Companies on the front lines of the phishing wars share tactics for making their sites spoof-proof and protecting online transactions.

Reader ROI

• Why phishing is a major threat to future e-commerce
• How you can protect your employees and customers from phish attacks
• What you can do to make your Web site a difficult target

On June 25, an e-mail that appeared to be from the PayPal Support Centre asked members of the online payment service to update their account information to protect themselves from fraud. Failure to update records by July 15, the message read, would result in account suspension. Recipients who clicked on the embedded link encountered a familiar PayPal log-in screen, then an announcement of a new immediate payment option as well as a ho-hum notification of changes to PayPal's user agreement and privacy policy.

All standard PayPal fare. So, few customers would have thought twice about filling in the online form that followed - even though it asked them to cough up their e-mail address and PayPal password, credit card number and expiration date, billing address and phone number, cheque account number, ATM code, Social Security number, birth date and mother's maiden name. Upon hitting the "Continue" button, the PayPal member would have been greeted with an "Updating Your Account" screen for a few seconds before landing on a replica of a general PayPal page.

It was all so convincing that respondents might never have suspected that the online form they just completed was on its way to a crook in Seoul. Those who did reply gave away access to their PayPal account, credit card and cheque accounts, and quite possibly enough information for the fraudster to take out a second mortgage on their homes.

The Internet makes identity theft almost laughably easy. Phishing - or the practice of sending e-mails and using fake Web sites that spoof a legitimate business in order to dupe unsuspecting customers into sharing personal and financial data - requires minimal effort and capital. "A lot of drug lords are getting into phishing," says Avivah Litan, a vice president and research director at Gartner. "They set up phishing rings because it's easier and more lucrative than selling cocaine."

Not surprisingly, the incidence of phishing is growing at an alarming rate. In June, the Anti-Phishing Working Group (APWG), an industry group, counted 1422 phishing attacks - more than 12 times the number of attacks reported in December. So far, phishers have mostly targeted customers of large banks, credit card companies, online payment services, ISPs and online retailers. In June, Citibank alone was the target of 492 attacks, and eBay experienced 285 attacks. PayPal was targeted 42 times in February, 63 in March, 135 in April, 149 in May and 163 in June. But any company with a recognizable brand name could very well become the next target. Government agencies, including the IRS and the FBI in the US, have been spoofed by phishers eager to capitalize on governmental authority to make an easy profit. In fact, even internal corporate data is becoming a target for phishers, as executives at Wyndham International discovered when a message purporting to be from the hotel chain's IT department asked employees to verify their corporate passwords.

"Spoofing is a threat to any company with a sizeable customer base," says Ken Miller, vice president of risk management at PayPal. "Every CIO needs to be aware of this issue."

Indeed, phishing has scared some consumers so badly that they say they're not going to bank online any more, says Dave Jevans, APWG chairman. Although technological solutions are on the horizon, they won't be in place for at least a year, and quite likely not for two or three. In the meantime, there are measures CIOs can put in place to staunch the billions of dollars in potential losses to their customers and companies. Here's a look at the current state of phishing, why it's such a serious threat to e-commerce and what companies on the front lines are doing to minimize the risk to their customers and brands.