WASHINGTON - Sitting at his home in Virginia Beach, Joe Yuhasz almost reached for his wallet when an e-mail message popped into his inbox and told him America Online needed to verify his credit card information.
The site linked to the e-mail looked identical to AOL's billing center, until Yuhasz noticed that the domain name was a fake - a scam commonly known as "phishing." Most people recognizing a possible fraud would have deleted the message and moved on. But Yuhasz, a cybercrime specialist for the FBI, had other plans.
The ensuing investigation led to the conviction of two people, the last of whom was sentenced three weeks ago to four years in prison, and netted hundreds of stolen credit card numbers from across the country.
A growing problem
This type of scheme, which tricks people through fake Web sites and sob stories into giving up their credit card and bank numbers, is threatening to swamp the bureau's Internet crime center with the volume of attacks.
And while the scams were once the product of a few small-time hackers or anti-establishment loners in the United States, FBI officials and computer experts are seeing growing signs that the culprits are members of organized crime and terrorist support groups, almost all of whom are working from abroad.
"It has been significantly increasing month after month," says Dan Larkin, chief of the FBI's Internet Crime Complaint Center. "United States citizens and businesses are very attractive targets for the world. We're getting clobbered."
The e-mail, which asks people to "update" their personal information - Social Security numbers, dates of birth, passwords and the like - or tells a well-concocted tale meant to trick people into divulging their credit card and bank account numbers, comprises more than half of the 15,000 monthly citizen complaints filed to the FBI's Internet crime center.
The fraud schemes have become the single most prevalent crime on the Internet, experts say, and they have become markedly more sophisticated over the past few months.
FBI officials suspect the scammers' growing skill is a sign not of a learning curve but of the introduction of more savvy and experienced criminals into the fraud schemes. Officials believe crime syndicates - especially in Russia and the former Soviet bloc - have begun to realize how much money they can make with little or no overhead.
They say terrorist sympathizers, possibly operating out of Africa and the Middle East, have also begun using phishing schemes to steal identities and make fast cash after being shut out by counterterrorism measures from their traditional avenues of funding, such as bogus charities.
"There is so much money being made off these schemes," Larkin says. "There's a lot more thought going into them and to keeping law enforcement at arm's length."
In December, Tumbleweed Communications, a 5-month-old anti-phishing consortium in Redwood, Calif., clocked more than 60 million phishing schemes sent out via e-mail - the highest monthly total.
The problem, though, is not just that there are more messages coming, but that more people are falling for them.
Dan Maier, senior program marketer for Tumbleweed, says that a year ago, phishers could be easily spotted by their poor English and bad logo designs.
One well-known example was an e-mail purportedly from Citibank written in what Maier's team calls "Russian English." Now, phishers seem to have mastered the proper grammar and lingo, usually stolen from actual company messages, as well as detailed graphics that, for example, warn customers of a "fraud alert: please confirm your account."
While only .01 percent of all computer users respond to regular spam, up to 5 percent of phishing recipients message back.
"They're playing on the trust people already have in their banks, their [Internet service providers], eBay," Maier says. "They hijack the brand because people trust the brand. They trust e-mails they get from their bank."
Until recently, there has been little that law enforcement could do to catch phishers abroad. Most host countries have had little interest in devoting resources to stopping the elusive practice, which moves quickly from Internet cafe to Internet cafe and country to country.
One criminal can send a million e-mail messages within minutes with a single list - and many of the e-mails now contain electronic "trap doors" that allow phishers access to company or personal e-mail lists containing hundreds of thousands more names.
"They believe the United States law enforcement is too far away and that their transactions are too well concealed for them to actually be caught," Larkin says.
FBI officials have recently made headway in Ghana and Nigeria, where a team of investigators touring last summer stumbled upon dozens of open-air markets selling long lines of stolen goods, high-end electronics and luxury items from the United States, bought with stolen credit card numbers.
"Nigeria and Ghana, these countries want United States business to come to their country," Larkin says. "And we're kind of bartering with them, saying, 'We can help that happen if you guys can step up to the plate and develop some credible law enforcement response to these activities.'
"They're now turning cases around, where really a year ago we could get next to nothing done," Larkin says. "The capabilities in those two countries have gone up dramatically."
As soon as Nigerian and Ghanaian officials began cracking down, bureau agents at the FBI fraud center watched as the phishing e-mails began flowing out of Spain, the Netherlands, Ukraine and Latvia - the latest hot spots.
The FBI's Internet crime center, located in an unmarked building in Fairmont, W.Va., that used to be a bank, has become one of the world's largest repositories of fraudulent spam. The 60 agents and staff members have joined with hundreds of businesses to share information about phishing schemes.
Until recently companies were holding back a lot of pertinent information - or not reporting attacks at all - for fear that consumers would lose faith in their brand names if they were exposed as compromised. Companies are now reporting 100,000 incidents a month.
FBI officials have had to upgrade their databases to try to keep up with the influx. Unlike most people, who hate getting spam, Larkin and his team at the center relish it. Most spam, Larkin says, is fraudulent. Last week, millions of computer users received a phishing e-mail that warned, "Your card has been billed for $149.95," for pornography, telling people to send their account information to "cancel" the subscription.
Real companies will never ask for account and credit card information over e-mail, FBI officials say, and all e-mail messages that do ask for such information should be reported to the FBI at www.ic3.gov.
As more people get online, though, experts expect people new to the Internet to be targeted. Scammers, once content to use the phone to target elderly people - the fastest-growing group of Internet users - have found phishing far easier and less time consuming.
Phishers Helen Carr of Akron, Ohio, and George Patterson of Jeannette, Pa., missed their mark when they sent Special Agent Yuhasz their electronic bait from "AOL."
Carr was sentenced to four years in prison Jan. 20, and Patterson received a three-year term last summer.
"Yeah," Yuhasz says. "It wasn't very lucky for them."