If your e-mail smells 'phishy,' hit the delete key

They almost got me. The e-mail from PayPal said that my account had a problem. To correct some faulty information, I was instructed to click on a link included in the message. Well, I didn't have a PayPal account, but I knew my wife did. Perhaps she had given my name or e-mail address as a backup.

But my spider-sense was tingling, so I decided not to use the link, but to visit PayPal's website directly. And that's when I saw the notice about the scam. Someone had been phishing, and I was almost hooked.

No, it's not a misspelling. Phishing has become the most pervasive form of criminal activity on the Internet today. Using a variety of methods, phishers send out e-mails that look like they are from legitimate companies or organizations. The messages lead people to fake websites where they try to collect personal financial information.

In the 10 years that phishing has existed, it's grown from rather clumsy operations to much more sophisticated endeavors. Law enforcement officials believe some are run by organized crime rings from around the world. According to one recent estimate, computer users in the US lost more than $929 million to these scams over one 12-month period.

These days the phishers also plant software (known as 'crimeware') on people's computers that record their keystrokes. The information is then sent back to scammers. Another trick is to get people to visit the actual websites of a company, but through a means created by the phishers which allows them to record your keystrokes.

According to the Anti-Phishing Workgroup (www.antiphishing.org), a record 9,715 phishing sites were reported on the Web in January. About 80 percent of these scams involved six well-known brands. (One that I have been receiving recently was a regular stream of e-mails telling me about problems with my "Chase" account.)

The vast majority of these operations are based in the US, with Korea and China close behind. And here's a mind-boggling stat: Most of these sites only last an average of five days. So these folks run the scam, hook as many people as they can, and then get out of Dodge before the law can catch them.

Phishing is increasingly becoming a concern to Internet users, says Joe Laszlo, senior analyst for Jupiter Research in New York. When consumers were asked recently about what bugged them about the Internet, 53 percent said spam (no surprise there), but 35 percent said phishing, Mr. Laszlo notes.

"No matter how Internet savvy you are, all it takes is one time for a scam to fool you," he says. "And there is no depth to which the phishers won't sink. They will do anything to trick you."

After hurricane Katrina struck last year, numerous e-mails spoofing the Red Cross appeared, as phishers tried to take advantage of people's desire to help people in the Gulf Coast. Recently, these scam artists have been spoofing the IRS in an attempt to use tax season as a way to trick people into divulging their personal information.

Software companies and law enforcement agencies are trying to do something about phishing. Last week, Microsoft announced it was taking legal action against 100 phishing operations based in Europe, Africa, and the Middle East. This follows a similar initiative by the company against 117 suspects in the US.

And in late February, AOL used a new Virginia antiphishing law to go after 30 phishers working for three international groups.

The increase in phishing is also behind the move by companies like AOL and Yahoo to offer "certified e-mail," Laszlo says. This type of e-mail costs a certain amount per message but ensures that the message comes from the people who sent it. The idea of paying for e-mail of any kind has raised objections from consumer groups and free-speech advocates. But it was recently endorsed by the Red Cross, after its experience with the Katrina scam.

Regardless of whether certified e-mail becomes a reality, you remain your own best protection against phishing. Beware any e-mail from a bank, financial company, or even the IRS, which indicates you need to visit their site to "fix" a problem, or because your "account is about to expire." Don't act, until you visit the company's website first, or call it on the phone, to find out if any alerts exist about phishing scams. Better to take extra time examining the worm on the hook, than being caught, landed, and gutted by an expert phisher.