious online activities.)

    In some cases, Jevans says, the kits are simply "given away, just out of the badness of [these scammers'] hearts."

    The rest is easy. Phishers simply send out mass e-mail to hundreds of thousands, or millions, of recipients and wait for a few unsuspecting people to respond.

    Thieves face little risk. Many phishers set up shop in foreign countries, where it's harder for U.S. officers to nab them. Jevans estimates about 75 percent of phishing sites the group tracks are outside the country. And U.S.-based phishers often evade detection by using zombie PCs, or by constantly swapping server addresses.

    New laws have helped a bit, experts say. Many state and federal statutes already cover identity theft with penalties of up to 15 years in jail; but in July, President George W. Bush signed legislation that further stiffened sentencing guidelines. Meanwhile, Senator Patrick Leahy (D-Vermont) has proposed a law under which phishers could get up to five years for setting up a spoof site and sending fraudulent e-mail, thereby showing intent to commit a crime. (Currently phishers must net a victim in order to violate laws.)

    Because roughly 20 percent of phishers are foolish enough to publicly register domains for their spoof sites, experts say such laws could have bite. And the U.S. Department of Justice has made some progress in fighting identity theft.

    However, law enforcement officials say users can't rely on such deterrence measures to protect them, simply because too many criminals are using ever-morphing methods for authorities to keep up.

    Reclaiming Your Name

    For identity theft victims, fast detection is critical. According to the FTC, when victims discovered within one month that their personal information was being misused, more than 90 percent were able to thwart the criminals from opening new accounts in their name, and incurred no monetary losses in the process. By law, consumers are limited to $50 of credit card liability when their accounts have been compromised, and in many instances credit card companies waive even that amount. But when victims didn't discover the misuse for more than six months, 45 percent found that criminals had opened new accounts in their name. Nearly half of those victims were charged at least $5000.

    The first hurdle is perhaps the most galling: convincing credit card companies, credit reporting agencies, and sometimes even legal authorities that you are who you say you are. That process begins with obtaining a police report from the jurisdiction where the crime was committed. While it is usually easy to convince police that you are the victim and not the perpetrator--who, presumably, wouldn't step into a police department--getting a report is another matter.

    Victims at times face resistance from local police when they ask for a report, with 28 percent of those who contacted police saying they were "very dissatisfied" with the response, according to an FTC survey. Getting the report is mandatory, even if you must go to different police departments, including local, county, and state offices. While there's little chance of police catching the thieves, you need the report to persuade financial institutions to clear your credit history.

    Also, you should immediately contact the major credit agencies, Equifax (888/766-0008), Experian (888/397-3742), and TransUnion (800/916-8800), and request "fraud alert" status. Under a fraud alert (free to victims), companies that issue credit in your name are asked to call you before opening new accounts, so you can verify the validity of the credit request. Victims are eligible for free reports from each of the three major bureaus, as well. For extra protection, victims can extend the fraud alert status indefinitely beyond the initial period (90 days to a year, depending on the agency).

    After contacting the agencies, sharpen your pencils and get ready to take a spin through the maze of corporate bureaucracy. You'll need to send letters and copies of the police report to fraud investigators--not to customer service representatives--at every company that issued credit to the identity thief.

    The FTC's Web site includes a healthy section devoted to identity theft help, including form letters for disputing new, unauthorized accounts. The Identity Theft Resource Center offers a compendium of information, sample letters, and other resources, as does the Privacy Rights Clearinghouse.

    IdentityTheft.org, the Web site of attorney Mari J. Frank, also provides tips and sample letters, and sells a more extensive book of forms and advice called Identity Theft Survival Kit for $80. She also wrote two other books on the topic.

    Frank, who fell victim to an identity thief in 1996, says you should not get a lawyer unless credit issuers continue to hold you responsible for purchases you didn't make. "If you do all your work and they haven't done theirs, then go get an attorney. But if you just go to an attorney at the start and say 'I'm a victim,' that's not enough," she says. "Unfortunately, this is a self-help process."

    Victims who follow the process diligently can expect their credit to be cleared within months, depending on the timeliness of their letter-writing campaigns and the responsiveness of the various companies. At that point, they can go back to life as normal--only this time, with a considerably diminished sense of trust in the world around them.

    Shield of Law: Victims' Legal Rights

    Credit bureaus must provide victims with three free reports and, on request, place free "fraud alerts" on their accounts to prevent further abuse, lasting 90 days to a year depending on the agency.

    Credit card firms can't hold you responsible for more than $50 in fraudulent charges if you can show that your card or card number has been lost or stolen. And you're not liable at all if you can prove someone else created an account in your name. Banks offer similar protection, but many users with debit card fraud problems will find recovering money difficult, says Linda Foley, co-executive director of the Identity Theft Resource Center.

    Many services, such as PayPal, do not give you any liability protection--all you get is what your bank or credit card company provides with the debit or credit card you use to fund your account.

    Police should provide you with an incident report to be used as evidence when you are pleading your case to creditors. If the local police say they're too busy, try a sheriff or state police department.

    B.T.

    Security Tips: How to Keep Identity Thieves at Bay

    Don't click on links or images in unsolicited e-mail. If a company with which you do business asks you to contact it, open a new browser window, type in the company's Web address, and log in to your account. Otherwise, call the company.

    Use a good spam filter. With the right filter, phishing e-mail messages may never even reach your inbox. Check out our list of top antispam tools in "Spam-Proof Your Inbox" from the June issue.

    Install spyware detection software. Lavasoft's Ad-Aware and Spybot Search & Destroy have versions that are free for personal and noncommercial use. These programs ranked at the top of their class in our June security superguide, "Bigger Threats, Better Defense."

    Consider a credit monitoring service from one of the major credit bureaus. For $44 per year, for instance, TransUnion's Identity Fraud Watch service sends weekly e-mail notices reporting changes to your credit profile. Equifax and Experian cost a bit more--$100 and $120, respectively--but they also give you access to your credit reports. Consumers in California and Texas can also request a "credit freeze," whereby potential creditors access your credit report only with your authorization. (Each time you open your credit report to a potential creditor, it costs $8 per agency, and another $10 to freeze the report again.)

    Review your credit card charges. Fraudsters will often make small charges over a period of time to avoid detection.

    Keep credit card information and so forth off your computer's hard drive. Store such data on CD-RWs instead--and keep the discs out of your drive when you're not using them so hackers can't get at the data. If you must keep such data on your drive, protect it with something like Password Agent, which has a free limited version and costs only $20 for an unlimited version.

    Keep your Social Security number as private as possible. If companies use it as part of your account number or ID card, request that the number be changed (but note that the companies are not obligated to make this modification).

    Get a credit report twice a year. As of December, federal law entitles consumers to one free, yearly report.

    B.T.

    Don't Get Reeled In: Antiphishing Tools

    We took an informal look at a few utilities that claim to help you tell fake sites from the real deal to see how well they work. None is a panacea, but the tools are a good first step. Note that some online stores and financial services now offer their own tools, as well, such as EBay's Account Guard software on its downloadable toolbar.

    CoreStreet SpoofStick: Free toolbar extension to Internet Explorer and Mozilla Firefox browsers.

    What it does: This toolbar prominently identifies the URL of the Web site you are visiting. The tool worked well for the suspicious, all-numbers address of the phishing site I tried, but this approach won't be as effective if thieves use a clever URL that closely mimics the legit company's own address. And SpoofStick won't alert you to scams that direct you to a legit site but open a pop-up window to get your data, because pop-ups can't show its toolbar.

    EarthLink ScamBlocker: Free toolbar for most browsers.

    What it does: ScamBlocker keeps a list of known fraudulent sites and redirects you to an alerts page on EarthLink's servers when you try to access such a site. This was the only tool that identified a known phishing site and prevented my browser from loading it. But its effectiveness depends on a current and complete list.

    GeoTrust TrustWatch: Free toolbar for IE 5.x and later.

    What it does: This program monitors the sites you visit and rates their safety with a color code: green for safe, yellow for caution, and red for known fraud site. In my trial of a beta version, most sites came up yellow, which quickly desensitized me to the alert, and it failed to catch a known phishing site I visited. Like SpoofStick, this program won't alert you to scams that use pop-ups because pop-ups can't display its toolbar.

    WebRoot Phish Net: Free program, compatible with Internet Explorer 5.5 and later.

    What it does: You input your sensitive data--including passwords, bank account and Social Security numbers, and user names--and Phish Net encrypts and stores that data on your PC so that it can tell when you're divulging info. It monitors you online, checking for visits to known phishing sites. The tool alerts you when you type in sensitive data at an unknown site or one known to be fraudulent. I looked at a beta version that did not have access to the list of blocked sites, but it still warned me against sending information to the phishing site I visited because the site was not on the Trusted list; you can override this if you know a site is legit.
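The check described above, stored secrets plus a Trusted list consulted before sensitive data leaves the PC, can be modelled in a few dozen lines. What follows is an added example, not Phish Net's code and not a description of how that product stores data; the trusted and blocked hosts, the secrets and the form submissions are all constructed. It keeps the secrets only as keyed hashes (a design choice of this example, standing in for the "encrypts and stores" the review mentions), matches a submitted value against them, and returns the action a tool in this category would take.

```python
"""Model of a Phish Net-style check: remember the user's secrets only as
keyed hashes, then warn before a form containing one of them goes to a
host outside the Trusted list.

Added example, not Phish Net's code; the trusted and blocked hosts, the
secrets and the form submissions below are constructed."""
import hashlib
import hmac
import os


class SensitiveDataGuard:
    def __init__(self, trusted_hosts, blocked_hosts=()):
        self.trusted = {h.lower() for h in trusted_hosts}
        self.blocked = {h.lower() for h in blocked_hosts}
        # Per-instance random key: the stored digests are useless without it,
        # so a copied data file alone does not reveal the secrets.
        self._key = os.urandom(32)
        self._secret_digests = set()

    def _digest(self, value):
        # Strip separators so "123-45-6789" and "123456789" compare equal.
        normalized = "".join(ch for ch in value if ch.isalnum())
        return hmac.new(self._key, normalized.encode(), hashlib.sha256).digest()

    def remember_secret(self, value):
        """Register a password, SSN, account number, etc. without storing it in clear."""
        self._secret_digests.add(self._digest(value))

    def _matches(self, host, host_set):
        # 'www.paypal.com' matches a trusted entry 'paypal.com'.
        return any(host == h or host.endswith("." + h) for h in host_set)

    def check_submission(self, host, form_fields):
        """Return (action, leaked_field_names) for a form about to be sent to host.
        action: 'allow', 'warn' (unknown site) or 'block' (known fraud site)."""
        host = host.lower()
        leaked = [name for name, value in form_fields.items()
                  if self._digest(value) in self._secret_digests]
        if not leaked:
            return "allow", leaked      # nothing sensitive in the form
        if self._matches(host, self.blocked):
            return "block", leaked
        if self._matches(host, self.trusted):
            return "allow", leaked
        return "warn", leaked           # the user override the review mentions belongs here


if __name__ == "__main__":
    guard = SensitiveDataGuard(trusted_hosts=["paypal.com"],
                               blocked_hosts=["paypal-secure-update.example"])
    guard.remember_secret("123-45-6789")       # constructed SSN
    guard.remember_secret("correct horse")     # constructed password
    for host, fields in [
        ("www.paypal.com", {"ssn": "123456789"}),
        ("paypal-verify.example", {"user": "bhead", "password": "correct horse"}),
        ("paypal-secure-update.example", {"ssn": "123-45-6789"}),
        ("news.example", {"q": "weather"}),
    ]:
        print(host, guard.check_submission(host, fields))
```

Two limits of this design are worth knowing before relying on it. A keyed hash only helps if the key is kept apart from the digest file; and because values such as a nine-digit Social Security number have very little entropy, anyone holding both the key and the digests could recover them by trial, so the store must be protected as carefully as the plaintext would be. The check also fires only on exact values, so a secret typed with a typo passes unnoticed.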

    Tom Spring

    ©2008 About.com, a part of The New York Times Company.

    All rights reserved.