Something's Phishy

Written by Jill Vasant, AP Technology (2005)
Phishing is the latest cyber attack to hit the banking industry. This new form of online identity theft is growing rapidly, and it has already tricked millions of internet users into revealing personal financial information. In this article you will learn about the evolution of phishing attacks, see what financial institutions are doing to protect their customers, and be able to assess your own fraud risk.

Casting the Net

In April of this year, there were 14,411 email phishing attacks reported to the Anti-Phishing Working Group (APWG). Since July of 2004 there has been a 15% growth rate in the number of phishing sites that appear each month, with the United States hosting the majority of these spoof sites. *1

Phishing is a type of online fraud aimed at stealing a person's identity - and it has taken hold of the banking industry. In this latest cyber attack, phishers pose as financial institutions, such as banks or credit card companies, and send out fake emails, generally in bulk, directing recipients to fraudulent websites in order to bait them into divulging personal financial information. These phony emails are purposely designed to mimic the look and feel of legitimate emails from financial institutions, which is exactly what reels in victims everyday.

According to the Gartner Group, of the 57 million online users who have received a phish, nearly 2 million users have been tricked into giving up personal and financial data. Such data includes social security numbers, bank account information, credit card numbers and passwords. Online commerce has been hit hard by phishing attacks, with banks representing 15 of the top 20 phishing scams.

In March, banks accounted for 81% of all hijacked brands *2 (brands are companies that have become phishing targets, as defined by the APWG), and in April, ten out of the eleven newly-hijacked brands belonged to financial institutions. *1 Phishing alone is costing U.S. banks $1.2 billion in direct losses, increasing insurance rates and eroding consumer confidence in online transactions. *3

Originating in 1996, phishing was a scam invented by hackers to steal AOL accounts and passwords. *4 Today, phishing schemes have evolved into a highly sophisticated form of identity theft, and these attacks are becoming more difficult for unsuspecting recipients to detect. Below are examples of recent email phishing attacks, courtesy of the Anti-Phishing Working Group:

[Sample phishing email images not reproduced here.] Source: Anti-Phishing Working Group (www.antiphishing.org)

As seen in the above email examples, phishers are able to lure victims by hijacking the brands of trusted banks, credit card companies and online retailers, mirroring an institution's logos, graphics, trademarks and URLs. The links in these emails appear to point to legitimate sites; however, when a recipient clicks one of them, they are actually taken to a spoof website where phishers can easily capture the victim's personal information.
**Feel free to test your phishing skills by taking the "MailFrontier Phishing IQ Test II" online (don't worry, it's not phishy).** *5
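Two of the tells described above (link text that shows a bank URL while the real target is elsewhere, and a target that is a raw IP address) can be checked mechanically before a customer ever clicks. The following is an added example, not code from the article or from any vendor it mentions; the bank name, the sample email and the 203.0.113.7 address are constructed placeholders, and the anchor regex is a deliberate simplification of HTML parsing.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample e-mail (placeholder bank name, not a real brand): one
# honest link, one whose visible text is a bank URL but whose target is a raw
# IP address, and one pointing at a look-alike host.
SAMPLE_EMAIL = """
<p>Please <a href="https://www.examplebank.com/login">sign in</a> now.</p>
<p>Or use <a href="http://203.0.113.7/login">https://www.examplebank.com/verify</a>
within 24 hours.</p>
<p>Help: <a href="http://examplebank.com.secure-update.example/help">www.examplebank.com/help</a></p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)

def host_of(text):
    """Lowercase hostname of a URL or bare 'www.x.com/path' string, minus 'www.'."""
    text = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_ip(host):
    """True when the host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def links(html):
    """(href, visible text) for each anchor; simple regex, good enough for e-mail."""
    return [(href, " ".join(re.sub(r"<[^>]+>", " ", body).split()))
            for href, body in ANCHOR.findall(html)]

def suspicious_links(html):
    """Return (href, reason) for each link that trips a phishing tell."""
    found = []
    for href, text in links(html):
        target = host_of(href)
        if is_ip(target):
            found.append((href, "target host is a raw IP address"))
        elif URL_LIKE.search(text) and host_of(text) != target:
            found.append((href, "visible URL and real target differ"))
    return found
```

Calling `suspicious_links(SAMPLE_EMAIL)` flags the second and third links and leaves the honest first one alone; a mail gateway or client plug-in can apply the same two rules to incoming messages.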

So what can banks and financial institutions do to protect their valued customers from phishing attacks and more importantly maintain their trust? Phishing prevention primarily requires education; however, there are new technology and security features on the horizon.

Reeling Them In

MasterCard, for example, announced in May that it has successfully shut down almost 1,400 phishing sites since launching its ID-theft-prevention program in June of 2004. With MasterCard's program, called Stop It, the company is able to detect internet scams in real time as they spread across the Internet. MasterCard was able to shut down one phishing site in just 15 minutes. *6

Bank of America will be launching SiteKey, "a free online authentication service...that verifies the authenticity of both a customer's identity and the bank's Web-site address." The SiteKey service relies on security called "two-factor authentication," in which customers are granted access to online banking based on their particular computer and unique password. Customers select an image of their choice with a corresponding phrase and three challenge questions, which are displayed for verification upon signing on to online banking. This assures customers that the bank recognizes their computer, and more importantly that the customer is actually at the bank's website and not a spoof site. This service will first be launched in Tennessee in mid-June, with complete rollout across the country expected by year end. *7
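The SiteKey flow described above can be modelled end to end: the bank recognizes the computer (or falls back to a challenge question), shows the customer's chosen image and phrase, and only then asks for the password, so a spoof site that has copied the logos but not the secret cannot get past the customer. This is an added illustration of that flow, not Bank of America's implementation; the customer record, the image identifier, the challenge questions and the SpoofSite class are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed bank-side record for a hypothetical customer, as chosen at enrolment.
USERS = {"jdoe": {
    "pw_hash": _h("correct horse"),
    "sitekey": ("img_sailboat_042", "summer on the lake"),
    "challenges": {"first pet": _h("rex"), "birth city": _h("nashville")},
    "devices": set(),                   # tokens of computers the bank recognises
}}

class Bank:
    """Server side: recognise the computer, show the SiteKey, then accept a password."""
    def start_login(self, user, device_token):
        rec = USERS[user]
        if device_token in rec["devices"]:
            return {"sitekey": rec["sitekey"]}
        return {"challenge": next(iter(rec["challenges"]))}   # unknown computer

    def answer_challenge(self, user, question, answer):
        rec = USERS[user]
        if not hmac.compare_digest(rec["challenges"][question], _h(answer.strip().lower())):
            return None
        token = secrets.token_hex(16)   # persisted as a cookie on that computer
        rec["devices"].add(token)
        return {"device_token": token, "sitekey": rec["sitekey"]}

    def finish_login(self, user, password):
        return hmac.compare_digest(USERS[user]["pw_hash"], _h(password))

class SpoofSite:
    """Look-alike site: it can copy logos and URLs, not the customer's SiteKey."""
    def start_login(self, user, device_token):
        return {"sitekey": ("img_generic_lock", "secure login")}

def client_login(site, user, cookie_jar, password, enrolled_sitekey, answers):
    """Customer's browser: send the password only after the enrolled SiteKey is shown."""
    resp = site.start_login(user, cookie_jar.get("device"))
    if "challenge" in resp:
        resp = site.answer_challenge(user, resp["challenge"], answers[resp["challenge"]])
        if resp is None:
            return "challenge failed"
        cookie_jar["device"] = resp["device_token"]   # bank now recognises this computer
    if resp["sitekey"] != enrolled_sitekey:
        return "sitekey mismatch: password withheld"
    return "logged in" if site.finish_login(user, password) else "bad password"
```

The device token lives in a cookie scoped to the bank's domain, so a spoof site never receives it and never learns the SiteKey; the protection still depends on the customer actually refusing to type a password when the image is wrong.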

Wachovia now offers an interactive Identity Theft Quiz *8 online, under the Customer Protection section of their website. This online tool provides customers with information on identity theft and internet fraud, while assessing their individual risk levels. The quiz is divided into three short sections including personal information, physical environment and online environment, which can be taken together or separately. Once customers complete the quiz they are given several tips on how to protect their identities and lower their risk of fraud. *9

Additionally, several British banks including Barclays Bank, HBOS, Royal Bank of Scotland and NatWest have slowed down intrabank payments between accounts, in some cases for up to a day, in order to combat phishing. *10

Phishing Safety

Industry experts believe that static passwords do not belong in the world of online banking and internet commerce, and that they will soon become obsolete. In fact, banks that are using static passwords for online banking are the most vulnerable to phishing attacks. However, the security industry offers several solutions, with one-time, time-limited passwords, multi-factor authentication, smart cards and digital certificates among the most popular. *3

According to TowerGroup analyst George Tubin, many banks are now offering their customers toolbars that can detect the authenticity of a website. *6 These toolbars, also known as anti-phishing or anti-fraud toolbars, sit on top of a client's web browser and display a rating that alerts customers to how likely a website is to be fraudulent. *11

Phishing in the Future

Currently, by an 8-to-1 margin, online consumers are so fearful of online identity theft that they are limiting their use of advanced online financial services. *3 Such reactions are causing consumers to become suspicious about all online communications from their banks and financial institutions, significantly impacting the future of global ecommerce. *12 Even the Gartner Group warns, "If phishing antidotes are not implemented consumer trust will erode and annual U.S. e-commerce growth will slow to 10 percent or less by 2007." *3

With the evolution of cyber attacks and the growing sophistication of hackers, unfortunately, phishing is not the only form of online identity theft to be concerned about. Phishing no longer consists of phony emails alone, but is now being combined with keystroke loggers (malicious code that records what a user types, allowing attackers to capture personal information entered on financial websites), Trojan Horses (viruses unknowingly downloaded to a PC), and pharming (redirecting a web request to a spoof website that is an exact replica of the actual site). *1

It is important to remember that by casting a net on the phishing phenomenon and reeling in the bad phish through proper education, internet security improvements, and timely reporting, it is possible to prevent unwanted cyber attacks.


References
  • 1 "Phishing Activity Trends Report." April 2005. Anti-Phishing Working Group.
    http://antiphishing.org/APWG_Phishing_Activity_Report_April_2005.pdf
  • 2 "Banks primary target of phishing." May 11, 2005. ITP Technology.
    http://www.itp.net/news/details.php?id=15288&interstitial=1
  • 3 "How to Catch a Phish." White Paper. October 2004. ActivCard. http://activcard.com/en/index.php
  • 4 "Know your Enemy: Phishing." May, 16, 2005. The Honeynet Project & Research Alliance.
    http://www.honeynet.org/papers/phishing/
  • 5 "MailFrontier Phishing IQ Test II." 2004. MailFrontier, Inc.
    http://www.sonicwall.com/phishing/
  • 6 "MasterCard Shuts Down 1,400 Phishing Sites." May 10, 2005. Bank Systems & Technology Online. http://www.banktech.com/showArticle.jhtml?articleID=163100720
  • 7 "Bank of America Offers Authentication Plan to Battle Online Scams." May 26, 2005. Bank Systems & Technology Online. http://www.banktech.com/showArticle.jhtml?articleID=163701488
  • 8 "Identity Theft Quiz." 2005. Wachovia Corporation. http://www.wachovia.com/misc/0,,799,00.html
  • 9 "Wachovia Launches Services to Combat Identity Theft." June 8, 2005. Bank Technology News Bulletin. http://www.banktechnews.com/index.html
  • 10 "Banks Delay Transfers to Stop Phisher Thievery." May 20, 2005. Bank Systems & Technology Online. http://www.banktech.com/showArticle.jhtml?articleID=163700081
  • 11 "Phishing & Internet Identity Theft: Best Practices for Financial Institutions to Detect and Prevent Attacks." April 19, 2005. Web Seminar. SourceMedia, Microsoft® and Corillian.
  • 12 "Protecting Against Complex Internet Threats." 2005. Websense, Inc.
    http://ww2.websense.com/docs/WhitePapers/ProtectingAgainstComplexInternetThreats0405.pdf