‘Phishy’ business: e-mail scams cost consumers

Banking industry largely targeted by increasing cons

Imagine if criminals started contacting your customers in your name, led them
to a Web site with your logo, and tricked them into giving out the information
needed to steal their credit cards or clean out their bank accounts.

For most businesses, that’s just a distant nightmare. But for online giants such as eBay, Amazon.com and several major banks, among other targets, such scams have become a persistent and costly problem.

Just how so-called “phishing” cons are costing consumers and businesses is unclear. The Ponemon Institute, a privacy research and watchdog group, pegged the cost to consumers at $500 million. Gartner Research, however, says U.S. banks and credit card issuers took a $1.2-billion hit in the last year, and total phishing fraud could amount to as much as $2.4 billion.

The attacks are also escalating rapidly. The Anti-Phishing Working Group, an international alliance of business and law enforcement, logged 116 unique attacks in December 2003. By February, it was up to 282. In May, 1,197 attacks were reported, and in July, 1,974, with 504 attacks in the last week of the month.

Peter Cassidy, secretary general of the group, said phishing started among top hackers, but now it’s easy even for novices, who can get “phishing kits” and just run automated programs. This is why the top targets are hit so often: Citibank was attacked 98 times in March, the APWG reported, then 475 times in April and 682 times in July. U.S. Bank went from four attacks in March, to 622 in July.

Fleet, long a popular target but now harder to hit as its customers are converted to Bank of America, went from two attacks in January to a peak of 55 in June, but was down to 20 in July. New victims, however, are always emerging – like Citizens Bank.

“We’ve had phishing issues before but they’ve been increasing in frequency,” said Jim Mignone, senior vice president for risk management at Citizens. “They’re pretty much constant now. And the thing that’s most important is, they’ve been increasing in quality … They look very real.”

Mignone wouldn’t say just how many Citizens customers have fallen for phishing scams. But the bank was so alarmed that, in recent weeks, it not only posted a warning on its Web site, but it also printed ads in newspapers of all its markets, mailed out notices with monthly statements, put up placards in its branches, alerted all its branch staff to warn customers, and even put a message on its customer-service phone line.

“In proportion to our customer base, it’s a small number” who have been scammed, Mignone said. “But what people need to remember is, they’re not going to stop, because there’s no cost. … If they get one or two, that’s good enough for them.”

Phishing reaches its targets through spam – as many as hundreds of millions of e-mails per month, according to the Anti-Phishing Working Group. Message Labs alone reported 337,050 phished e-mails on its network last January.

The scammers impersonate companies with a large online presence – thus the appeal of eBay and its PayPal service, as well as major banks such as Citi and U.S. Bank – and figure at least some of the e-mail addresses they target will belong to customers.

The e-mails follow a basic pattern: mimic the company’s look, complete with logo and sometimes all the design traits of the real Web site; mention something about having to “verify” or “confirm” your information, often on the pretense of protecting against fraud; and create urgency by threatening to suspend the account.

The e-mails include links, some clearly not to the companies’ Web sites, but some disguised so it looks like you are going to the actual site (one Citizens spoof even used a script to cover up the browser’s address bar, so visitors saw citizensbankonline.com on the address even though they were somewhere entirely different). The links lead to forms that request your login, password, credit card number – whatever the scammer needs. Many of the sites can even tell if you type in false data.
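The lure pattern in the two paragraphs above (borrowed branding, a "verify" or "confirm" pretext, a suspension threat, and a link whose visible text names the real bank while its target is somewhere else) lends itself to a simple mail-side screen. The following Python script is an added example, not code from the article or from any bank or group it names. It runs over two constructed HTML messages: examplebank.com stands in for the impersonated bank, and 203.0.113.7 (a documentation-range address) stands in for the scam host. It flags a hostname shown in link text that differs from the href's real host, links to bare IP addresses, look-alike hosts that embed the brand name, and the pressure wording the article describes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not taken from the article). examplebank.com is a
# stand-in for the impersonated bank; 203.0.113.7 is a documentation-range IP.
SAMPLE_PHISH = """<html><body>
<img src="http://203.0.113.7/logo.gif" alt="Example Bank">
<p>Dear valued customer, due to recent fraud attempts we must verify your
account information. Failure to confirm within 48 hours will result in your
account being suspended.</p>
<p><a href="http://203.0.113.7/login.php">https://www.examplebank.com/login</a></p>
</body></html>"""

SAMPLE_LEGIT = """<html><body>
<p>Your statement for August is now available.</p>
<p><a href="https://www.examplebank.com/statements">View statement</a></p>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Wording the article describes: "verify"/"confirm" your details plus a
# deadline or suspension threat to create urgency.
URGENCY = re.compile(
    r"\b(suspend\w*|verify|confirm|immediately|within \d+ (?:hours|days))\b", re.I)
# A hostname written out in the visible link text, e.g. www.examplebank.com.
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable(host):
    """Last two labels of a hostname: crude, but adequate for .com-style names."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def assess(html, brand_domain):
    """Return {'suspicious': bool, 'findings': [...]} for one HTML message."""
    findings = []
    brand = registrable(brand_domain)
    brand_word = brand.split(".")[0]
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        shown = HOST_IN_TEXT.search(text)
        # Visible text names one site, the href goes to another.
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)} but href goes to {host}")
        # Legitimate bank mail rarely links to a raw IP address.
        if IPV4.fullmatch(host):
            findings.append(f"link target is a bare IP address: {host}")
        # Brand name embedded in a host the brand does not own.
        if registrable(host) != brand and brand_word in host:
            findings.append(f"look-alike host uses the brand name: {host}")
    plain = re.sub(r"<[^>]+>", " ", html)
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(plain)})
    if hits:
        findings.append("pressure/verification wording: " + ", ".join(hits))
    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess(msg, "examplebank.com"))
```

The constructed phishing sample trips three of the four checks (shown-versus-real host mismatch, bare IP target, and the verify/confirm/suspend wording), while the constructed statement notice trips none. A real deployment would replace the two-label `registrable()` shortcut with a public-suffix list and feed the brand's actual domains from configuration.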

By Gartner Research’s estimate, 1.98 million checking accounts were breached in some way in the last year, many of them through phishing. The average cost per victim was $1,200. Phishing is now the fastest-growing kind of scam, Gartner said. And while, say, people who aren’t Citi customers won’t fall for a Citi spoof, an estimated 19 percent of U.S. adult Internet users clicked on the links, and 3 percent filled out the forms.

Once a company finds out about a phishing attack, the chase is on to shut down the offending Web site. If it’s a U.S.-based site, as was the case with that one extra-sophisticated spoof, it can be done in hours or even minutes, Mignone said (the Secret Service helps ensure cooperation). But “they’re all over the globe,” he said, and depending on the country, it can take days or even longer to stop the scammers.

The one bit of good news is that while it’s easy to steal account information, it’s a lot harder to use it, Cassidy said. You need to set up a system to charge the credit cards – often by creating fake merchant accounts – and secure the money before the banks’ fraud detection systems shut you down. That’s something a real pro can do, Cassidy said, but many of the spoofs being sent around the world are from “kids playing with kits.”

On the prevention side, consumer education also seems to be paying off. Bank of America, for example, which has been dealing with phishing for more than two years, sees “relatively few” successful attacks, according to spokeswoman Betty Riess.

“The more consumers are aware that these types of scams are out there, the fewer innocent victims there will be,” Riess said. Mignone and Cassidy both agreed. “I think it’s going to continue to grow, but over time the proportion of people who can be fooled by it will largely decline,” Cassidy said.

Nevertheless, Cassidy sees plenty of threats ahead. First of all, he said, hackers are now moving away from scams and toward automated systems that plant key loggers and data miners in your computer as soon as you open the e-mail. And organized crime is getting involved, bringing a wealth of extra resources to the table.

“That’s going to be harder to control,” Cassidy said. “It’s going to get more dangerous. That’s the thing that’s scary. … And what we’ve come back to is all those things we’ve been telling you for years: Keep your anti-virus up to date, get a firewall.”

For more information about phishing, go to www.antiphishing.com.
