Some of the e-mails say they're from bank security, and they ask for ATM card numbers and PINs to "protect" the customer; others take victims to a bogus Web site that looks very much like Fleet's.

01:00 AM EDT on Tuesday, April 27, 2004

BY TIMOTHY C. BARMANN
Journal Staff Writer

Fleet Bank customers are being targeted by nearly two dozen Internet scams designed to trick even experienced users into divulging ATM card numbers and passwords.

Some of the scams are so sophisticated that they present victims with bogus Fleet Web sites that are virtually indistinguishable from the real thing.

Like most Internet swindles, the Fleet scams arrive by e-mail and inform the recipient that they need to click on a link to "update" or "confirm" some of their account information. The e-mail often contains the Fleet logo, making it appear authentic.

Some of the scams are sent under the guise of bank security in order to "protect" the customer, such as this one, addressed to "Dear customer of Fleet."

"The recent cases of fraudulent use of clients accounts forced the technical services of the bank to update the software. We regret to acknowledge, that some data on users accounts could be lost. The administration kindly asks you to follow the reference given below and to confirm your data. You must complete this process by clicking on the link below and entering your Fleet ATM/Debit Card number and PIN that you use on ATM. This is done for your protection . . . However, failure to login in the popup window will result in account suspension."

The link brings up the real Fleet HomeLink Web site. But then, a small pop-up window appears on top, with the heading "Customer Login." It also has the Fleet logo, and it asks the user for his Fleet card number, ATM password and card expiration date.

Once a user clicks on the log-in button, the information is sent to a Web site in Romania, according to MillerSmiles.com, a site that tracks such scams.

FleetBoston is aware of the scams and is aiding the U.S. Secret Service with its investigation, said Betty Riess a spokeswoman for Bank of America, the parent company of Fleet.

"This is kind of new twist on an old scam," Riess said. It's really a matter of consumer education and awareness."

This type of scam is known in the Internet parlance as "phishing."

Phishing attacks are typically sent by e-mail directing the recipients to a phony Web site and asking them to enter private financial information, such as credit card, Social Security and bank account numbers. The information is then used to commit identify theft and credit card fraud.

Besides Fleet, customers of many financial services and e-commerce companies have been targeted. Last month, there were 110 distinct phishing scams targeting eBay users, according to the Anti-Phishing Working Group, an industry association dedicated to fighting phishing, identity theft and e-mail fraud.

Those who launch the attacks work like spammers. They e-mail messages to thousands or millions of e-mail addresses, hoping to net a few victims.

The success rate is as high as 5 percent for some scams, according to the Anti-Phishing Working Group.

"It's a highly effective way to steal this information," said Dan Maier, a spokesman for the San Francisco-based organization. The group's members include financial services companies, Internet service providers, law enforcement agencies and others, Maier said.

Phishing attacks are becoming more common and more sophisticated, Maier said.

FBI OFFICIALS took notice of the problem last summer and issued an alert.

"Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet," said Jana Monroe, assistant director of the FBI's Cyber Division, in a statement issued last July.

In March, there were 402 new phishing attacks reported to the Anti-Phishing Working Group, a 43-percent increase over the number of attacks reported in February, the organization said in a report issued this month.

There was a surge in the number of Fleet Bank scams reported last month, the report said. It catalogued 23 different scams directed at Fleet customers in March, making Fleet the fourth most-targeted company for the month.

The highest number of scams were aimed at eBay customers, followed by Citibank and PayPal.

The most recent attacks can be especially deceiving because they use programming tricks to spoof the real address shown on a Web browser's address bar.

In other words, clicking on a link from one of these scam e-mail messages could bring up a Web page that looks real and has an address that looks legitimate, such as Fleet.com. But the browser is really showing a fake site.

There doesn't appear to be the equivalent of anti-virus software to guard against phishing attacks.

Bank of America's Riess said that customers should think twice before clicking on a link in an unsolicited e-mail message.

"We recommend to people if they have a question about something being valid, don't click on the link," she said.

"You can type in the company's home URL directly to determine whether or not the email is legitimate."

Internet users should also update their Web browser software to the most recent versions. Many scams exploit a bug in Microsoft's Internet Explorer that makes it possible to spoof the browser's address bar. (Test whether your browser can be spoofed by going to

http://secunia.com/internetexploreraddressbarspoofingtest/

All the words after a slash are separated by the underscore character.)

Some companies, such as eBay, have released browser add-ons that will alert you when you visit a site that purports to be an eBay site but really isn't.

Maier said that there are proposals being discussed by industry groups that could lead to a more comprehensive solution, such as the use of "digital signatures" in e-mail that would validate the sender of the message.

Another idea is for a targeted company to use a certain picture on its Web site that won't show up on a bogus Web site.

"Use common sense about giving out financial information, the same way you would if someone called you and asked you for your credit card," Maier said.

Timothy C. Barmann covers technology, utilities and energy. Contact him at tim [at] cybertalk.com