Phishing is a simple concept: e-mails claiming to come from a legitimate financial organisation are sent to recipients, who are directed to a fraudulent website. Once there, they are asked to "update" their personal information, from bank account numbers and passwords to social security numbers. In the most sophisticated cases the spoofed website is an almost perfect replica of the genuine site, making it hard for visitors to tell one from the other.
Once this personal information is obtained, the identity theft begins, and can result in drained savings accounts, new credit accounts being opened and countless on-line purchases being made in the victim's name.
Phishing is a relatively new phenomenon but has very quickly become a serious headache for those charged with maintaining on-line security in financial institutions in particular.
There is no doubting the rise of the problem in the past nine months or so: back in August 2003, MessageLabs intercepted a grand total of 14 phishing e-mails (i.e. containing a fraudulent URL posing as that of a legitimate organisation). By the end of January this year, this number had risen to 290,016.
Phishing scams have to date occurred on every major English-speaking continent. North America has perhaps been worst hit: customers of TD Canada Trust, Citibank, eBay's PayPal and Visa have all unwittingly divulged account numbers, passwords and other sensitive information. In the UK, customers of major high street banks such as Barclays, NatWest and the Halifax have all responded to false e-mails. And in Australia the customers of all four main banks have been targeted by scams.
Ascertaining precisely how many users have fallen victim is no easy feat. The representative body of the UK banking industry, APACS, has been cautious about the impact, claiming that fewer than 100 people fell victim in 2003. And yet the Bank of England saw at least 200,000 phishing e-mails during one particular scam. In the US, complaints to the Federal Trade Commission increased by 67% to more than 75,000 since phishing e-mails first emerged in 2002.
One reason for the conflicting reports may be that financial institutions are wary of reporting a successful phishing attack – as it points to a direct threat to their on-line security. More disturbing is the possibility that they may not even be aware that it has happened.
What is clear is that institutions must take steps to avoid becoming victims in the future. But what can they do to prevent themselves from falling for such scams?
The answer is there are a number of measures that can be taken, one of the most effective being the deployment of a dedicated, on-line fraud protection service.
Such a service should involve proactively monitoring international e-mail traffic and providing immediate notification upon the discovery of new phishing e-mails. An incident response element is also needed to contact the authorities and law enforcement agencies and to assist them in identifying and closing down fraudulent websites, thus reducing companies' exposure to losses related to prolonged scams.
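The kind of check such monitoring relies on can be illustrated in code. The fraudulent-URL pattern defined earlier (a link that poses as a legitimate institution's but leads elsewhere) shows up in a few well-known forms: anchor text naming the bank while the href points at another host, a bare IP address as the host, or the bank's name placed before an "@" so that the real host follows it. The Python below is an added example written for this page, not MessageLabs's service or code; the trusted domain example-bank.com, the sample messages and the address 203.0.113.5 are constructed for illustration and are not taken from the article.

```python
"""Flag e-mails whose links pose as a trusted institution but lead elsewhere.

Added example for this page, not MessageLabs code. The trusted domain and
the sample messages below are constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical institution being impersonated (an assumption, not from the article).
TRUSTED_DOMAINS = {"example-bank.com"}

class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def _claims_trusted(text):
    """Does the text mention one of the trusted domains?"""
    return any(d in text.lower() for d in TRUSTED_DOMAINS)

def classify_link(href, text):
    """Return a reason string if the link looks like impersonation, else None."""
    u = urlsplit(href)
    host = u.hostname or ""
    if u.scheme not in ("http", "https") or not host:
        return None
    if _registrable(host) in TRUSTED_DOMAINS:
        return None  # genuinely points at the institution
    if u.username and _claims_trusted(u.username):
        return f"user@host trick: {href}"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return f"IP-literal host: {href}"
    if _claims_trusted(text) or _claims_trusted(host):
        return f"claims trusted domain but resolves to {host}: {href}"
    return None

def scan_message(raw):
    """Parse one RFC 5322 message and return a list of impersonation findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    content = body.get_content()
    if body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        pairs = collector.links
    else:
        pairs = [(m, "") for m in re.findall(r"https?://\S+", content)]
    return [r for href, text in pairs if (r := classify_link(href, text))]

# Constructed sample messages (not real phishing mail).
PHISH_HTML = """\
From: "Example Bank Security" <security@example-bank.com>
To: customer@example.net
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<p>Your account has been suspended. Click
<a href="http://203.0.113.5/verify">https://www.example-bank.com/login</a>
to restore access.</p>
"""

PHISH_PLAIN = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.net
Subject: Action required
Content-Type: text/plain; charset=utf-8

Update your details at http://www.example-bank.com@203.0.113.5/update now.
"""

LEGIT = """\
From: "Example Bank" <news@example-bank.com>
To: customer@example.net
Subject: Monthly newsletter
Content-Type: text/html; charset=utf-8

<p>Read more on <a href="https://www.example-bank.com/security">our security page</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH_HTML", PHISH_HTML), ("PHISH_PLAIN", PHISH_PLAIN), ("LEGIT", LEGIT)):
        print(name, scan_message(raw))
```

Two caveats a practitioner would want: the two-label registrable-domain approximation is wrong for suffixes such as co.uk (use the Public Suffix List in production), and a homograph or misspelt lookalike such as examp1e-bank.com is not caught by substring matching, so a monitoring service would add a similarity measure against the protected brand names.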
There are additional precautions that can also be taken. User education plays a key role in any IT security initiative, and phishing is no exception.
Financial institutions must ensure that customers know how the institution will communicate with them and what kind of information it will ask for. No reputable finance organisation would use an e-mail to notify customers of problems with their account and then ask them to hand over personal account details, account numbers and passwords with no personal contact or some other form of verification.
Unless financial institutions take immediate, urgent action, phishing scams will become one of the biggest threats they face. Inactivity is not an option: this type of fraud results not only in financial losses, but also in considerable damage to credibility and reputation. In a climate where online banking as a whole is still attempting to establish widespread acceptance and trust, the potentially devastating impact of successful phishing scams must not be underestimated.
This article was provided to OUT-LAW.COM by Mark Sunner, Chief Technology Officer of MessageLabs. (www.messagelabs.com/intelligence)