Cardholders prey in game of Go Phish
From the June 25, 2005 edition, The Atlanta Journal-Constitution, News section, page A1
By Peralte C. Paul
Hours after MasterCard announced June 17 that 40 million credit card accounts might have been exposed to fraud, con artists were on the Internet asking credit card holders to enter account numbers and passwords to "verify" their information.
The e-mails began appearing a day after MasterCard International disclosed a security failure at Atlanta-based CardSystems Solutions Inc. that made millions of credit cards vulnerable to fraud, including 13.9 million MasterCards.
Scam artists instructed cardholders to link to a fake Web site designed to look like an Internet address for MasterCard. They were asked to enter their user ID and password and answer identifying questions, such as mother's maiden name.
The bogus e-mail warned cardholders that if they didn't provide the information within five days, they couldn't access their credit card account.
This particular scam, which claimed to originate from Master Bank of Moscow, didn't last too long, after security experts and Internet scam watchers began alerting one another.
But security experts predict more of these attacks, called "phishing," as Web con artists seize on consumer fears about the breach at CardSystems.
"We expected this," said Vincent Schiavo, a vice president at Secure Computing Corp. of Seattle, among the first companies to call attention to the phishing expedition.
The company, which develops Internet security software and hardware, said some of its own staff received the bogus e-mail last weekend. They began to notify clients and post warnings on public Internet message boards this week.
Consumers lost $929 million last year to phishing scams, estimates Gartner Inc., a technology research firm based in Stamford, Conn.
And the number of consumers who receive phishing e-mails is increasing at a dramatic clip: up 28 percent last year, Gartner said.
The Federal Trade Commission says consumers forward 300,000 scam e-mails a day to the anti-spam/phishing link on the regulatory agency's Web site.
The volume underscores the need for consumers --- increasingly comfortable with doing banking and other business via the Web --- to be more vigilant with their personal and financial information, experts say.
That means never responding to e-mails asking for personal information such as Social Security numbers, bank or credit card numbers or passwords, Schiavo said. And if you get an e-mail you think might be suspicious, call your bank or credit card company.
The Master Bank scam appears to be the first phishing directly linked to the CardSystems breach.
MasterCard declined comment on the attack. But the company said it continually watched for these scams and had seen no significant increase in phishing activity.
Officials from Visa USA and American Express Co. said they monitored for phishing attacks but reported no incidents related to the CardSystems breach.
A spokeswoman at Discover Financial Services said the company had no immediate comment.
CardSystems, citing two ongoing federal investigations of its security failure, declined comment. The payment processor discovered the security problem May 22.
The company has said that at least 68,000 card account numbers --- and the information that goes with them, such as names and expiration dates --- were stolen by someone who managed to gain access to its network.
The FBI has launched an investigation. And the Federal Financial Institutions Examination Council, a group of five federal banking regulators, is engaged in a separate investigation of CardSystems.
A woman who answered the Master Bank customer service telephone number listed on its Web site said an official bank representative wasn't available for immediate comment on the phishing incident.
"Whoever is doing the phishing attack, they're pretty clever in that they're appearing to be capitalizing on the fears and the concerns that consumers may have," Schiavo said.
He said he expected more con artists would try to trick consumers because of all the attention the CardSystems breach has received.
And although Internet service providers and Web search engines can take down the bogus sites after they're found to be scams, it's often difficult to trace them back to whoever posted them.
"The criminals that are mounting these attacks use other people's networks or home PCs to make it appear as if they're sending them," Schiavo said.
DON'T GET TAKEN
Phishing scams --- where a con artist sends an e-mail purporting to be from your bank or credit card company --- are on the rise. To protect yourself, remember:
- Financial institutions and credit card issuers never send an e-mail asking for your personal information.
- Never respond to e-mails asking for passwords, account information, Social Security numbers and other personal information. Don't click on any links embedded in those e-mails, either, because they may download spyware onto your computer, allowing hackers to monitor your keystrokes.
- Keep anti-virus software and computer firewalls up to date.
- Review your monthly financial statements carefully.
- Change passwords regularly and don't share them.
- Forward suspicious e-mails to your bank or credit card company. For example, if you get an e-mail that claims to be from SunTrust Banks about a problem with your account, forward it to: reportfraud@suntrust.com. Other sites to check include: abuse@wachovia.com for Wachovia customers; abuse@bankofamerica for Bank of America customers. You also can report online fraud to the Federal Trade Commission at www.consumer.gov/idtheft.
Sources: MasterCard, Visa, Federal Trade Commission, staff research
