Online criminals trying to pry passwords and other sensitive information out of companies have started using phony e-mails that look as if they were sent from powerful executives of the targeted organizations, experts said yesterday.

Known as "spear phishing," the technique is an ingenious wrinkle on the "phishing" e-mail scams that try to trick consumers into giving up bank-account information and other sensitive details that can be used in identity theft.

Businesses are typically reluctant to publicly disclose when they are the targets of online attacks, but online security company MessageLabs Inc. said in June that it has seen the tactic grow steadily during the year to the point where it now sees one to two spear-phishing campaigns a week.

Rather than posing as a bank or other online business, spear phishers send e-mails to employees at a company or government agency that appear to come from a powerful person within the organization, several security experts said.

Unlike basic phishing attacks, which are sent out indiscriminately, spear phishers target only one organization at a time. Once they trick employees into giving up passwords, they can install Trojan horse programs or other malicious software to ferret out corporate or government secrets.

Spear phishing can be devastatingly effective even among employees who are aware of online threats.

At the U.S. Military Academy in West Point, N.Y., several internal tests found that cadets were all too willing to give sensitive information to an attacker posing as a high-ranking officer, said Aaron Ferguson, a visiting faculty member there.

"It's the 'colonel effect.' Anyone with the rank of colonel or higher, you execute the order first and ask questions later," he said.

Cadets in more recent tests have been somewhat more likely to report the messages as suspicious as awareness has grown, he said.