Transcript of Parry's appearance from EST Dec. 7, 2004 CNN Insight (International) on Phishing
HOLMES: There's a new kind of fishing and a new kind of bait and computer users are paying the price.
The scam is called phishing. That is phishing, with a "ph". The FBI says it is the fastest growing online fraud scheme.
Again, Daniel Sieberg explains how it works.
SIEBERG (voice-over): Susanna Trotter of Richmond, Virginia bought her first computer in 1999. Within three months, her credit card number was stolen.
SUSANNA TROTTER, VICTIM OF INTERNET FRAUD: I got an e-mail from AOL saying that they needed to check my billing.
SIEBERG: Though the message looked real, it was not from AOL -- a corporate sister of CNN, by the way. It was from an online con artist and when Susanna clicked on a link inside the e-mail, it directed her to what appeared to be a customer service page, complete with legitimate links, logos and all the right language. It even had dropdown menus to select her choice of credit card. She was being duped by a very clever identity thief.
TROTTER: Well, the first thing I noticed was on my credit card that there was a charge that I didn't recognize.
SIEBERG: The thief had used the stolen credit card number to purchase some rather lewd content online.
TROTTER: And I called and it was a company out in California. And after much cajoling, I got the girl to tell me that it was an adult entertainment site. And I knew I hadn't signed up for that.
SIEBERG (on camera): The company, of course, was tricked, too. It had nothing to do with Trotter's stolen credit card information. The scheme is called phishing, spelled with a "ph", not an "f". And scammers cast wide nets in the form of mass e-mails, hoping to reel in unsuspecting victims who think the messages are legitimate.
Sometimes, however, their tactics backfire and they hook the wrong guy.
(voice-over): An FBI agent in the Norfolk field office received the same phony AOL message as Susanna. His name is Joe Vuhasz, but we can't show you his face for investigative reasons.
JOE VUHASZ, FBI AGENT: I think there is some sort of irony in the fact that they were sending the e-mail messages out in such abundance that it just so happened that I happened to get one. And one of the things that I specialize in is cyber crime. So I think there is some sort of poetic justice.
SIEBERG: The phishers had hooked an FBI agent and he had the means to track them down. Helen Carr and George Patterson are now serving time in federal prison. Their lure of choice was AOL, but other common phishing e-mails purport to be from eBay, PayPal, Citibank and U.S. Bank, among others.
EILEEN HARRINGTON, FTC CONSUMER PROTECTION BUREAU: Phishers send out huge volume of e-mail to people who may or may not have accounts with the companies that they pretend to be on the theory that these companies do so much business that some of the people who receive these e-mails are bound to have accounts or have done business with them and will bite.
SIEBERG: According to one study, 57 million U.S. adults believe they've received a phishing attack e-mail. It's estimated that 11 million of those people actually clicked on the e-mail's links to the fake Web sites.
And the trend is on the rise, according to the Anti-Phishing Working Group, with a 52 percent average monthly growth rate through June 2004.
The Federal Trade Commission operates the largest consumer complaint databases in North America. Eileen Harrington says phishing is becoming a huge problem, but it's a crime that's completely preventable.
HARRINGTON: Do not ever provide account information, a PIN, a social security number, any kind of personally identifiable information like that in response to an e-mail, even if you think it's from a legitimate and reputable company, because that's not the way that these companies do business.
SIEBERG: Susanna was able to reverse the charges on her credit card, but was rattled by the whole experience.
TROTTER: I had felt like I was safe. I didn't know enough to realize I wasn't safe. And sure, ever since that happened, I'm very, very careful.
SIEBERG: On the Internet, seeing is not believing. The logos, language and look of anything online are very easy to copy. If you think your billing records need updating, don't take the e-mail's word for it. Contact the company independently and directly yourself.
Daniel Sieberg, CNN, Atlanta.
(END VIDEO TAPE)
HOLMES: This is a growing problem. What can computer users do to protect themselves from such Internet scams as phishing?
Well, joining us now to talk about this is Parry Aftab, a lawyer who specializes in cyber crime and is the executive director of WiredSafety.org.
Thanks so much for your time.
One figure I read was that 5 percent of people fall for phishing expeditions, if we can call it that. That is a lot of money potentially.
PARRY AFTAB, WIREDSAFETY.ORG: It's a lot of money and it's a worldwide problem, not just one in the United States.
HOLMES: How much money are we talking about?
AFTAB: Billions and billions and billions, because we have no way of really knowing. And the interesting thing is that you talked about the FBI agent who was phished. I've been phished. And when people come to the person who runs a group with thousands of volunteers to protect others, you know that if I am almost caught, other people who don't know as much will be caught for sure.
HOLMES: Tell me this, what is the first indication that you've been had? Is it that suspicious purchase on your credit card? Is that normally the first anyone knows that they've been phished?
AFTAB: Well, if they're phishing your credit card, you'll find out on a statement. And in the United States we have different legal protections than you do outside of the United States on being able to challenge your credit card for fraud.
However, if they're phishing your identity, so they've sent you an application for a new credit card or something special that you need to put in that may have your tax identification number or some social identification numbers to allow them to go in and apply for new credit under your name, you may not know until you're denied credit or someone starts sending you bills for something you didn't buy.
HOLMES: While some people have probably not heard about phishing, many have. I'm curious whether many people get caught for doing this.
AFTAB: So many get caught doing it. The first time I received it, it was in the guise of PayPal, and someone asked me to sign in to our charitable account because there was a problem.
If I had had our code name, I would have done it. Instead, I sent it to the head of our security and our fundraising group, saying put it in, and luckily the head of security said Parry, you were caught.
They also masquerade as sites where you can buy software at much reduced prices or even download pirated motion pictures before they hit movie theatres, asking for your credit card. Then that site doesn't charge you, but they sell your credit card information to another that will.
HOLMES: How hard is it to catch these people?
AFTAB: Well, it's hard because most people don't know how to give up the evidence we need to be able to track where it's coming from, and the sites are quite good. They may counterfeit a seal for BBBOnLine or TRUSTe. They have all of the links in place that look right. And every once in a while, unfortunately, a legitimate company sends out an e-mail that looks like a phish but isn't.
So you're never really sure. The answer is, if you get anything that comes to you from your bank, from a company you want to buy from, from anybody, and asks you to sign in to a link, get out of there and log into the site the old fashioned way, through your browser, and don't ever give any information to anyone you get on e-mail, even if it looks legitimate, even if you have an account with them, even if you're absolutely sure they're trustworthy, because in all likelihood they're not.
HOLMES: I was looking around your Web site today. You cover a lot of other issues as well. If we can touch on some broader issues of privacy on the Internet in a general way, there is so much information out there that pretty much there are people who say that they can find out anything about anybody. Are we safe to do anything on the Internet?
AFTAB: Well, you're safe doing things on the Internet if you're careful. So what you need to do is not give out personal information. Don't give out your name, address, telephone number. When you're applying to register at a Web site, use a special e-mail address that you've created with Hotmail or Yahoo! or one of the other free Internet accounts just for signing into sites. That will get all of the spam and all of the junk mail and hopefully all of the phishing. You'll check it when you need to because you registered, but people won't be able to find you otherwise.
Google yourself. Check your name, address, telephone number, your mobile number, and see if anyone has it online you can find. If they do, ask them to take it down. You can really protect yourself from most of this online.
HOLMES: You know, cyber commerce is so enormous now and I have this debate with my own mother, who will not buy anything on the Internet. I buy just about everything on the Internet. My argument to her is it's no different than giving your credit card up at a restaurant if you're on a reputable site. We don't want to frighten people, do we?
AFTAB: Absolutely we don't. And e-commerce is fabulous, and your mother, you should tell, that she can shop from midnight in her bunny slippers without having to go out in bad weather. So it's a wonderful place.
But we need to be as intelligent as we are when we're in a supermarket or we're in a restaurant, we hand off our credit card. But we don't, say, hand it to somebody at the next table or hand it to a stranger outside the restaurant. We have to use common sense and always don't believe everything we see. We just need to be a little skeptical, make sure that we're protecting ourselves and know where to go when things go wrong.
HOLMES: Two things I want to cover very quickly, if I can. One is adware and spyware. There are a couple of programs out there that will track down these things, just to let people know what that is, because a lot of people, it appears on their computers, they just don't even know it's there.
AFTAB: Well, you know, where they recognize it is when these things pop up on the screen, even when they're not online. So you may be surfing something and find ourselves encountering pornography or something else you don't want, ads for Viagra. So that usually comes from adware, spyware, or what we call malware.
There are some good programs out there. Lavasoft makes one called Ad-Aware and it's free as long as you run it every time you need to. Spybot is very good as well. And we have a lot of that information at WiredSafety.org.
We're a charity and you can trust us when we review a product.
HOLMES: I use both of those, actually.
The final thing I want to ask you about is there are some of us out there who get mad when people try to do these things. Can we track them down? What do we do if we want to report this?
AFTAB: Well, you shouldn't track them down. You need to go to professionals.
What you can do is you can come to WiredSafety and our security team will tell you what we need to get from your e-mail communication. You need to save a header and you need to make sure not just forwarding the e-mail, but everything, including the electronic things that go before it, so we can track it.
You can go to the Anti-Phishing Working Group site, which is AntiPhishing.org, or you can come to us at WiredSafety.org, and we'll help you. We actually are going to be using Spider-Man and all of his friends on Internet safety awareness on spyware and phishing around the world, including some special custom comics, and we hope to get a lot of those in Europe and in Asia involved as well.
HOLMES: They're both great Web sites. I was looking around them today.
I want to thank you, Parry Aftab, a lawyer specializing in cyber crime. WiredSafety.org is the Web site. Thanks so much.
AFTAB: Thank you very much. I appreciate it.
HOLMES: Good information there.