Phishing attacks get personal

By ABC News
January 1, 2009, 9:48 PM

You know to watch for phishing attacks, which use e-mail messages purporting to be from legitimate businesses to trick you into divulging private information. You're cautious and use a good spam filter, but phishing messages still get through. And these messages are more dangerous than ever.

According to Cisco, almost 200 billion spam messages are sent daily. They have one thing in common: They want your money.

Most computer users can spot phishing messages. Unfortunately, cybercriminals have become more sophisticated, too. Targeted phishing attacks account for 0.4% of spam. That may seem minor, but it's 800 million messages a day.

For example, you receive a message purportedly from your Internet service provider. It greets you by name and says your billing information is outdated. It says you must click a link to update your information. If you comply, your information will be stolen. This is the type of targeted attack you will see more of in 2009.

Phishing on the rise

Small phishing attacks don't receive much publicity. And when scammers use personal information to hook you, their messages seem more trustworthy. So, small, targeted attacks are often more lucrative than large ones.

Criminals can pull information about you from public sources, or someone may be tricked into disclosing it. Either way, it is used to tailor the messages.

You won't see a long list of recipients in targeted attacks. You may also notice a difference in the sender's address. Criminals used to spoof e-mail addresses. Spoofing is a quick, easy way to cover tracks. But spam filters can spot questionable e-mail addresses. Criminals now create new accounts with reputable providers. Or, they hack users' e-mail accounts. This helps criminals get past spam filters.

People who do business with large financial institutions are still prime targets, but clients of small or regional institutions are also targeted, along with those of ISPs and alumni organizations.

Phishing messages generally request your personal information. They may also instruct you to install a fake security update or a malicious browser plug-in. Do that, and kiss your personal information goodbye.