Wednesday, May 30, 2007

Privacy Watch: Phishing Anxiety May Make You Miss Messages

Swarms of bogus electronic missives deter people from accepting legitimate e-mail.

"Washington Mutual Security Warning." "Verify Your PayPal Account." "Official Information From Wells Fargo." You've been bombarded by e-mail messages with headers like these so often that you may now assume that they're all phishing scams. But what happens if your bank or an online vendor does need to contact you by e-mail? Will you even open the message?

If you're like most people, you've probably grown so disgusted with the daily attempts to con you into divulging your personal data that you may now unwittingly throw out some legitimate messages along with the fraudulent ones.

The percentage of people who open legitimate HTML messages from companies--the so-called "open rate"--has dropped by 20 to 30 percent over the past year, according to MarketingSherpa, an online publication that covers the marketing industry.

"We have been noticing in general that open rates across HTML e-mail have been unexpectedly plummeting," says Anne Holland, MarketingSherpa's publisher. (There are no statistics available regarding how many people open plain-text marketing messages, because those messages can't be tracked in the same manner.)

You probably know the best defense against phishing: Don't click any of the links within a suspicious message. Instead, type the URL into your browser's address bar, log in as you normally would, and then check to see whether your account has problems.

But companies have to find better ways to communicate securely with their customers. Some businesses are using small dedicated applications to get messages to customers, Holland says. "If [banks] can get people to download an application for banking and keep that on their computer, that might get past phishing."

Another option is for a firm to post messages to customers in a secure portion of its Web site. That way customers can get important news when they log into their account and know it's legitimate.

Finally, more businesses need to adopt measures to counter phishing attacks. For instance, some bank Web sites can detect when a phishing Web site tries to load the site's graphics and can prevent the images from displaying properly in the victim's browser.
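
One way such detection can work, shown as an added example that is not from the article or from any bank's code: the image server inspects the HTTP Referer header and substitutes a warning graphic when a page on a foreign host embeds the image. The Referer-based mechanism, the hostnames and the alert fields are assumptions made for illustration.

```javascript
// Added example: Referer-based check for requests to a site's own graphics.
// Hostnames and the alert record format are constructed for illustration.
const OWN_HOSTS = new Set(["www.bank.example", "bank.example"]);

// Decide how to answer a request for one of the site's images.
// Returns { action, alert } where action is "serve" or "serve-warning".
function classifyImageRequest(headers, clientIp) {
  // Node.js lower-cases incoming header names, hence "referer".
  const referer = headers["referer"];

  // Browsers, proxies and privacy tools often strip the Referer header, so
  // its absence proves nothing: serve the real image.
  if (!referer) return { action: "serve", alert: null };

  let host;
  try {
    // Normalise case and drop a trailing dot before comparing.
    host = new URL(referer).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    // Unparseable value: serve normally and raise no alert.
    return { action: "serve", alert: null };
  }

  // Exact match against our own hosts. A suffix or substring test would
  // accept look-alike names such as "bank.example.login-check.test".
  if (OWN_HOSTS.has(host)) return { action: "serve", alert: null };

  // A page on another host is embedding our graphics. Serve a placeholder
  // and record the embedding page so the anti-fraud team can review it.
  return {
    action: "serve-warning",
    alert: { embeddingPage: referer, embeddingHost: host, clientIp },
  };
}
```

A deployment that also sends HTML e-mail with images hosted on the same server would need to allow the webmail hosts that render those messages, or keep mail images on a separate endpoint.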

It's unlikely that anything will completely eliminate phishers, but if companies want customers to treat their e-mail messages seriously, they need to get serious about dealing with the problem.

http://www.pcworld.com/article/id,122090/article.html