by Manuelita Beck
Daily Lobo columnist
According to my inbox, my LaSalle Bank account has seen suspicious activity - by possible terrorists, drug dealers or money launderers.
I'm supposed to click on an e-mail link to verify my identity, or I won't be able to access my account.
Yeah, right.
One, I don't have an account at LaSalle Bank - if it exists. Two, I've gotten this message several times in one week. Three, I'm familiar enough with e-mail scams to know better than to click a link and enter in confidential information.
Apparently, other people are more trusting.
According to a study by the Gartner research firm, identity thefts from this practice, known as phishing, cost banks and credit card issuers $1.2 billion in 2003.
Two graduate students at Indiana University conducted an experiment last week using phishing.
Searching publicly available information, they mined e-mail addresses of fellow Indiana students and their friends.
The two then sent out e-mails that appeared to be from people's friends, but were not sent from those accounts.
Get content from The Daily Lobo delivered to your inbox
The e-mails, with their "spoofed" return addresses, directed people to a Web link. The Web page, hosted on the university's server, asked students to type in their usernames and passwords.
According to the blog set up by the graduate students who conducted the study, about 70 percent of the recipients clicked on the link.
The percentage of students who provided usernames and passwords wasn't posted. The study's results haven't been completed, according to the blog.
The Indiana students aren't alone. According to a study last year by Gartner, phishing works.
The study said an estimated 57 million people have likely experienced a phishing attack. It also said 19 percent of people clicked on the link in a phishing e-mail.
Scarily, the study said 3 percent entered their personal information.
That's like giving your wallet and your Social Security card to the first person who comes up to you and says he or she is from Visa.
The Indiana study caused an uproar on the university's campus. People are furious they weren't asked to participate in the study and are upset at being conned.
However, the study was approved by IU's Human Subjects Committee, which reviews all experiment proposals involving human subjects. It gave the grad students permission to conduct the study without consent. And given the nature of phishing, getting consent would defeat the purpose of the experiment.
An article in Tuesday's Indiana Student Daily quotes one student saying she felt "used" by the study.
Posters to the study's blog have complained about having their identities "stolen." Some are even talking about lawsuits.
All the complaining overshadows what the study demonstrates - people's inherent trust of e-mail.
Phishing works because people don't question e-mails. They often appear to be from legitimate businesses, such as PayPal or eBay. My e-mails from "La Salle Bank" say they come from an address that ends in "lasallebank.com."
And - news flash - e-mail isn't secure.
It's not hard to make it look like an e-mail came from someone else. You don't even need to hack into someone's account to make it look like that person has sent you an e-mail.
People need to get smarter about their personal information. Phishing has been around for a long time in snail-mail scams and bogus telemarketing.
My favorite phishing con, the Nigerian Scam, originated in snail mail. This swindle asks you to help out a government, bank or family in Nigeria by allowing them to transfer millions of dollars into your bank account. If you help, you'll get to keep a large percentage of the money. According to Snopes.com, an urban legend reference site, the scam used to be sent postmarked from Nigeria and other countries to addresses taken from large mailing lists.
It's a lot easier to scam someone when you don't have to worry about arranging foreign postmarks, especially when you can send thousands of e-mails in seconds.
So much of our financial life can be conducted online that we think nothing of going to a Web site and logging into our bank account.
But we should think about it. The technology that makes things more convenient for us also makes it easier for others to trick us. Why make it simpler for the con artists by making stupid decisions?
