Fraudsters continue to trick people into revealing personal information and passwords by sending emails appearing to come from legitimate companies. eBay and PayPal are frequent targets of spoof emails, and fraudsters have also posed as banks, ISPs and retailers. The Anti-Phishing Working Group is an industry coalition working to eliminate the problem of phishing and email spoofing attacks by developing and sharing information about the problem, and promoting the visibility and adoption of industry solutions. One of the group's most useful features is a database of sample hoax emails, found at http://www.antiphishing.org/phishing_archive.html.
In May, Tumbleweed Communications Corp. and The Anti-Phishing Working Group released a report that showed email fraud and phishing attacks grew by more than 180% in April, with an average of 38 new unique attacks sent out to millions of consumers each day. (A copy of the report in PDF format can be downloaded at http://www.antiphishing.org/APWG_Phishing_Attack_Report-Apr2004.pdf.) The company most targeted by phishing attacks in April was Citibank with 475 unique attacks. This represented the first time that eBay was not the most targeted company.
Spoof email made to look like it's coming from eBay usually conveys a sense of urgency, counting on people to panic and reply right away before they have time to think. Some messages include a line like this: "We will shut down your account if you don't immediately verify your account information, click on the link below." Other messages tell recipients they will get a reward, like the one that urged people to click through so they could get 30% off eBay service fees in recognition of earning a feedback star.
Recent legislation hopes to deter phishing and identity theft by increasing the penalties for those convicted. According to authors of H.R. 1731, known as the Identity Theft Penalty Enhancement Act, "currently under 18 U.S.C. Sec. 1028 many identity thieves receive short terms of imprisonment or probation; after their release, many of these thieves will go on to use false identities to commit much more serious crimes." More information about the bill can be found online at http://digbig.com/4bkmq.
Jahan Moreh, UCLA educator and chief security architect of Sigaba secure messaging (http://www.sigaba.com/products/secure_email), said the bill addresses one aspect of the phishing problem, but there needs to be a technical aspect as well. Sigaba promotes email that authenticates all parties – senders and receivers. However, authentication always requires someone to vouch for the identity of a party. Moreh said he sees organizations like banks and even eBay acting as trusted ID brokers. Banks can bind your ID with your current email address, and provide identity verification. Moreh believes it is inevitable that companies like eBay will use secure email, which Moreh believes is the only solution to phishing problems.
In the meantime, AuctionBytes' recommendation continues to be: never click on a link in an email to log in to a site. Open a browser window, type in the URL of the site, and log in, making sure to use secure sign-in (look for the "https" in the address line).