Security breach

Published: Monday, August 25, 2008 at 1:00 a.m.
Last Modified: Monday, August 25, 2008 at 12:36 a.m.

The call came in to Will Rauschenberger’s cell phone around 7 a.m. His account at Sarasota Coastal Credit Union had been suspended, and he needed to call a provided number right away.

Immediately wary, Rauschenberger waited until Sarasota Coastal opened, and then phoned to ask about the alert. It was, as he suspected, a scam.

“It was a little alarming to me, but it still didn’t sound right,” he said. “It was odd that I got the call on my cell phone, which is not listed, and that anybody would know I have an account with Sarasota Coastal Credit Union.”

Sarasota Coastal received several dozen calls about the “phishing” scam, an obvious attempt to get customers to reveal personal information that could be used to access their accounts.

The credit union quickly e-mailed warnings to the 10,000 members signed up on its e-alert system, said Tom Randle, the credit union’s chief executive officer. Law enforcement authorities were also notified.

The phone number provided turned out to be from Quebec.

“To the best of my knowledge, we’ve suffered no losses nor have any of our members,” Randle said 10 days later. “It was just one of those random, shotgun, automated dialing approaches. I guess they’ve moved on to the next target.”

Phishing hooking millions

Phishing — the term for Internet scammers who use e-mail to “fish” for passwords and financial data — continues to hook millions of consumers.

“The e-mail phishing scams are always out there, but the new twist is the automated phone calls,” said Melody Shimmell, vice president of risk management/fraud at Century Bank in Sarasota.

“I’ve seen several of those alerts from all over the country,” she said. “This kind of dialing for dollars on automated systems is pretty scary.”

Victims can lose more than just money from their bank accounts or credit cards. Many of the scammers are identity thieves, looking for ways to steal a person’s identity for an even bigger haul — such as opening new accounts and applying for loans.

It can take ID theft victims months, even years, to repair the damage.

An estimated 3.6 million Americans lost $3.2 billion in phishing attacks in 2007, according to the latest report by technology research company Gartner Inc. That was up from 2.3 million victims the year before.

The scammers appear to be getting better.

Among consumers who said they received phishing e-mails last year, 3.3 percent said they lost money from an attack, up from 2.3 percent in 2006 and 2.9 percent in 2005, Gartner said.

“Phishing attacks are becoming more surreptitious and are often designed to drop malware that steals user credentials and sensitive information from consumer desktops,” said Avivah Litan, vice president at Gartner.

“Anti-phishing detection and prevention solutions are available but not utilized widely enough to stop the damage.”

The average loss per incident was $866, down from $1,244 but only because there were more victims. One positive note: 1.6 million victims recovered about 64 percent of their losses last year, up from the 1.5 million who recovered 54 percent the year before.

PayPal, the online payment service, and auction site eBay continue to be the most targeted brands.

But scammers still use banks, charities, foreign businesses and even the Internal Revenue Service to snare victims.

With phone-call hoaxes, the caller may be sitting in Canada but the target’s caller ID shows a different, legitimate name and phone number.

“They are better financed, better trained and more technologically advanced than the good guys, which is what makes this such an uphill battle,” Shimmell said.

In July, the IRS warned taxpayers that identity thieves were using the agency’s name in e-mails and faxes for phony requests involving either tax refunds or the economic stimulus payments.

Nearly 700 taxpayers reported phishing incidents to the IRS in May and June, part of the 1,600 complaints so far this year.

In the tax refund scam, bogus e-mails provide a link for the recipient to file a refund claim form. It asks for personal information that would lead to accessing a credit card.

In the new economic stimulus check scam, taxpayers receive a phony IRS e-mail or fax asking for checking or savings account information to deposit the payment.

‘Shopper’s Sweepstakes’

Scammers recently used Century Bank to bilk money from consumers via a phony contest, Shimmell said.

Consumers received checks, drawn from a Century account, after “winning” a “Shopper’s Sweepstakes” or similar contest. The recipient is told to deposit the check and then return 10 percent via a Money Gram to cover taxes.

The deposited check — it used legitimate account and routing numbers but phony corporate names — eventually bounces, and the depositor is out the money sent back.

The checks ranged from $3,875 to $4,890, she said.

“Not a single check paid, or it could have been a horrendous nightmare,” Shimmell said.

“We had to close the account, and the customer had to change it.”

A recent report suggests that some banks may unwittingly expose their online customers to revealing passwords and other sensitive account information.

A University of Michigan study of 214 U.S. bank Web sites found many banks silently redirect their online customers to third-party sites, plop “secure login” boxes on insecure Web pages, and improperly use Social Security numbers or e-mail addresses as user names.

Experts say all of these banking tactics can put customers at risk.

“Conventional wisdom is that the clients — or PCs — are inherently insecure devices,” said Litan of Gartner.

“What this study shows is that the servers — or the bank and other consumer-facing Web sites — are also inherently insecure.”

