
Monday, December 06, 2004 - Page updated at 12:00 A.M.

E-conomy / Paul Andrews
Don't take bait if e-mail smells phishy

With the holiday season fully under way, chances are you're doing more shopping online than ever before.

Chances are you're receiving more of a particular type of dangerous spam as well.

I'm talking about "phishing." Phishing is hacker slang, complete with hacker spelling, for bogus e-mails that mimic banks, credit-card providers and legitimate businesses in an attempt to get you to reveal logons, passwords and financial data. Online criminals, in other words, hope to hook unsuspecting users with fraudulent e-mail and Web site prompts.

Here's how it works. You get an e-mail that appears to come from a bank or vendor you normally would trust. The e-mail asks you to update your account, verify a transaction or otherwise respond by clicking on a Web link. The link sends you to a dummy Web site configured to look and feel like the real thing. When you fill in your logon and password, the phisher records it and has an open door to your actual account.

Phishing has been around for quite a while. In a May report, Gartner estimated that 1.8 million consumers had been victimized by identity theft through phishing attacks. But this past October alone witnessed a one-month doubling in phishy Web sites, so the victim count undoubtedly is much higher by now.

Trust me — you don't want to suffer through an identity theft. A successful phish costs the victim an average of $1,200 and a whole lot of anguish. Moreover, if the account is not insured against phishing, the consumer may never recover lost funds.

Here's the worst part about phishing: The crooks are getting better at it. Early phishes were easy to ignore because they contained erratic formatting, suspicious-looking links and often faulty grammar. They didn't even look like something a bank would send you.

But phishers have gotten very good about mimicking legitimate operations through brand logos, official language and authentic-looking links.

Recently I received a phish supposedly from Washington Mutual Bank, notifying me that unauthorized individuals had attempted to access my account. It wasn't as obvious a phish as most. After all, it sounded as though it was trying to stop an actual phish on my account.

I printed out the e-mail and took it to my local branch. I was gratified at the response. The personnel there called up my account, had me verify transactions going back two months, and gave me a name and number to call if I received any further phishes. They treated it pretty seriously, in other words.

To help fight phishing, vendors typically send confirmation e-mails of transactions. But phishers send similar messages, and the holiday crush may make it hard to distinguish the two. If you just put in an order and then get a phish, how do you know it's bogus?

The general rule of thumb: Never respond by e-mail or by clicking on a link. Legitimate businesses almost never ask for a response by e-mail. The exception might be if you did not place an order. The business would then want to know, but wouldn't ask for personal information.

The FTC has set up some procedures to help fight phishing. It asks that suspicious e-mail be forwarded to If you feel you've been defrauded, you can file a complaint at

One thing that can aid investigators is to print out or forward a phish with header information (tracking the mail from source to you by Internet servers). The header information is usually hidden by default but can be revealed by your e-mail program if so directed.
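As an added illustration that is not part of the original column, the Python sketch below reads the header information of a saved message, lists the servers it passed through in source-to-you order, and flags two common phishing signs: a Return-Path domain that differs from the From domain, and a link whose visible text names one host while it actually points to another. The sample message, its hostnames and the names `analyze` and `LinkParser` are constructed for this example, and hosts are compared by exact name only.

```python
import email, re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real phish); every host is a reserved example name.
RAW = b"""\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailbox.recipient.example; Mon, 6 Dec 2004 09:00:03 -0800
Received: from relay.unknown.example (relay.unknown.example [198.51.100.7])
\tby mx.recipient.example; Mon, 6 Dec 2004 09:00:01 -0800
Return-Path: <bounce@unknown.example>
From: "Bank Security" <alerts@bank.example>
Content-Type: text/html; charset="us-ascii"

<p><a href="http://login.unknown.example/verify">https://www.bank.example/login</a></p>
"""

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this link
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each server prepends its own Received line, so reverse for source-to-you order.
    hops = [re.search(r"from\s+(\S+).*?\bby\s+([^\s;]+)", str(h), re.S).groups()
            for h in reversed(msg.get_all("Received", []))]
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    bounce = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    findings = []
    if bounce and bounce != sender:
        findings.append(f"Return-Path domain {bounce} differs from From domain {sender}")
    parser = LinkParser()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in parser.links:
        shown, actual = urlparse(text).hostname, urlparse(href).hostname
        if shown and actual and shown != actual:  # text claims one host, href another
            findings.append(f"link shows {shown} but goes to {actual}")
    return hops, findings
```

Calling `analyze(RAW)` returns the hop list and the findings; the From and Return-Path lines are set by the sender, and so is any Received line below the ones added by your own provider's servers.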

If you just can't tell whether you're being phished or not, the FTC advises you to contact your vendor by a telephone number you know to be legitimate from a bill or other account document. Using a telephone in the Internet era can, as we all know, be a frustrating experience. But it could save you and your vendor a lot of trouble.

Paul Andrews is a freelance technology writer and co-author of "Gates." He can be reached at

Copyright © 2004 The Seattle Times Company
