Don't let yourself be reeled in by a 'phishing' expedition

THE E-MAIL from the bank looks legit - corporate logo and all. It warns that your account may have been used for fraudulent purposes or hijacked by identity thieves. It provides a Web site link and urges you to sign in with your account number and PIN to verify that all the charges made to your account are valid.

The Web site looks legit, too - but if you enter your account information, it won't go to the bank. Instead, it will go straight to one of the identity thieves that the original e-mail warned about. And you'll wind up with nothing but grief.


It's called "phishing," a new wrinkle on an old scheme that's making the rounds through e-mails, viruses and phony Web sites. For months, an increasing number of phishers have been targeting customers of online services, banks, credit card companies and retailers around the world.

They include clients of America Online, EarthLink, AT&T; Worldnet, Yahoo, CitiBank, FirstBank, BankOne, Lloyds Bank, eBay, PayPal, Visa and


Typically, a phishing expedition starts with an e-mail that warns of some problem with an account, or promotes a special offer, and directs you to a Web page that's a dead ringer for the site of the company or bank you do business with - right down to the graphics and log-on forms.

Sometimes it is the real company Web page - topped by a pop-up form that asks you to enter your account name, password, credit card number, Social Security number or other information.

However real it looks, the information you enter goes straight to the scammer, who can then steal your identity, hijack your ISP account for spamming, drain your bank account or make purchases on your credit card. By the time you find out, the phony Web page will likely be gone.

Millions of phishing messages bombarded the Internet over the holiday shopping season, and some security experts estimate that as many as 5 percent of recipients take the bait (which is why it's known as phishing - hackers like to substitute "ph" for "f").

The problem is so serious that a consortium of banks, credit card companies and online retailers has established an anti-phishing Web site, www.anti You'll find lots of information there, including an archive of the e-mail subject lines that phishers are using and a form to use to report phishing attempts.

Although the first phishing attacks were straight e-mail messages with Web links to phony sites, there's an even newer wrinkle. Hackers, most likely in Russia, have developed two Trojan horse programs known as MiMail and MmdLoad that arrive as e-mail attachments.

If you double-click on the attachment, it unleashes a program that not only takes you to a phony sign-on screen but also uses your e-mail client to send a copy of the booby-trapped message to everyone on your contact list.

Making these schemes even more effective is the disclosure of yet another security flaw in Microsoft's Internet Explorer, which allows a malicious Web site operator to "spoof" his location. There's no patch for it.


Normally, the address of the site you're visiting appears in the address bar at the top of your browser window. But an exploit uncovered in December can put a fake URL in the address bar. So it looks as though you're logging on to Favorite, when you're really seeing a fake site run by

How can you protect yourself against phishing? By playing it smart. No legitimate company will ask you for personal account or Social Security information in an e-mail, even if the mail is formatted to look like a Web page. If you have any questions or doubts, call the company on the phone.

Second, never open any attachment in an e-mail that you're not expecting, even if it seems to come from someone you know. Chances are good that it's a worm or a virus, even if it's not a phishing expedition. Many corporate systems filter these executable files out so they can't do harm, but many home users are still vulnerable.

Also, beware of faked Web links, whether they're contained in e-mail that's formatted like a Web page, or located on Web pages themselves.

First, let's see how easy these are to create. In the address bar of Internet Explorer, type this: It looks like it should take you to, but when you click on "Go" or hit Enter, you'll wind up on SunSpot, the Baltimore Sun's Web site. That's because IE ignores everything before the "@" sign - one of the flaws that phishers like to exploit.

Using other combinations of odd characters, such as "%00" or "%01," before the ampersand in the code underlying a Web page can fake out even careful users who roll their cursor over a link and look on the status bar at the bottom of the screen for the true address of the link.


If you haven't tried this, surf to your favorite Web site and make sure the status bar at the bottom of your Web browser is visible. If it isn't, click on View menu and select status bar. Now move your cursor over any link. The address will appear on the status bar. This also works in Outlook Express with mail that's formatted as a Web page.

Unfortunately, a good hacker can fool the display in the address and status bars, sending you to a phony Web site. You'll find a good demonstration at Secunia, a Danish security site (

According to Microsoft, one way to check on the legitimacy of a link on a Web page is to right-click on the link and choose "Copy Shortcut" from the menu that pops up. Now run Notepad and choose Edit/Paste to display the link as text. If it's different from the address that popped up in the status bar, you're being spoofed. You'll find other, equally clunky workarounds in a Microsft alert at Microsoft should fix this flaw in a hurry.

If you're suspicious about the true identity of any page once you get there, right-click on any open space on the page (not a link, graphic or text) and choose Properties from the pop-up menu. You'll see a box with the real address displayed.

You could also switch to another Web browser, such as Netscape, Mozilla or Opera, which isn't vulnerable this way. But it's best to be careful in the first place. If you think someone's phishing, don't take the bait.