In the Spotlight

News & Features
Your Voice
DocumentJoin the conversation with other MPR listeners in the News Forum.

DocumentE-mail this pageDocumentPrint this page
U.S. Bank combats 'phishing'
Minneapolis-based U.S. Bancorp is warning customers not to respond to bogus e-mails that are intended to trick people into giving out sensitive personal information. The e-mails appear to come from the bank and say the recipient's account has been blocked because it may have been compromised by outside parties. This sort of e-mail scam is called 'phishing,' and experts say it's on the rise.

Minneapolis, Minn. — U.S. Bank officials say the bogus e-mails went out to customers and non-customers alike. The message reminds recipients their account must always be under their control or those they designate. But it says other parties may have access or control of information in the account. The message says the recipient will have no further access to the account until they click on a link in the e-mail to verify their identity. The link connected to an official looking website that requested personal information.

Mary Blegen, U.S. Bank's manager of 24-hour banking and U.S. financial sales says banks would never send an e-mail asking for such information.

The amateurs are starting to get weeded out a bit, but the professional criminals are starting to take over.
- Dan Maier, director of marketing of the Anti-Phishing Working Group

"In this one, the first set of data is, 'Please provide us your account number.' 'Gosh, my bank or my Internet provider should know my account number.' So, it's those kinds of things that will tip you off," says Blegen.

U.S. Bank officials say personal bank accounts had not been compromised, nor were U.S. Banks' systems. But it's not clear how many people might have provided personal information as a result of the scam. U.S. Bank says it doesn't disclose such information. Blegen says she doubts many people did divulge personal data.

She says the bank will work with any customers who do give out information to stop accounts, and establish new ones.

Many Internet users are familiar with apparent scam e-mails that raise doubts with their clumsy English. But U.S. Federal Trade Commission attorney Patricia Poss says phishing schemes can be quite deceptive.

"Because the phishing scammers use the logos and the trademark images of companies that people recognize, it's very difficult to see that it's fake. It's a very sophisticated trick, really. So I would say that even the most savvy Internet user can fall for this if they believe it's legitimate," says Poss.

"It's been growing tremendously," says Dan Maier, director of marketing of the Anti-Phishing Working Group. The group was recently formed by a number of banks, Internet service providers and Maier's employer, an Internet security firm called Tumbleweed Communications. The anti-phishing group's website lists more than 20 recent attacks--many are against banks, but the list includes Internet service provider Earthlink, and retailer

"What we're starting to see is the amateurs are starting to get weeded out a bit, but the professional criminals are starting to take over because what we're seeing is the sophistication level of a lot of the phishing attacks are starting to rise considerably," says Maier.

He says the use of the target company's brand information and images may look authentic, and there may be no suspiciously bad grammar. He says some take advantage of a feature in Microsoft's Internet Explorer that allows them to portray a bogus web address as one that appears to be from the target company. And he says more are using websites based abroad.

"It tends to be pretty easy because of U.S. laws for Citigroup or US Bank to talk to that ISP and get them to shut down that website. It is a much more difficult process to get a website shut down in a country like Korea or Russia," says Maier.

The link in the U.S. Bank e-mail is no longer active.

Maier says the one of the anti-phishing group's goals is to research how much damage attacks cause, but he says there is some anecdotal information.

"One ISP I was talking to said that they estimate that on average, people who respond to these attacks and give out personal information, they lost on average about $300 per person. Not quite clear how many people fall for each attack, although we've seen response rates of up to 5 percent per phishing attack," Maier says.

He and others say people who receive such e-mails should not click on the links they provide, but should call the institution it appears to be from or go to the company's website without using the link provided.

Respond to this story
News Headlines
Related Subjects