The sentencing this week of a Texas man was a notable victory for the US government in its fight against "phishing". However, a recent surge in such scams highlights the need for more than customer education, with some computer security experts calling for major changes in the way sensitive information is exchanged online.

Zachary Keith Hill, 20, was sentenced on Tuesday to 46 months in prison after pleading guilty to defrauding AOL and PayPal customers with a sophisticated online phishing con. Hill admitted he fraudulently obtained credit card and bank account numbers and defrauded consumers of US$50,000 in two phishing scams.

The customers were fooled into providing the information after receiving e-mail messages from Hill containing links to webpages that harvested personal information. The e-mail looked like official correspondence from the companies.

Such scams proliferate because online criminals, including organised crime groups, enjoy relatively high success rates from phishing crimes, which rarely result in arrest, said Avivah Litan, research director at Gartner. "Criminals feel like 'It's a lucrative, low-risk crime. So what's the harm in trying?'," she said. "They're getting a three percent click-through, whereas the success rate with spam is just half-a-percent."

"There's an incredible return on investment," said Susan Larson, VP of global content at Surfcontrol, an e-mail filtering company. "Given the seriousness of the information phishers are gathering, it's very lucrative. These people wouldn't keep doing it if it wasn't."

Gartner estimates that 57 million US Internet users have received fraudulent e-mail linked to phishing scams, and that three percent of them, or 1.7 million people, may have been tricked into divulging personal information. Despite those figures, the successful prosecution of Hill was the first conviction of a phisher by the DoJ's Computer Crime and Intellectual Property section.

One reason for the shortage of phishing prosecutions may be the relative newness of the problem. The Gartner numbers were projected from a study of 5,000 adult Internet users, which found that phishing attacks have become pervasive just in the last 12 months, accounting for 92 percent of the known or suspected attacks reported by study participants, Gartner said.

The Anti-Phishing Working Group (APWG) has also seen a steep increase in reports of phishing attacks in recent months. The industry group received more than 1,100 reports of phishing scams in April, a 178 percent increase from the previous month, said Dan Maier, director of product marketing at Tumbleweed and an APWG spokesman.

eBay does not give out statistics on phishing scams, but the company has seen a "considerable increase" since the beginning of 2003, and particularly in the last couple of months, said Hani Durzy, a company spokesman.

Like other companies with targeted customers, eBay relies in large part on reports from users to identify new scams that use its name, or that of its PayPal division. Once it has identified a scam website, the company works with the ISP hosting the site to take it down. Depending on whether the scam site is hosted inside or outside the US, it could be taken down almost instantly or stay up indefinitely, he said.

In fact, a whole new business in so-called "bulletproof" Web hosting has sprung up to keep phishers and other online scam artists in business, even after their ruse has been detected, Surfcontrol's Larson said. "These are offshore hosting companies in places like Malaysia, India and Turkey that basically say: 'We'll keep your site up, no matter what'," she said.

A problem getting worse
ISP EarthLink is expecting the number of phishing attacks using its name to double in coming months. Each of those attacks generates thousands of calls and e-mail messages to EarthLink's support staff, said Scott Mecredy, senior product manager at the company.

In recent months, the company has seen phishing scams shift from attacks created by novices - "kids with too much time on their hands" - to sophisticated cons that suggest the backing of professional and organised criminals, he said. The latest generation of phisher scams uses several methods to trick users, including pop-up graphics to mask the true Web URL of the phishing site and the installation of spyware and Trojan horse programs on victims' computers, Mecredy said.

Like many other companies grappling with the phishing problem, eBay and EarthLink are emphasising the need for better user education and trying to increase customer awareness of the problem. eBay set up a webpage to help educate customers about fraud and phishing scams, Durzy said. EarthLink also posted information that helps customers spot phishing scams, Mecredy said.

Countless other companies with links to online commerce, including Visa and digital certificate provider GeoTrust, also have published lists of tips and advice for spotting phishing scams. Both companies tell customers to be suspicious of unsolicited e-mail requests for financial information or other personal data and not to click on links within the unsolicited messages.

GeoTrust encourages consumers to look for the "padlock" symbol on Web pages when they enter sensitive information, which indicates that encryption is being used to protect information sent over the Internet. Most phishing sites do not use encryption, according to Neil Creighton, chief executive officer of GeoTrust.

Software solutions
More and more, companies affected by the phishing problem are also offering free software tools to help customers sniff out scams. eBay introduced a feature in its Web browser toolbar, a small program that runs with a user's Web browser, that flashes red when the user visits a possible spoof site. The toolbar uses a database of spoof site URLs submitted by customers and is updated "fairly quickly", Durzy said. Like eBay, EarthLink in April added a "scam blocker" feature to its Web browser toolbar that can spot and warn users about scam websites, Mecredy said.

The federal government also is taking phishing more seriously and other investigations of phishing scams are ongoing, said Chris Painter, deputy chief for computer crime at the DoJ's Computer Crime section.

Among other steps, the government is considering a large-scale move against phishers, with multiple lawsuits announced simultaneously, DoJ attorney Mendelsohn said. "You may see a general announcement to package (phisher investigations) together. It's definitely one of the kinds of cases the DoJ is targeting," he said. DoJ officials also hope that the comparatively long sentence given to Hill will deter others from setting up phishing scams, he said.

However, even stepped-up enforcement and better user education aren't likely to stop phishing attacks, which take advantage of many of the same structural weaknesses in the Internet as spam e-mail, viruses and worms, experts agree. "The phishing problem has a lot of intersection with other problems we look at, such as malicious code and spam," Mendelsohn said.

Widespread adoption of e-mail authentication technology would put a dent in phishing scams, which rely on faked sender e-mail addresses to mimic legitimate business correspondence and trick recipients, said Maier of the APWG. Microsoft's Caller ID technology and Yahoo's DomainKeys proposal are two attempts to jumpstart the introduction of user authentication across the Internet. "Almost 100 percent of phishing attacks start with spam. If you stop spoofed e-mail, you stop a huge proportion of spam," he said.

Strong encryption of sensitive e-mail messages using PKI would also help, but could ruin the experience of using e-mail, Mecredy said. Beyond that, companies can choose from various secure e-mail or anti-spam providers including Tumbleweed, Sigaba and Postini offers technology to specifically address phishing scams, allowing customers to configure their online accounts so a unique thumbnail image appears on legitimate e-commerce webpages, Litan said.

Coordination is also needed between ISPs, banks and other stakeholders to stop the problem before it undermines confidence in online commerce, Litan and others said. "The phishing problem is one that's really a collective issue - something that the Internet community as a whole should solve," said Litan.