Some customers of the popular PayPal online payment service were swindled recently after identity thieves used spam and phony Web sites to swipe their personal billing data and credit card numbers.
The PayPal scams and others like them point to the growing problem of identity theft on the Internet. The U.S. Federal Trade Commission reports that identity theft has been the top complaint registered in its Consumer Sentinel database for the past three years. And in July, Gartner said that in a survey of approximately 2,400 households, 3.4 percent of U.S. consumers had been victims of identity theft. Translation: more than 7 million consumers were victims of identity theft from June 2002 to June 2003.
The increased identity theft activity prompted the FTC, Federal Bureau of Investigation, the National Consumers League and ISP EarthLink Inc. to publicly warn Internet users about the dangers of online identity theft scams. In particular, the groups pointed to the growing numbers of so-called “phisher” Web sites, which are designed to look exactly like legitimate Web sites, such as Amazon.com, BestBuy.com and PayPal.com.
Customers of those sites are often lured by spam purporting to come from a customer support rep at the company. The e-mail messages provide Web links to the phisher sites and ask customers to update their account information, often threatening to cut off their accounts if they don’t. When victims enter their information into forms provided on the phony sites, that information is sent to servers owned by the thieves, which are often located outside the United States.
Since the beginning of 2003, a number of high-profile companies have had their good names sullied by phisher e-mail scams, including Citibank NA and Best Buy.
CSOs can take steps to educate employees about such dangers.
Security tips to pass on to employees:
• Exercise extreme caution when responding to unsolicited e-mail messages that ask you for personal, financial or identifying information, such as a social insurance number, account password or credit card number.
• Navigate to a company’s Web site yourself if you need to update account information, rather than following links to a site from an e-mail message or another Web site.
• Beware of sites that have long or odd-sounding domain names. Phisher sites often use legitimate-looking Internet addresses. For example, www.paypal-billingnetwork.net was the address of a recent phisher site targeting PayPal (www.paypal.com) customers.
• Report suspicious e-mail messages to your ISP, and contact the company in question if you have concerns about an e-mail message that you received.
• Contact your local police if you feel you’ve been victimized.