Phishing the next big problem?

Phishing attacks use SPAM which appears to originate from a legitimate source such as a bank or ecommerce site. The SPAM message alerts the recipient to a "problem" with their account, and links to a URL that lets them login to fix the problem. The URL is really on a Web server controlled by the phisher, who learns the victim's password and other personal information. The result might be identity theft or even direct theft of funds from the victim's account.

I don't see any easy way to defend against this attack (esp. in red states ;-), since the email and Web site can look very authentic. I have seen some very high quality EBay and Citibank phishing attacks - certainly good enough to fool most of the population.

Companies (especially banks) have been pushing consumers to use the Web to manage their accounts, as there is a tremendous cost savings. It appears that Web transactions and phishing are about to collide head on.


John Thompson, Symantec CEO, in WSJ:

The more threatening and challenging task, however, is phishing. And I don't mean fly-casting. I mean phishing for credit-card information, Social Security numbers, mothers' maiden names. Popular Web sites or popular brands are hijacked to divert unsuspecting consumers and even small businesses off to a spot where their identities can be stolen. Phishing is growing, by the latest estimates, at 110% a month -- a month.

You couple that growth rate with a 5% response rate [to e-mail sent by phishers], and you're going to see an enormous problem. It's relatively easy to do. I mean, you can cut and paste the Citigroup logo off their Web site without a whole lot of hard work. They're hijacking very, very important and powerful brands to catch your attention.