SCAMS: Can You Smell the Phish? (Page 2 of 4)
by Kristin W. Davis
Phishermen
Perpetrators fall into two categories: Think of one group as rod-and-reel hobbyists, and the other as an international fleet of commercial trawlers. The former are far easier for law enforcement to catch.
Alec Scott Papierniak, a 21-year-old student at Minnesota State University, in Mankato, got caught after sending e-mails to thousands of PayPal users, prodding them to "update" account information. His bogus PayPal page captured victims' user names and passwords and e-mailed them to an online account he controlled. Then he hijacked the accounts to make fraudulent purchases or transfer cash to himself. Papierniak is serving an 18-month sentence at the federal prison in Duluth, Minn., and has been ordered to pay $25,000 in restitution.
Francisco Chacin, a 21-year-old from Hialeah, Fla., pleaded guilty last year to phishing for eBay user names and passwords, then setting up fraudulent auctions under those users' identities. The items up for auction didn't exist; Chacin simply collected the winning bidders' money and ran. He's serving 30 months in prison and was ordered to pay more than $33,000 in restitution.
Helen Carr, a 56-year-old woman in Akron, Ohio, lived in her 80-year-old mother's home and told the FBI that she made her living sending pornographic spam from computers located in her basement. Her phishing scheme sent mass e-mails to AOL subscribers, seeking credit-card numbers and other personal information. (Each mailing to thousands of subscribers netted 20 to 50 credit-card numbers.) Carr was caught when one of her e-mails landed in the AOL account of an FBI agent, who was curious enough to track her down. She is currently serving 46 months in Alderson Federal Prison, in West Virginia.
Van T. Dinh, a 20-year-old resident of Phoenixville, Pa., picked a victim's e-mail address from an online stock-charting forum and sent a message inviting him to participate in a "beta test" of a new charting tool. Instead of a program, the investor unwittingly downloaded a key-logging virus that captured his TD Waterhouse log-in name and password. Dinh then wiped out the account's $47,000 balance by buying worthless Cisco options that allowed Dinh to unload a losing position in his own brokerage account. Dinh pleaded guilty and was sentenced to 13 months in prison. He was also ordered to pay restitution and a $3,000 fine.
Don't assume it takes a computer whiz to be a phisher. Most of these small-time identity thieves aren't masterminding their own attacks. In hacker lingo, they're known as "script kiddies," amateurs who download do-it-yourself "phishing kit" software from the Internet and point and click their way to an e-mail fraud. The kits include all the Web code, logos and text needed to build a bogus site, and spamming software to cast a wide net.
"It's the difference between buying a set of lock picks and making your own," says Matthew Parrella, an assistant U.S. attorney in San Jose, Cal., who prosecuted Papierniak and Chacin. Many phishing e-mails look and sound alike because they come from a common source, Parrella says.