Phishers hit commercial customers

The e-mail has all the appearances of being helpful.

“We are sorry to inform that the fraudulents with the accounts at our bank have recently increased,” the message begins. It goes on to ask that the recipient register for an anti-fraud program at the Citizens Bank Money Manager Global Processing Solutions site.

Those who click the accompanying link will find a Web page that looks exactly like the Money Manager GPS site used by the bank’s commercial customers, complete with spaces to type in a customer ID and user ID.

But it’s not the same.


Citizens Bank security officials said last week that the e-mail message, which has reached countless Internet users, Citizens customers and non-customers alike, marks a new twist on the “phishing” scam that has cost consumers billions of dollars in recent years.

This time, the e-mail campaign is aimed at business owners and executives.

“They haven’t had much success with our retail customers, so now they’re targeting our commercial customers,” said Jim Mignone, Citizens’ chief information security officer.

Citizens is far from the only institution whose customers are being targeted by phishing scams, but it has been hit particularly hard in recent days, with a slew of e-mails – with a variety of subject lines and messages – sent out in a short time frame.

That’s not unusual in phishing: In June, the last month for which figures are available, the Anti-Phishing Working Group got 28,888 reports of phishing attempts, involving 146 brands. Eighty percent of the campaigns involved just 14 brands.

June also marked a spike in phishing attacks, which had hit a record high in January, with 29,930 reports, according to the group, but then declined. Financial services continues to be the most targeted sector, the group noted, with 95.2 percent of all attacks in June involving banks, brokerages and other financial institutions.

And even after all the awareness campaigns and news reports, some are still falling for the cons. In August, Consumer Reports’ “State of the Net” survey showed that U.S. consumers had lost more than $7 billion to Internet fraud over the last two years.

The risk continues to grow. MessageLabs, an information security and anti-virus company based in Gloucester, England, recently reported that one in every 87 e-mails sent in September was some form of phishing attempt, the highest level ever recorded.

A lot of that activity is being blamed on the proliferation of kits that allow relative novices to run automated phishing programs, and also on a hacking technique that permits scammers to use compromised computers to host multiple phishing sites simultaneously.

Also sharing some of the blame is so-called “rock phish,” a hacker or organized group of hackers believed to be behind many of the attacks. Because it’s so secretive, no one can say with certainty where the attacks are originating or how many people are involved.

Mignone said it’s tough to track down the phishing scammers because they use subdomains and other techniques to cover their tracks. And many of the culprits are located in far-flung countries, protected from international law enforcement. Financial institutions and businesses can mostly only monitor the situation and warn their customers.
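The subdomain trick Mignone refers to is usually the bank’s real domain name placed in front of a domain the attacker controls, so the link looks right to a hurried reader. The following is an added example, not code from the article or from Citizens Bank, of how a mail filter or help desk might triage the links in a suspect message: it pulls each link out of the HTML, compares the registrable domain of the link target with the bank’s own domain, flags the bank’s domain appearing as a subdomain of something else, flags bare IP addresses, and flags visible link text that names one site while the target points at another. The bank domain, brand words and sample message are all constructed placeholders; a production version should use the Public Suffix List rather than the two-label approximation here.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the article): the bank's real domain and the brand
# words a look-alike host would reuse. Replace with your organisation's values.
LEGIT_DOMAIN = "citizensbank.example"
BRAND_WORDS = ("citizens", "moneymanager")

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a URL (scheme optional).
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'registered domain' = last two labels. Real code should consult the
    Public Suffix List so that names such as 'bank.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.test/x' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def classify_host(host: str) -> str:
    host = host.lower()
    if not host:
        return "no-host"
    if IPV4.fullmatch(host):
        return "ip-literal"
    if registrable_domain(host) == LEGIT_DOMAIN:
        return "legitimate"
    # The bank's whole domain sitting under someone else's registered domain,
    # e.g. citizensbank.example.secure-update.test
    if host.startswith(LEGIT_DOMAIN + "."):
        return "legit-domain-as-subdomain"
    if any(word in host for word in BRAND_WORDS):
        return "brand-lookalike"
    return "unrelated"


def scan_email_html(html: str):
    """Return one finding per <a href=...> in the message body."""
    findings = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        verdict = classify_host(host_of(href))
        # Link text that names a site different from the actual target is a red flag.
        mismatch = bool(URLISH.fullmatch(text)) and (
            registrable_domain(host_of(text)) != registrable_domain(host_of(href))
        )
        findings.append({"href": href, "text": text,
                         "verdict": verdict, "text_host_mismatch": mismatch})
    return findings


def is_suspicious(finding) -> bool:
    return finding["verdict"] != "legitimate" or finding["text_host_mismatch"]


# Constructed sample message for demonstration; not a real phishing e-mail.
SAMPLE_EMAIL = """<p>Please register for our anti-fraud program:</p>
<a href="http://citizensbank.example.secure-update.test/gps">https://www.citizensbank.example/gps</a>
<p>Questions? Visit <a href="https://www.citizensbank.example/help">our help page</a>.</p>
<a href="http://203.0.113.5/login">Money Manager GPS login</a>
"""

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if is_suspicious(f) else "ok"
        print(f"{flag:10} {f['verdict']:26} text_mismatch={f['text_host_mismatch']} {f['href']}")
```

The first sample link is the subdomain trick itself: the registrable domain is `secure-update.test`, not the bank’s, even though the bank’s name appears at the front, and the visible text advertises a different host than the one the link resolves to. The second link is genuine and produces no flags; the third uses a raw IP address, which a bank’s own site would not.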

“That’s why they do it,” Mignone said. “They are so well insulated, there’s no personal risk. They’re very hard to catch.”

And, he added, phishing attacks are cheap to launch and the payoff can be great. If just a few people out of thousands who receive the e-mails fall for the scam, it’s a success for the scammers.

Mignone wouldn’t say how many Citizens customers have fallen victim to the recent phishing attack, except to say it has been very few.

Even if some customers are fooled into giving away some information, Mignone said, it would be of limited use because of additional safeguards in the system.

For the bank itself, the attacks do create another inconvenience, however.

Because the scammers are “spoofing” Citizens Bank, meaning they’re making it appear that the e-mail originated from the bank, undeliverable e-mails are returned to Citizens, potentially stressing the capacity of its computer system. The bank has software in place that blocks those return messages. “But there are so many of them,” Mignone said.

Citizens is not alone.

The brands of financial giants such as Bank of America have been hijacked for phishing campaigns before, but spokesman Ernesto Anguilla wouldn’t say last week whether those attacks have increased recently.

Even smaller financial institutions, which are rarely targeted, remain vigilant.

Barbara J. Perino, senior vice president of operations and technology at The Washington Trust Co., said she hasn’t heard of any phishing scams involving the bank, but she has heard warnings in the industry that some scammers might start shifting focus to smaller banks and credit unions on the chance that Web security there is lacking.

“They believe [smaller institutions’] defenses won’t be as strong,” Perino said. In reality, Washington Trust’s Web site has multiple layers of security, as larger banks’ sites do.

Stephen Ormerod, assistant vice president of security at Navigant Credit Union, Rhode Island’s largest credit union, said Internet scammers haven’t targeted the institution yet, “but we still try to keep our members on their toes as much as possible. People tend to be their own worst enemy in these cases.”

At Citizens, security officials have introduced a multifactor authentication program of their own dubbed Safe With Citizens. The login process consists of three elements: word verification, image selection and challenge questions.

“If you don’t see the correct image and phrase when you go to log in, it’s not a legitimate site,” Mignone said.

As an added measure, he suggested that customers who are unsure of the legitimacy of a link should type the correct Web address in themselves.

While banking on the Internet is safe, “it’s like anything else, you have to be careful,” Mignone said.

And what are people to do if they continue to receive the bogus e-mails? “Hit shift-delete,” he said. “It’ll just go away.”