Identity theft victimizes millions of people each year and costs businesses billions of dollars. Internet-based identity theft is a type of Internet fraud that is increasingly viewed as a significant threat to consumers and businesses. Two inter-related methods of carrying out this Internet fraud are called “phishing” and “spoofing.”
Phishing is a term coined by hackers who generate e-mails that imitate legitimate e-mails from businesses or other organizations to entice people to share personal information, such as passwords, credit-card numbers, and account information. Phishing involves the distribution of fraudulent e-mail messages with return addresses, links, and branding that appear to come from banks, insurance agencies, or other legitimate businesses. Victims typically receive an e-mail telling them they must supply some personal information to the sender via return e-mail or using a Web link.
Spoofing, as the term is applied to the Web, refers generally to the practice of setting up an illegitimate Web site that is designed to appear like a legitimate and reputable Web site. Such illegitimate Web sites typically present on-line forms for entering personal information, which is then stored and used by the operator of the illegitimate Web site for nefarious purposes. The information-gathering success of spoofing alone depends on Web surfers randomly, often accidentally, browsing to the spoofing site; thus, its effectiveness for the hacker is limited. However, when spoofing is combined with phishing, so that e-mails from the illegitimate Web site operator contain links to the illegitimate Web site, the spoofing gathers much more information for the hacker, since there is a mechanism to direct consumers to the illegitimate Web site in greater numbers. Thus, an e-mail system that guards against phishing can effectively reduce Internet fraud perpetrated by both phishing and spoofing. Spoofing can also be reduced if a Web site uses mechanisms to reliably identify itself to consumers.