Phishing is a simple concept: e-mails claiming to come from
legitimate financial organisations are sent to recipients, who are
then redirected to a fraudulent website. Once there, they are asked
to update their personal information – from bank account numbers
and passwords to social security numbers. In the most sophisticated
cases, the spoofed website is an almost perfect replica of the
genuine site – making it harder for visitors to tell one from the
other.
Once this personal information is obtained, the identity theft
begins, and can result in drained savings accounts, new credit
accounts being opened and countless on-line purchases being made in
the victim's name.
Phishing is a relatively new phenomenon but has very quickly
become a serious headache for those charged with maintaining
on-line security in financial institutions in particular.
There is no doubting the rise of the problem in the past nine
months or so: back in August 2003, MessageLabs intercepted a grand
total of 14 phishing e-mails (i.e. containing a fraudulent URL
posing as that of a legitimate organisation). By the end of January
this year, this number had risen to 290,016.
Phishing scams have to date occurred on every major
English-speaking continent. North America has perhaps been worst
hit – customers of TD Canada Trust, Citibank, Ebay's PayPal and
Visa have all unwittingly divulged account numbers, passwords and
other sensitive information. In the UK, customers of major high
street banks like Barclays, NatWest and the Halifax have all
responded to false e-mails. And in Australia the customers of all
four main banks have been targeted by scams.
Ascertaining precisely how many users have fallen victim is no
easy feat. The representative body of the UK banking industry,
APACS, has been cautious about its impact, claiming that fewer than
100 people fell victim in 2003. And yet the Bank of England saw at
least 200,000 phishing e-mails during one particular scam. In the
US, complaints to the Federal Trade Commission increased by 67% to
more than 75,000 since phishing e-mails first emerged in 2002.
One reason for the conflicting reports may be that financial
institutions are wary of reporting a successful phishing attack –
as it points to a direct threat to their on-line security. More
disturbing is the possibility that they may not even be aware that
it has happened.
What is clear is that institutions must take steps to try to
prevent becoming victims in the future. But what can they do to
stop themselves falling for such scams?
The answer is that there are a number of measures that can be
taken, one of the most effective being the deployment of a
dedicated, on-line fraud protection service.
Such a service should involve proactively monitoring
international e-mail traffic and providing immediate notification
upon the discovery of new phishing e-mails. An incident response
element is also needed to contact the authorities and law
enforcement agencies and to assist them in identifying and closing
down fraudulent websites, thus reducing companies' exposure to
losses related to prolonged scams.
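The monitoring and notification service described above has to decide, for each intercepted message, whether it contains a fraudulent URL posing as that of a legitimate organisation. The following Python is an added example, not code from this article or from MessageLabs, of the kind of link check such a service could run over an e-mail body: it flags links whose visible text names one host while the target is another, links that mention a known brand but resolve to a different registrable domain, raw IP address hosts, and user-info before an "@" that hides the real host. The brand-to-domain table, the HTML-only assumption and the three sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed brand-to-domain mapping for this example; a real monitoring service
# would maintain a curated, regularly updated list of each institution's domains.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com"},
    "barclays": {"barclays.co.uk"},
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
TAG_RE = re.compile(r"<[^>]+>")


def registrable(host):
    """Crude registrable-domain extraction: the last two labels, or three for
    second-level suffixes such as co.uk. Sufficient for this example."""
    labels = host.split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_brand(text):
    """Return the first known brand name mentioned in text, or None."""
    lowered = text.lower()
    for brand in KNOWN_BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def classify_url(href, anchor_text=""):
    """Return a list of reasons this link looks like it poses as a legitimate
    organisation; an empty list means nothing suspicious was found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if IPV4_RE.fullmatch(host):
        reasons.append("raw IP address as host")
    if parsed.username is not None:
        # http://www.bank.example@10.0.0.1/ shows a brand before '@' but the
        # browser connects to the host after it
        reasons.append("userinfo before '@' hides the real host")
    brand = find_brand(host) or find_brand(anchor_text)
    if brand and registrable(host) not in KNOWN_BRAND_DOMAINS[brand]:
        reasons.append(f"mentions {brand} but host is {host}")
    shown = URL_RE.search(anchor_text)
    if shown:
        shown_host = (urlparse(shown.group(0)).hostname or "").lower()
        if shown_host and shown_host != host:
            reasons.append(f"link text shows {shown_host} but target is {host}")
    return reasons


def scan_message(body):
    """Scan an HTML e-mail body; return [(href, reasons)] for suspicious links."""
    findings = []
    for href, inner in ANCHOR_RE.findall(body):
        text = TAG_RE.sub("", inner).strip()
        reasons = classify_url(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample messages for the example (not real e-mails).
LEGITIMATE = ('<p>See <a href="https://www.paypal.com/help">'
              'https://www.paypal.com/help</a></p>')
LOOKALIKE = ('<p>Confirm now: <a href="http://www.paypa1-secure.example/login">'
             'https://www.paypal.com/cgi-bin/webscr</a></p>')
USERINFO = ('<p><a href="http://www.citibank.com@192.0.2.10/verify">'
            'Citibank Online</a></p>')


if __name__ == "__main__":
    for name, body in [("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE),
                       ("userinfo", USERINFO)]:
        print(name, scan_message(body))
```

Each flagged link carries its reasons, so a notification can tell the institution why the message was held rather than only that it was; in practice the brand table would be fed from the institutions being protected, and a hit would go to the incident response step the text describes next.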
There are additional precautions that can also be taken. User
education plays a key role in any IT security initiative, and
phishing is no exception.
Financial institutions must ensure that customers know how the
institution will communicate with them, and what kind of
information they will be asked for. No reputable finance
organisation would use an e-mail to notify customers of problems
with their account and then ask them to hand over personal account
details, account numbers and passwords with no personal contact or
other form of verification.
Unless financial institutions take immediate, urgent action,
phishing scams will become one of the biggest threats they face
today. Inactivity is not an option – this type of fraud results not
only in financial losses, but also in considerable damage to
credibility and reputation. In a climate where online banking as a
whole is still attempting to establish widespread acceptance and
trust, the potentially devastating impact of successful phishing
scams must not be underestimated.
This article was provided to OUT-LAW.COM by Mark Sunner, Chief
Technology Officer of MessageLabs. (www.messagelabs.com/intelligence)