Phrying Phish
 
Tips to help keep you from becoming a victim of a fraudulent e-mail scam.

In October, the FBI announced a major cybercrime takedown called Operation Phish Phry. The investigation uncovered a sophisticated international “phishing” operation that collected personal information from thousands of victims, some of whom were residents of the St. Louis area. The FBI says Operation Phish Phry is the largest cybercrime investigation to date in the U.S., with 53 defendants charged in U.S. District Court.

According to the indictment, Egyptian-based hackers used phishing techniques to obtain bank account numbers and related personal identification information from bank customers. Phishing attacks frequently begin with an e-mail message purporting to be from a trusted source that actually contains a malicious link. The link directs users to a “spoofed” Web site that looks legitimate but is designed to trick users into disclosing personal information.


After the FBI announced the indictment, local TV station KMOV aired a story advising St. Louis-area computer users to be wary of phishing scams. Reporter Robin Smith interviewed Robert Brown, an Internet security expert with UltraTech Resources, who offered practical tips for spotting phishing schemes and avoiding becoming a victim. “One of the more common scams involves e-mails telling you that you could win $1 million today if you just transfer money to this account,” Brown said. “Common sense is your best guide in these types of situations. If something looks too good to be true it more than likely is.”

‘You’re (Not) a Winner!’

Unfortunately, nearly nine in 10 Web users in the U.S. are at risk of online fraud because they can’t identify the different forms of phishing currently happening online, according to a YouGov survey commissioned by VeriSign. Of the seven countries included in the research — the U.S., Germany, Sweden, Australia, India, Denmark and the U.K. — U.S. respondents were least likely to identify the signs of phishing.

The research asked respondents to identify which of two Web site images presented side by side was a fraudulent phishing site. The most frequently missed telltale indicator was misspelling on the site, with 88 percent failing to spot the mistakes that often identify a phishing site. Other indicators that were missed by respondents included the lack of a padlock symbol in the browser address bar (68 percent), a URL containing an unspecified, numerical, domain name (42 percent) and unnecessary requests for additional account information (33 percent).
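Two of the indicators from the survey, a numeric address in place of a domain name and a link that is not served over HTTPS (so the browser shows no padlock), can be checked mechanically. The following script is an added example, not part of the article or of the VeriSign research: it pulls the links out of a constructed sample e-mail body and reports which of those two indicators each link trips. The sample message, the URLs in it and the function names are all assumptions made for the demonstration.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the article): one link uses a bare
# numeric host, one is plain http, one is an ordinary https link.
SAMPLE_EMAIL = """Dear customer, please verify your account at
http://192.0.2.10/login to avoid suspension.
Or use our secure portal: https://example.com/account
Questions? See http://example.net/help
"""

# Matches http/https URLs up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_urls(text):
    """Return every http/https URL found in free text."""
    return URL_RE.findall(text)


def has_ip_host(url):
    """True if the URL's host is a bare IP address rather than a domain name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(url):
    """Return the list of survey indicators (from the article) this URL trips."""
    parsed = urlparse(url)
    flags = []
    if has_ip_host(url):
        flags.append("numeric domain name")
    if parsed.scheme != "https":
        flags.append("no padlock (plain http)")
    return flags


def scan_email(text):
    """Map each URL in the message to its indicators; clean URLs map to an empty list."""
    return {url: phishing_indicators(url) for url in extract_urls(text)}


if __name__ == "__main__":
    for url, flags in scan_email(SAMPLE_EMAIL).items():
        print(url, "->", flags or ["no indicators"])
```

The numeric-host link trips both indicators, the plain-http link trips one, and the https link trips none. The reverse does not hold: a padlock only means the connection is encrypted, and a phishing site can obtain a certificate too, so an empty result here is no proof that a link is safe.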

“Beware of those posing as a bank, credit union, PayPal or other financial source asking you to confirm or verify or renew account information. Also be suspect if they say you’ve won a lottery, offer you a job or partnership in a business, or make an urgent request for money for a medical emergency,” said Brown. “If you are suspicious of any e-mail, do not click on any links, do not reply, and do not open any attachments.”

Fake Messages, Real Danger

Cybercriminals also use a number of other techniques to lure victims into clicking malicious links or opening attachments that carry malware. Fake messages that seem to signal a package pick-up from popular couriers are infected with Trojans. Fake receipts sent via e-mail are infected with malware that leave users vulnerable to identity theft. E-cards are another common source of phishing scams.

Cybercriminals use bogus discounts and promos to lure victims into clicking malicious links or entering confidential information into fake sites. Typically, hot retail items are associated with such schemes, making them irresistible to many users. In previous years, for instance, fake advertisements and Web sites for the Apple iPhone infected users with the Trojan TROJ_AYFONE.

Users who fill out seemingly harmless online surveys in exchange for gift cards, cash, free items or special promotions risk identity theft. Compromised survey pages are actually phishing sites designed to steal confidential information.

“Cybercriminals also prey on users’ generosity, using fake charity sites for a variety of scams,” said Brown. “Typically, spammers send out messages pleading for donations to help victims of newsworthy calamities. Generous users who open the message and click on the link to donate end up robbed of cash and confidential information.”

Social Networking Scams Surge

The FBI warns that there has been an increase in the hijacking of social networking accounts, citing a growing number of reports to the Internet Crime Complaint Center (IC3) about cybercriminals hijacking accounts and sending out distress messages claiming they are in some sort of legal or medical peril and requesting money from their social networking contacts. So far, nearly 3,200 cases of account hijackings have been reported to the IC3 since 2006.

Cybercriminals are also using spam to promote phishing sites, claiming a violation of the terms of service agreement or creating some other issue which needs to be resolved. Other spam entices users to download an application or view a video. Some of these messages appear to be sent from friends, giving the perception of legitimacy. Once the user responds to a phishing site, downloads an application, or clicks on a video link, the electronic device they’re using becomes infected.

“Some applications advertised on social networking sites appear legitimate but install malicious code or rogue anti-virus software. These empty applications can give cybercriminals access to your profile and personal information. These programs will automatically send messages to your contacts, instructing them to download the new application too,” said Brown.

“If you get a message that appears to be from a friend or family member, give them a call. Contact the person you know using the telephone but do not try to contact them by returning the suspicious e-mail. Remain vigilant, and be aware that phishing poses a very real threat.”