Something's phishy



Sunday, July 16, 2006


LAURA GUNDERSON

The Oregonian

It slips into your e-mail box and plants a seed of doubt. Maybe, just maybe, the message is real:

"Dear valued customer, you have been chosen by the Citizen's bank online department to take part in our quick and easy five question survey. In return we will instantly credit $5 to your account."

Called spoofs, the e-mails look real, with bona fide company logos and borrowed corporate phrasing. Yet they send you to fake Web sites "phishing" for everything from your user names and passwords to your credit card numbers.

It's the latest evolution in cybercrime, which was once nothing more than pesky junk mail peddling cut-rate Viagra and knockoff Rolex watches.

Web surfers have become better about deleting spoofs that threaten to close accounts if they don't immediately respond. But fraudsters are getting smarter, too.

Almost as soon as one spoof fails, a new generation pops up with ever more tricky appeals and sinister scams, some that can even sneak into computer systems when they're turned off.

"It used to be Internet 'crime' was about looking cool and proving how elite of a hacker you were," said Greg Hughes, chief security executive with Corillian, an online banking and fraud company based in Hillsboro. "Crime on the Internet has evolved from a reputation thing to criminal enterprise."

The early days of the Web, dominated by pay-per-minute Internet service providers, spawned phishing.

Some fraudsters who didn't want to pay figured out how to send e-mails to America Online customers that looked as if they were from the company's billing department, said Jacob Ratkiewicz, a computer security researcher at Indiana University. To keep AOL accounts active, the fake e-mails warned, users had to respond with user names and passwords.

Easy as that, the cyberthieves picked up all the information they needed to log on for free -- in many cases, without the original user ever finding out. Of course, free Web surfing was only the beginning.

More nefarious Internet crooks soon saw the potential money to be made by getting access to credit card numbers, Social Security numbers and banking data. Fake e-mails began slipping through spam filters with familiar-sounding -- but forged -- return addresses such as support@amazon.com and 5thvtc@alert.bankofamerica.com, and with links whose visible text names the real company while the link itself leads somewhere else.
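The two tricks described above (a forged sender address and a link that displays one site but leads to another) can be checked mechanically. The script below is an added example, not anything from the article or from the companies it names: it parses a constructed sample message, compares the Reply-To domain with the From domain, and flags links whose visible text names a different site than the one the href actually points to, or whose hostname embeds the sender's brand as a subdomain of an unrelated domain. The sample message, the `.example` hostnames and the "last two labels" rule for a registered domain are assumptions for illustration; a real deployment would use a public-suffix list.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the spoofs the article describes; it is not a
# real message, and the hosts are illustrative (.example is a reserved TLD).
SAMPLE_SPOOF = """\
From: Bank of America Alerts <5thvtc@alert.bankofamerica.com>
Reply-To: confirm@bofa-secure-login.example
Subject: Quick five question survey
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear valued customer, confirm your details at
<a href="http://bankofamerica.com.secure-verify.example/login">https://www.bankofamerica.com/</a>
to receive your $5 credit.</p>
<p>Survey: <a href="http://www.bankofamerica.com/survey">bankofamerica.com/survey</a></p>
</body></html>
"""

# Link text that looks like a URL or bare domain ("bank.com/login").
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list is
    available offline, so names like bank.co.uk would need a real list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL, or of URL-looking link text such as 'bank.com/login'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def address_domain(header_value):
    """Domain part of the first e-mail address found in a header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def analyze(raw_message):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw_message)
    findings = []
    sender = registered_domain(address_domain(msg["From"]))
    reply_to = registered_domain(address_domain(msg["Reply-To"]))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    parser = LinkCollector()
    parser.feed(msg.get_payload())  # single-part message: payload is the HTML body
    for href, text in parser.links:
        if not href:
            continue
        target = host_of(href)
        # 1. The visible text names one site, but the link goes to another.
        if URL_LIKE.fullmatch(text) and registered_domain(host_of(text)) != registered_domain(target):
            findings.append(f"link text shows {host_of(text)} but points to {target}")
        # 2. The sender's brand appears as a label inside an unrelated domain.
        if sender and sender in target and registered_domain(target) != sender:
            findings.append(f"lookalike host {target} embeds {sender}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_SPOOF):
        print("WARNING:", finding)
```

Run against the sample, the script reports the mismatched Reply-To and both problems with the first link, and says nothing about the second link, whose text and target agree. The visible-text check is the one worth keeping in front of users: a lookalike host is easy to miss by eye but trivial to compare in code.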

The numbers keep rising. In May, the Anti-Phishing Working Group, a collection of law enforcement agencies, retailers, Internet service providers and financial organizations, recorded the highest number yet -- 20,109 -- of unique, documented spoofs, and its highest count -- 137 -- of companies whose identities had been misappropriated for use in fake messages.

Internet service providers Yahoo and MSN have been targeted, along with retail-oriented Web sites, including PayPal and Best Buy. But 92 percent of spoofs mimic large banks, such as Bank of America and Washington Mutual.

Over the past year, crooks took aim at smaller banks and credit unions -- phishers e-mailed members of Oregon's largest credit union, OnPoint Community Credit Union, in February.

By year's end, federal banking guidance calls for banks to go beyond a password alone when authenticating online customers. Companies have also begun educating customers, including eBay and PayPal, which, spokeswoman Amanda Pires says, has helped users avoid being phished.

But Ratkiewicz, from Indiana University, recently sent a spoof e-mail of his own to 200 eBay sellers asking for their user names and passwords. Eleven percent of the sellers fell for it and supplied their log-on information; the experiment had a margin of error of plus or minus 3 percent.

Meet the phishers

Investigators say computer-savvy U.S. teens and twentysomethings hunkered in basements and hankering to cause trouble are behind some frauds.

But a large and growing share are well-organized schemes executed by Eastern European and Russian crime rings, along with a recent emergence of spoofs from North Korea.

"My first phishing case was in October 2001, and since then I've been to Eastern Europe so many times I can't even keep track anymore," said Greg Crabb, a postal inspector for the U.S. Postal Service.

The criminals often work with other bad guys stationed at computers around the world. One may buy lists of valid e-mails. One creates the spoof. One works up the Web page. And one cashes out with any collected data.

The Russian mafia sells a $1,000 kit for malicious Web site owners that searches surfers' computers for any data from big banks -- for more money, it searches for dozens of smaller banks, Ratkiewicz said. Programs installed by the bad guys then spy as users check online accounts.

Postal inspector Crabb said the old-school axiom of follow-the-money still applies to high-tech crime, yet investigators must work closely with foreign countries with varying degrees of Internet fraud laws and different levels of evidence-gathering required.

In the U.S., phishers can face stiff sentences: up to 30 years' imprisonment under the wire fraud and bank fraud statutes and up to 15 years' imprisonment for identity theft and credit-card fraud, according to the U.S. Department of Justice.

Along with the U.S. Postal Service, Pires said, eBay's investigators often team with the FBI, U.S. Customs and, for international investigations, Interpol. Teaming up, she said, has led to hundreds of arrests, and her company can now shut down phishing sites in about four hours -- longer when it's international.

In one case, her company's investigators flew to Romania and, working with law enforcement, tracked down some phishers at a sidewalk cafe where they were doing their dirty work.

Pharmers

The newest scams continue to be known by cutesy names, such as spear phishing and pharming, yet they feature ever more frightening machinations.

In the case of spear phishing, some fraudsters are directly targeting individuals rather than sending out mass e-mails.

One trick is to figure out what someone recently purchased, based on the feedback left on some retailing Web site. Then fraudsters send a personalized e-mail offering supposed deals on similar products. Con artists can even find data such as first names, mother's maiden names and all of your friends' names listed on sites such as MySpace.com to personalize pitches.

Links attached to spoof e-mails increasingly send folks to Web sites that secretly download programs that track the keys users type or what pages they view.

In one newer spoof, recipients are told they have earned eBay's coveted "PowerSeller" status and can confirm it by just clicking here. Another, mimicking Microsoft, offered a chance to test some cool new software with a click there. But instead of a new program, folks get a file that turns off their anti-virus software.

The strangest scam of the future ditches e-mail entirely. In pharming, fraudsters trick a computer into calling up a fake site even after the user has typed in the correct Web address, by tampering with the lookup that turns that address into a server location, either in the computer's own hosts file or at the DNS server it relies on. While users work unknowingly on the wrong page, con artists can track keystrokes or peek into their hard drives.
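The local variant of pharming leaves a trace that can be audited: a hosts-file entry that pins a bank's name to an attacker's address. The script below is an added example, not code from the article or from any vendor it mentions. It parses a constructed sample hosts file and reports any watched domain mapped to a real (non-loopback, non-unspecified) address; the watched list, the sample file and the "last two labels" rule for a registered domain are assumptions for illustration, and the 192.0.2.0/24 addresses are the documentation range standing in for a phisher's server. It does not cover the other variant, a poisoned DNS server, which would need the resolver's answers compared against a trusted source and cannot be shown offline.

```python
import ipaddress
import os
import platform

# Constructed sample hosts file, not taken from any real machine.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1    localhost
::1          localhost ip6-localhost
10.0.0.5     intranet.corp.local          # private-network alias, not a bank
192.0.2.44   www.bankofamerica.com bankofamerica.com   # pharming-style override
192.0.2.44   online.wamu.com
0.0.0.0      ads.example                  # ad-blocking sinkhole, harmless
"""

# Brands named in the article; a real deployment would list the sites its users bank with.
WATCHED = {"bankofamerica.com", "wamu.com", "paypal.com", "ebay.com"}


def hosts_path():
    """Location of the hosts file on the current platform."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip, name) for every name on every non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """Loopback or unspecified addresses only block a name; they cannot redirect it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def registered_domain(name):
    """Last two labels; assumes no public-suffix list is available offline."""
    labels = name.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def audit_hosts(text, watched=WATCHED):
    """Return (name, ip) pairs where a watched domain is pinned to a real address."""
    return [
        (name, ip)
        for ip, name in parse_hosts(text)
        if registered_domain(name) in watched and not is_sinkhole(ip)
    ]


if __name__ == "__main__":
    path = hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = audit_hosts(fh.read())
    for name, ip in hits:
        print(f"WARNING: {path} sends {name} to {ip}")
    if not hits:
        print(f"{path}: no watched domains overridden")
```

On the sample it reports the three bank names pointed at 192.0.2.44 and ignores the intranet alias and the ad sinkhole. Run without arguments it reads the real hosts file for the current platform; any hit means the browser will reach the attacker's server no matter how carefully the address was typed.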

Security experts say pharmers are close to finding ways to install this software wirelessly through home routers. That means spying programs could hide in your router until the computer is turned on and the door opens wide on your hard drive.

"I'm not sure if this will scare people away from the Internet," said Bruce D. Weinberg, associate professor of marketing and e-commerce at Bentley College in Waltham, Mass. "It's like how you hear the statistics that when it's broken down per-mile, airplanes are the safest form of travel.

"But when a failure does happen, you don't typically survive it," he said. "Internet fraud is kind of the same way, when fraud does happen, the damage is severe and that experience definitely turns you off."

Laura Gunderson: 503-221-8378; lauragunderson@news.oregonian.com; www.oregonlive.com/weblogs/windowshop


©2006 The Oregonian