Britain makes a first 'phishing' arrest

Police say their suspect tried to steal personal data from customers of an online banking site, though the bank says only a "handful" of its clients actually gave away information.

British police have made one of the first arrests in connection with an Internet scam known as "phishing," which is plaguing the fast-growing Web-banking business.

A 21-year-old man is accused of trying to steal the banking details of customers at U.K. Internet bank Smile, authorities said Thursday.

During the past year, crafty programmers have been honing phishing scams by creating bogus e-mails and increasingly realistic Web sites where they try to con Internet customers out of their bank details or credit card numbers.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

"It is believed this man was a copy-cat phisher and is not connected to the organized crime group that is behind the global swathe of phishing scams targeting bank users in Australia, New Zealand, the U.K. and the U.S.A.," the United Kingdom's National Hi-Tech Crime Unit (NHTCU) said in a statement. The NHTCU said officials from the Co-Operative Bank, who operate, reported the scam last month to police.

A Smile spokesman said a "handful" of the bank's 500,000-plus customers supplied their details to the bogus site. "My understanding is nobody has lost any money," he added.

Some of the largest retail banks in the world, including Barclays, Lloyds TSB and NatWest, have been hit by the scam over the past year. Another favored target is eBay's online payment service, PayPal.

In most cases, the scammers create elaborate-looking e-mails masquerading as official notices from a bank or retailer saying the recipient's account needs to be updated or that a new product is on sale.

A link is provided in the e-mail to an official-looking Web site, where the customer is instructed to input account details and credit card numbers.

Online banks regularly post warnings on their Web sites that, as a matter of policy, they will never e-mail customers asking them for their banking details.

Still, as the fraudulent solicitations and sites are perfected to look more and more authentic, police are warning the public to be hyper-vigilant.

Len Hynds, the head of the NHTCU, said "phishing" scams now represent about 25 percent of the unit's caseload, adding that since January banks and retailers have been reporting an average of two warnings per week.

Ed Barlow, a technology director for Web security firm Kavado, said a powerful new phishing variation has emerged in the past three months in which fraudsters have taken over a genuine Web site and had the user's inputted details diverted to a storage point under scammers' control.

In the realm of online fraud, he said, this example is relatively rare at the moment. But at a security trade show in London this week, he demonstrated how it could be done using a mocked-up Web site.

Security specialists and police repeatedly warn Internet users not to click on e-mail links unless they are certain of the sender.

Barlow goes a step further, suggesting a remedy that will not please e-mail marketers.

"If you are going to go into a Web site, go in directly through a Web browser, not through an e-mail link," he said.

Story Copyright  © 2004 Reuters Limited.  All rights reserved.