E-commerce is falling prey to a new and audacious online fraud by organized criminals whose nimble stratagems and technological virtuosity put them beyond the reach of national law-enforcement agencies.

The crime is identity theft, but with a nightmarish twist. These will-o'-the-wisp criminals help themselves to a corporate identity – typically that of a large, well-known financial institution – by creating a replica of the company's website.

Then, they use the look-alike website to run a con, such as an advance fee loan scam. Or they use it to trick consumers into furnishing credit card numbers, passwords or personal information.

Hackers call the scam "phishing," or "spoofing." It's a "big house" fraud, like the elaborate fake bookie joint in the 1973 Robert Redford movie The Sting, except in this case the swindlers use a labyrinthine array of cyberprops.

It takes the authorities an average of 160 person-hours (one week, 24/7) to close these sites, says Dave Jevans, the Redwood City, Calif., chair of the newly-created Anti-Phishing Working Group, a consortium of law-enforcement agencies and corporations.

If the scammers are located in Russia, it'll take more like three weeks, he says.

"There's no police service that I'm aware of that's set up to take this type of Internet complaint and be able to do something about it quickly," agrees Ontario Provincial Police Staff Sgt. Barry Elliott, co-ordinator of the North Bay-based Project Phonebusters anti-racketeering agency.

"The police are backlogged."

Jevans, an executive with Tumbleweed Communications Corp, an Internet software company that launched the Anti-Phishing Working Group in November 2003, says criminals were setting up five new look-alike websites per day by late December 2003, compared with one per day in October and November.

The casualty list reads like a Who's Who of North America's financial services sector: Sun Life, Bank of America, CitiFinancial, Primerica, America Online, eBay, Amazon.com, to name a few.

If you run a small company, you can fall prey to this sort of offence, too.

At the Better Business Bureau of Southern Alberta, I witnessed what may have been the first such crime when a small B.C.-based lending institution contacted me on July 16, 2002, after discovering its name and Calgary location being used on a phoney website in the United States.

The company – let's call it "Ace Loans" – was alerted by a bank. Meanwhile, we had just begun receiving inquiries from hopeful borrowers from across the U.S. who saw the criminals' ads in newspapers about hassle-free business and consumer loans from Ace's Calgary office.

The scam: You pay a hefty loan fee via Western Union. Then you don't get the loan. Information we received from American victims suggested the criminals were operating in the Toronto area.

Ace Loans does business only in Canada. This was merely a trifling detail to these criminals, however. They encouraged their marks to check "Ace" at our Better Business Bureau, knowing that the company had a good record with us.

It took me about 1.7 nanoseconds to smell a scam – and about six weeks of hard work to thwart the perpetrators who used an elaborate telephone relay to reel in their suckers.

I alerted our BBB staff. I worked with our IT manager to rewrite our reports to alert Americans. I wrote a news release. I contacted every police agency I could think of. Our BBB head office in Arlington, Va., got the Internet service provider to pull the plug.

Jevans says about eight corporations across North America were victimized in such a manner in 2002, compared with five per day today. His anti-phishing organization runs a website, www.anti-phishing.org, which provides a continuously updated public registry of "attacks" on the identities of corporations.

"These are professional criminals," says Les Seagraves of Atlanta, Ga., chief privacy officer of EarthLink, Inc., an Internet service provider. "It's very difficult to find these people and go after them."

The FBI's Internet Fraud Complaint Center (IFCC) says it has seen a steady increase in complaints about unsolicited e-mail directing consumers to a phoney "customer service" type of website. The IFCC has traced complaints to gangs in Russia, Romania and England.

Canadian Council of Better Business Bureau statistics show that identity theft costs the Canadian economy about $2.5 billion per year. Last summer and fall, a delegation of the Canadian Bankers Association visited regulatory agencies and police forces across Canada to drum up support for tougher criminal penalties.

RCMP Commercial Crime Staff-Sgt. Lou Morissette of Ottawa says the criminals hit hard; then shut down. "When we go to the site, they're gone," he says. "They're that quick."

Jevans says e-business already is feeling the consequences of the personal and corporate havoc. Customers are becoming reluctant to comply with legitimate requests for personal data. "The problem we're seeing is that the customer says: 'I don't trust this e-mail'."

Here is what you should do if you discover ID thieves using your company's name:

* Contact your ISP.

* Post a warning on the home page of your website.

* Hire a law firm that specializes in using civil litigation procedures to pull the plug.

* Hire a qualified private investigator if the criminals have covered their cybertracks.

* Contact the Better Business Bureau in your area. The BBB can assist you by issuing public warnings.

* Monitor the Internet.

* Call a cop if someone has mimicked your website, but don't expect quick service. "It's up to the company's lawyers to shut it down," says Elliott.

* Contact Project Phonebusters toll-free at 1-888-495-8501.

* Best of all, take ongoing preventive action. For example, enclose tips in your monthly billings, such as telling your customers it is not a good idea to access your website by clicking on a hyperlink in an incoming e-mail.

(Brock Ketcham is the director of trade practices for the Better Business Bureau of Southern Alberta. He can be reached at brock@businessedge.ca)