When the SEC swooped in on Oak Grove, Ky., resident K.C. Smith last year, the 20-year-old was accused of creating a number of fake Web sites in a year-long scheme that bilked investors of $102,000. Among other accusations, the SEC said that Smith created and maintained a fictitious Web site for the Maryland Investment Club that claimed to offer investors double-digit returns and promised that "every dime you invest is 100 percent guaranteed."
The SEC charged that Smith sent out a total of nine million spam e-mails soliciting investors. He concealed his identity from investors, the SEC said, by using disposable cellular phones, accessing the Internet through stolen ISP accounts and using online payment services that provide confidentiality. Without admitting or denying the allegations, Smith agreed in May 2003 to a disgorgement order that required him to pay $107,510.
While elaborate, the Smith scheme is not unusual. The latest Internet scam is "phishing," where scammers use e-mails to "fish" for passwords and financial data from unsuspecting consumers. "It's becoming a huge problem, and we're almost to the point where I am tempted to say if you haven't been phished yet, you will be," says Wayne Abernathy, assistant secretary of the U.S. Treasury.
A typical phishing campaign, Abernathy explains, features e-mails that direct recipients to a fraudulent Web site that resembles a legitimate organization's site. The consumer is asked to update sensitive personal data that the thieves then use to commit fraud, he continues. According to the Anti-Phishing Working Group, an industry association formed to combat fraud, there were 1,197 unique phishing attacks in May alone, and financial-services firms were the top target. (Citibank was the organization most targeted, with 370 attacks.)
Stamford, Conn.-based research firm Gartner reports that more than 57 million Americans have likely received a fraudulent e-mail, and direct losses from such identity theft cost financial institutions $1.2 billion last year. Avivah Litan, vice president and research director at Gartner, says that 19 percent of those who receive a phishing attack (about 11 million Americans) will click through to the link of the spoofed site provided in the e-mail. About 3 percent actually provide their personal information. "Phishing attack victims are almost three times as prone to identity-theft-related fraud as other online consumers. Financial institutions, Internet service providers and other service providers need to take phishing seriously," he says.