The number of phishing websites associated with online identity theft grew by 33 percent in November 2004, according to data compiled by the Anti-Phishing Working Group (APWG). After dropping off in September and early October, the growth in phishing sites returned to levels last seen in August.

The APWG received reports of 1,518 active phishing websites during November, up from 1,142 in October. Reports of such sites have grown by an average rate of 28 percent a month since July, as scam artists broaden their efforts to lure the customers of companies that do business online, says Peter Cassidy, the group’s secretary general.
The APWG is an industry group of representatives from law enforcement and private sector companies. It counts leading ISPs, banks and technology vendors among its members.

Phishing scams use spam to direct internet users to websites that are controlled by thieves, but appear to be legitimate e-commerce sites. Victims are asked to provide sensitive information such as a password, bank account information or a credit card number, often under the guise of updating an account.

Customers of 51 online brands were targeted by such scams in November, compared with only 44 in October, Cassidy says. Just six companies drew more than 80 percent of all phishing attacks.

The APWG no longer publicly identifies the organisations that were the most popular targets of phishing scams, citing resistance from the group's industry members. However, eBay and Citibank have been major targets in the past.

Phishing attacks have emerged as a potent threat in 2004. More than 18 million email messages linked to the attacks have been stopped this year by MessageLabs. Industry groups have responded by calling attention to fresh attacks and shutting down phishing websites.

As in past months, the US was again the most frequent host of fraudulent websites, Cassidy says. In response, leading companies, such as Microsoft, America Online and VeriSign, have teamed up with law enforcement agencies, including the FBI and secret service. Under the banner of Digital PhishNet, the collective aims to improve coordination when identifying and closing US phishing sites.

Phishing attacks may spike during November and December – busy shopping months in the UK and the US – but the increasing number of anti-phishing tools and initiatives should bring the number of attacks down in 2005, according to Neil Creighton, chief executive officer of GeoTrust, a provider of online digital certificates.

Like other companies, including ISP Earthlink and eBay, GeoTrust distributes a free web browser plug-in that warns users when they visit phishing sites. Such utilities, coupled with the efforts of groups such as the APWG and Digital PhishNet, will make life harder for online scam artists, and prompt consumers and merchants to become more aware about online identity verification, Creighton says.