Phishing, e-mail money laundering scams on the rise

Security experts say they're detecting a marked increase in online scams amid the economic downturn.

As the economy worsens and more people get laid off, online fraud and financial scams are rising, security experts say.

Many of the scams lure people in with promises of quick and easy money. For instance, recent months have seen a marked increase in money mule recruitment scams, which enlist people to transfer funds online between countries, and in other illegal work-related spam, security firm Panda said on Thursday. Such offers promise $225 or more a day for what they call "rebate processing" work at home.

"The schemes are aimed at people who are desperate in rough times and who are likely to respond as they lose jobs," said Ryan Sherstobitoff, chief corporate evangelist at Panda.

While the U.S. unemployment rate increased by over 6 percent between August and October, reaching a 14-year high of 6.5 percent, dubious work recruitment scams rose 514 percent over that same period, according to statistics from the Honeypot Project, a security-focused research group.

Those types of recruitment spam hit an all-time high as a percentage of total spam, topping 0.31 percent, up from 0.23 percent the previous month and 0.13 percent in August, according to PandaLabs, the malware analysis laboratory of Panda.

Meanwhile, the success rate for the money mule operations in North America was on average 66 percent higher than the success rates of such scams in other regions, said PandaLabs, which analyzed a sample population of seven large mule networks around the world. Recipients respond to about one in three of the money mule e-mails, Sherstobitoff said.

[Image: This is an example of a money mule laundering e-mail, the type of which has risen along with the U.S. unemployment rate, PandaLabs says. Credit: PandaLabs]

In the money mule scams, e-mails offer jobs as independent contractors and commissions for processing rebates that are supposedly from purchases made at legitimate companies. "Applicants" are asked to provide their bank account information and are then instructed to wire money that is deposited into their accounts to drop boxes via Western Union, said Sherstobitoff.

Rather than processing actual rebates, the operation is designed to launder stolen money from one country into another through legitimate bank accounts, he said. The "contractor" may or may not receive a small sum in exchange, but it won't be enough to make up for the risk posed by participating in an illegal scheme, he said.

Also believed to be related to the economic downturn is a spike in phishing attempts, whereby fraudsters lure people into providing sensitive bank and personal information on malicious Web sites that appear to be legitimate bank sites. The phishing e-mails lately have been made to look like they come from banks that have been involved in mergers, such as Chase and Washington Mutual, and are preying on bank customers who may be confused.

Over the last month there has been a significant increase in phishing attacks, that is, in newly discovered malicious Web sites that victims are directed to via e-mail, according to security firm Cyveillance.

The daily average number of phishing attacks detected has risen from 400 or fewer in the first quarter of 2008 to more than 1,750 in the past month, the firm said. On one day the number of attacks spiked to greater than 13,000, said Cyveillance, which helps commercial customers get phishing sites taken down.

It is unknown how many people are actually falling for the phishing scams and losing money, said James Brooks, director of product management at Cyveillance.

The attacks are easy to do once e-mail addresses are obtained, and the risk of getting caught is incredibly small while the payoff can be huge, he said.

"Phishers are getting rich and are very organized," Brooks said. Meanwhile, "no one is going to jail over it."

Firefox and Internet Explorer have built-in features that warn Web surfers when a site they are visiting is potentially harmful, and Google has a Firefox extension that alerts people when a page appears to be requesting personal or financial information under false pretenses.

"None of these (technologies) is foolproof, but they're a step in the right direction," Brooks said.