Like a Daredevil lure on Lake Pepin, e-mail messages asking for personal information verification always seem to get a few bites.
“Phishing” is the process by which malicious Internet users seek to dupe people, via e-mail, into providing information such as passwords, account information or Social Security numbers by posing as organization representatives.
The scammers use the information to clean out bank accounts or steal identities.
Social engineering is what makes phishing’s bait so effective. People are predisposed to taking an order at face value and wanting to please the boss or organization that generated the request, according to the Anti-Phishing Working Group.
In security circles, social engineering means using bits of information such as an online membership or account to make a person believe the sender of the e-mail is a representative from that company, said Ken Hanna, director of security and assurance for the University’s Office of Information Technology.
Scammers exploit the fact that people want to protect their information and are quick to follow the directions in the e-mail, he said.
“It’s amazing how they use an awful lot of psychology in crafting these things,” Hanna said.
Phishing scams often use a technique called e-mail spoofing to generate a bogus return address that appears to have been sent from a known organization such as eBay, PayPal or an Internet service provider.
“(Recipients will) say, ‘My gosh, those are the people that maintain my network. That must be something I’ve got to do,’ ” Hanna said.
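The spoofing described above works because the visible From line is just a header the sender writes. One defensive check a mail filter can apply is to compare the domains in the From, Return-Path and Reply-To headers and flag mismatches. The example below is added here and is not code from the article or from any organization it quotes; the sample message is constructed, and the two heuristics (bounce address and reply address pointing at a different domain than the claimed sender) are assumptions for illustration, not a complete phishing detector.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not from the article): the display name and
# From address claim to be a credit union, but bounces and replies are
# routed to unrelated domains, a common sign of a spoofed sender.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Credit Union Security" <alerts@examplecu.com>
Reply-To: verify@examplecu-secure.example.org
To: member@example.com
Subject: Please verify your account

Your account has been suspended. Click the link to verify.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message: str) -> list[str]:
    """Return header-level indicators that the sender may be spoofed.

    Heuristics (assumed for this example, not an exhaustive check):
      - Return-Path domain differs from From domain (bounces go elsewhere)
      - Reply-To domain differs from From domain (replies are diverted)
    An empty list only means no mismatch was found; a spoofer controls every
    header, so this should be one signal among others (e.g. SPF/DKIM results).
    """
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))

    indicators = []
    if from_dom and return_dom and return_dom != from_dom:
        indicators.append(
            f"Return-Path domain {return_dom!r} differs from From domain {from_dom!r}"
        )
    if from_dom and reply_dom and reply_dom != from_dom:
        indicators.append(
            f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}"
        )
    return indicators


if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE_MESSAGE):
        print("suspicious:", finding)
```

Run as a script it prints one line per mismatch for the constructed message; a genuine notification from an institution that sends from its own domain and receives replies and bounces there produces none. The function only looks at headers, so it is cheap enough to run on every inbound message before heavier checks.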
There is no federal law specific to phishing scams yet, but Sen. Patrick Leahy, D-Vt., introduced the Anti-Phishing Act in February 2005. If signed into law, the act would make phishing a felony punishable by as many as five years in prison and a fine.
The courts often are inclined to apply communication laws already on the books to the Internet, said University law professor Dan Burk.
“Sometimes you can make that fit, but a lot of times there’ll be specific things that don’t exactly seem to fit the way the Internet works, and so eventually the Legislature gets around to update things to better fit the way things work on the Internet.”
The delay in passing the bill often lies in distraction, Burk said. Building support becomes a challenge when the nation faces disasters, Supreme Court nominations and presidential spying, he said.
“A lot of things sort of sit and don’t get moved,” Burk said.
The bill has been in the hands of the U.S. Senate Committee on the Judiciary since its introduction.
The global reach of the Internet will make a federal law difficult to enforce, Hanna said.
Affinity Plus Federal Credit Union, whose name has been used in recent phishing scams, has worked to educate its members and employees, said Keith Malbrue, chief information officer for the credit union.
“We’ve specifically told members that we’ll never contact them in that manner,” he said. “I would think that most reputable financial institutions wouldn’t ask in that manner either.”
If suspicious activity as described in many of the bogus e-mails actually occurred, the credit union would call the member, Malbrue said.
“If it doesn’t feel right or if it feels weird, it probably isn’t right,” Malbrue said. “Go with your gut, and I would always make a call to whatever financial institution they may be affiliated with and ask.”