Dan Gillmor wonders if there's an effective way to battle scam e-mails. Here's a thought: banks, eBay, CC companies, etc. provide a Web site or Web Service that provides an array of fake userids and passwords that are identified in their back end as “fraudulent.”
- A savvy person receiving a phish goes to, say, honeypot.ebay.com (the service provided by the real eBay) and says “Gimme' a traced id.”
- eBay responds with “JohnSmith78“ “87htims“
- Savvy person clicks through to the phish site and “logs in“ as “JohnSmith78“
- The phisher passes through the traced id and eBay says “Hi, John, you have \$25,213,123 in your account“
- The phisher says “Oh, wire that to Russia Federal Credit Union account #1234“
- Standard wire fraud techniques are used thereafter
Of course, the use of offshore accounts by phishers is a challenge, but that's a matter for law enforcement, not gullible Internet users.