In a world where millions of online transactions are conducted every day, it didn't take long for most Internet users to become aware of phishing scams and avoid the phoney e-mails from crooks looking to steal personal information and clean out bank accounts.
But even the most savvy surfer might be fooled by the next generation of fraudsters that have developed a more devious way of tricking consumers known as pharming.
Shelley Jones, a trademark specialist with law firm Borden Ladner Gervais, said this new form of fraud is particularly damaging because it doesn't require any clicking of external links. Rather, it re-directs the browser to a phoney site even when the proper URL is entered.
Ms. Jones is also chair of the Intellectual Property Institute of Canada's (IPIC) Domain Names and Trademarks on the Internet Committee.
With phishing, criminal networks send out mass e-mails made to look like they are from legitimate companies to people who may not even have an account with the actual organization. These e-mails are easy to spot with a suspicious eye as they usually have spelling mistakes, do not have the customer's name attached and ask for information a bank wouldn't ask for online.
Pharming is much harder to spot. Hackers set up phoney web sites to look exactly like the real deal, redirect the users' browser to their site and steal any personal information that is provided.
Although there have been no large-scale cases of pharming yet, the fact that users could enter what they think is a genuine URL and unwittingly submit personal information makes for a scary scenario.
"They both result in our clients providing personal information that leads to identity theft. These websites are able to do it by misappropriating logos, copyrights and trademarks to look legitimate," she said.
"But unlike phishing, a customer can click on one of their 'favourites' links, a website they visit every day, and be redirected. Many people don't pay attention to the URL and even when they do, websites change their URLs legitimately all the time."
Pharming, also known as framing or domain name spoofing, has been around for some time. The latest technique is known as domain name system (DNS) poisoning. The domain name in a website's URL is linked to a numeric IP address, and that address is what brings users to the proper web site. Hackers who crack the DNS can change the address linked to the name, so the correct URL leads to their site instead.
"They generally have the look and feel of the real sites. I've seen some very sophisticated fraudulent sites," said Ms. Jones.
And it's not just banks that have to be aware of these, said Maura Drew-Lytle, spokesperson for the Canadian Bankers Association. "Retailers, Internet service providers, government web pages, they all have to work hard to protect their clients."
One high profile case of suspected pharming happened in January 2005 when someone hacked into Panix.com, a New York State-based Internet provider, and re-routed users before it could be shut down a few days later.
In 2004, eBay's German domain, eBay.de, was targeted. Popular phishing targets such as retailers and banks are also on high alert.
So how do users and companies protect themselves? The United States is in the midst of passing anti-phishing legislation and Canada has anti-spamming laws, but these have done little to stem the tide.
Ms. Jones doubts that formal legislation will stop phishing or pharming. "These networks are already committing crimes by stealing credit card numbers and most take place overseas, outside of Canadian or American reach," she said.
"I think that if we are ever going to see anything effective it's going to be in the way of technological advances. Companies need to protect their trademarks in all domains, even overseas."
She said that online companies should set up a system for customers to alert them about phoney web sites and e-mails. "They have to understand that these criminals are not just stealing from customers, they are stealing the goodwill and integrity of the business' trademark."
According to Chief Security Officer Magazine, phishing scams cost businesses approximately US$2 billion between May 2004 and May 2005, as a result of an estimated 1.2 million people falling victim to phishing in America alone.
Ms. Drew-Lytle said that the CBA actively searches out these sites and can shut them down in as little as 24 hours. "The main way to prevent clients from scams is education. Everyone knows how to spot a phishing scam now. When one of these is circulating, the banks receive a huge increase in calls," she said.
Ms. Jones sees new firewalls and security certificate software becoming more important in the future to keep these predators out. Some companies are also looking into creating holograms or other optical cues for their websites that cannot be duplicated, much like security features on a banknote.
"Internet shopping and banking is the future of business. But, if we are going to keep consumer confidence, we have to make sure they know they are safe online," Jones said. "They have to be able to trust the brand they are using."
By Julie Fortier
Special to the Ottawa Business Journal