State office accidental participant in scam

SEATTLE - Attorney General Rob McKenna has made Internet scam artists and identity thieves among his top targets. But on Wednesday, McKenna unwittingly helped an online "phishing" scam troll for victims.

It happened when someone pretending to be Bank of America Corp. sent an e-mail seeking account information to a mailing list normally used for communicating with the press corps.

That bogus e-mail was actually an attempt at "phishing," an online theft tactic that fools victims with realistic-looking e-mails that appear to come from banks or other financial institutions.

After calling attention to the bogus message, McKenna's office said it had tightened up security for its online e-mail list.

Spokeswoman Kristin Alexander also acknowledged the irony, saying it was "pretty gutsy" for an online con artist to hijack the e-mail of the state's top law enforcement officer.

"Our first concern was making sure nobody was harmed," Alexander said. "An equally important concern was making sure it won't happen again, and it won't."

But Kurt Opsahl, a staff attorney for the online civil liberties group Electronic Frontier Foundation, said government should be especially vigilant in making sure it doesn't contribute to identity scams.

"If it was something that happened regularly, people would have a higher likelihood of being bamboozled by a phishing

e-mail that appeared to come from an authoritative figure," Opsahl said.

Wednesday's scam apparently started when an outsider tried to send the phishing e-mail to people signed up for news updates from McKenna's office.

Although the state's mailing list program allowed the message in, a security feature diverted it back to McKenna's office for approval.

However, instead of catching the scam, a staffer mistakenly clicked on a Web link that approved the release, Alexander said.

McKenna's office later called attention to the e-mail, which took recipients to a legitimate-looking Web page that asked for bank account information.

Officials also shut off outside access to the mailing list, ensuring that only people within the office will be able to send messages, Alexander said.

The Anti-Phishing Working Group, an industry association, reported 24,853 phishing attacks in March from about 20,870 unique Web sites. Financial services were by far the most heavily targeted sector of business, accounting for more than 91 percent of phishing attacks.