Wired On Friday: When Bonnie Bobbit read the email from Paypal saying that there was a problem with her account, she thought nothing of it. It made sense. She hadn't used her Paypal account in a while and perhaps a credit card had expired. She clicked on the link and re-entered her data.
In the next few days, someone used those details to log onto her Paypal account and purchase more than $1,000 of gaming products from an online merchant.
After the first, suspiciously large purchase, the merchant contacted Ms Bobbit to ask if her purchases were legitimate.
That phone call began a two-month battle by Ms Bobbit to retrieve her money and secure her bank accounts. In the end, she was lucky. Although she had been obliged to open new bank accounts and have her credit cards reissued, she lost no money.
Ms Bobbit had been "phished". Hackers used to call it "social engineering": conning people into revealing sensitive information by masquerading as someone with a legitimate need for the data. Old-style social engineering was, in many ways, the least technical, most "human" of hacker tricks: it used the age-old tricks of the con man more than the tricks of keyboard and mouse. Passwords were lifted with a convincing telephone call, or many weeks of carefully building up a trusting relationship with the victim.
With the rise of Web-based financial services and the ready availability of mass emailing software, social engineering has become high-tech and long-distance. Social engineering criminals "phish" for victims: sending out hundreds of thousands of official-seeming emails, purportedly from banks, online credit cards and services such as eBay and Paypal.
"Your account has been suspended: please click here to logon and re-activate it", they will say. The link looks like it goes to the bank's website.
In fact, it goes to the criminals' machines, dressed up to look like the banking service.
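The column's description of the trick, a link that looks like the bank's address but resolves to the criminals' machine, is exactly the kind of mismatch a mail filter can look for. The following is an added example written for this page, not code from the column or from any of the companies it names: it walks the anchors of an HTML message and flags any whose visible text reads like a web address while the real href leads to a different host. The sample message, the bank domain `examplebank.example` and the IP address 198.51.100.23 (a documentation range) are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased host name of a URL or bare host string ('' if none).
    Bare text such as 'www.examplebank.example' is given a scheme first so
    urlparse treats it as a network location rather than a path."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def find_deceptive_links(html):
    """Return (visible_text, href) pairs for links whose visible text reads
    like a web address but whose href actually leads to a different host."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        shown = host_of(text)
        # Only judge anchors whose text itself looks like a host name;
        # plain "click here" text makes no claim about the destination.
        if "." in shown and shown != host_of(href):
            flagged.append((text, href))
    return flagged


# Constructed sample message (not a real bank and not a real phishing mail):
# the first link is honest, the second displays the bank's address but points
# at a documentation-range IP standing in for the criminals' machine.
SAMPLE_EMAIL = """
<p>Your account has been suspended. Please
<a href="https://www.examplebank.example/login">https://www.examplebank.example/login</a>
or <a href="http://198.51.100.23/login">https://www.examplebank.example/login</a>
to re-activate it. <a href="https://www.examplebank.example/help">Click here</a> for help.</p>
"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shown: {text}\n  goes to: {href}")
```

The check deliberately says nothing about links whose text is ordinary prose; those need a reputation list or user judgement, which is the gap the rest of the column discusses.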
Most people don't fall for the ruse but some, out of millions, do, and that's enough. Phishing is the power of social engineering combined with the economics of spamming.
It's hard to know exactly how much fraud and identity theft come out of phishing, but it's clearly on the rise. The Anti-Phishing Working Group (APWG), an industry body whose members include Visa, Microsoft and Verisign, estimated that attacks were increasing by up to 50 per cent every month over a six-month period. It's a safe bet that a large slice of the global $220 billion identity fraud pie will be coming from phished accounts.
Banks and other institutions that often serve as the subjects of these attacks are scrambling to educate their user base as a first line of defence.
September, for instance, saw a major phishing attack aimed at AIB customers. AIB responded as best it could, with an informative notice on its website about how to spot and avoid fraudulent mails. But, of course, phished victims might not see that message.
The APWG estimates that phishers gather a 5 per cent response rate - a far better response rate than spam has ever had.
Affected corporations are trying to tackle the problem through technical solutions. Earthlink, a major US internet service provider, recently released a toolbar that users can add to their browser which prevents them from going to sites that have been identified by Earthlink as fraudulent.
This is similar to a common early tactic for dealing with spam, and as such suffers from the same limitations. Blacklists work, but they struggle to keep up with the latest fraudulent machines. And how do legitimate sites escape the blacklist if they don't belong there or have fixed an earlier problem?
Phishers are embarking on a technological arms race of their own. Phishing is still about conning the victim but phishers have commandeered even more technological tricks to help them achieve that aim.
They pepper their emails with malicious code to con the user's computer. Some quietly rewrite the bookmarks or Internet Explorer favourites for popular financial sites, so that clicking on the link you saved to your bank's site will lead you astray. Others create websites which seize control of the address bar of any browser, making it possible to redirect you even if you type the address directly into your browser.
Perhaps the most promising solution is to provide an "out of band" authentication system. Online banks could ask you to confirm your identity by sending a text message from your mobile phone. Then phishers would have to get your account details, and your phone.
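To make the "out of band" idea concrete, here is an added example, written for this page rather than taken from the column or from any bank it mentions, of the server side of such a check: a one-time code is generated, sent to the customer's registered phone over a second channel, and accepted only once, only within a short window, and only for a limited number of guesses. The SMS gateway is stubbed with a callable the caller supplies, the phone number is a placeholder, and the five-minute lifetime and three-attempt limit are assumptions chosen for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is valid for five minutes (assumed value)
MAX_ATTEMPTS = 3         # then the challenge is discarded (assumed value)


class OutOfBandVerifier:
    """Issue one-time codes over a second channel (here, a text message) and
    verify them. `send_sms(phone_number, message)` is supplied by the caller;
    `clock` is injectable so expiry can be tested without waiting."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # challenge_id -> {"code", "expires", "attempts"}

    def challenge(self, phone_number):
        """Start a challenge: generate a fresh six-digit code, remember it under
        an unguessable id, and send the code to the registered phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = {
            "code": code,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Your one-time login code is {code}")
        return challenge_id

    def verify(self, challenge_id, submitted):
        """Return True only for the right code, for a live challenge, within
        the attempt limit. A code is consumed by success or by exhaustion."""
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[challenge_id]
            return False
        entry["attempts"] += 1
        # Constant-time comparison on bytes so arbitrary input cannot raise.
        ok = hmac.compare_digest(entry["code"].encode(), str(submitted).encode())
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[challenge_id]   # single use
        return ok


if __name__ == "__main__":
    outbox = []   # stands in for the SMS gateway
    verifier = OutOfBandVerifier(lambda phone, msg: outbox.append((phone, msg)))
    cid = verifier.challenge("+000 0000 0000")   # placeholder number
    print("sent:", outbox[-1])
    print("wrong code accepted?", verifier.verify(cid, "not-a-code"))
```

The point the column makes is visible in the code path: a phisher holding only the captured account details has nothing to submit to `verify`, because the code travelled to the phone and never passed through the fake login page.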
Cumbersome? Perhaps. A perfect solution: hardly. As the war against spam has shown, no solution is perfect, and all of them introduce a little more friction into the supposedly frictionless world of online business.
Already many companies are finding it hard to communicate with their customers by email, even for serious matters. Even without us falling for its tricks, phishing has made victims of us all.