Computer Crime Research Center


A Phish Story

Date: March 30, 2005
Source: US Banker
By: Michael Sisk

Phishing attacks, expected to more than double in 2005, are spreading to small banks. The dollar losses are still limited, but are the attacks undermining consumer confidence?

Down through the ages, con artists and scammers have always followed the money, so it should be no surprise that as e-commerce has gathered steam, the thieves have followed consumers onto the Internet. One of the most recent iterations of such scamming is known as phishing, which has grown in both scope and sophistication. And it's not just the Citibanks and Bank of Americas of the world that have to worry. Smaller banks are becoming just as vulnerable.

In a typical phishing attack, thieves send mass e-mails supposedly from reputable businesses, directing customers to a site where they are asked to divulge vital information, such as passwords, bank account numbers or credit card information. "Phishing has the potential to just wreck the system. That's the disturbing thing," says Ted Crooks, vp of identity protection solutions at Fair Isaac. "By creating a significant loss of confidence on the part of consumers, it could wreck a wide array of businesses that could otherwise use the Internet." The concerns that phishing could undermine confidence in the on-line channel prompted the Federal Deposit Insurance Corp., which says nearly one million U.S. adult Internet users reported being a phishing victim between April 2003 and April 2004, to suggest countermeasures for banks. Consumers are attributing risk to their use of the Internet to conduct financial transactions, and many experts believe that electronic fraud, especially account hijacking, will have the effect of slowing the growth of on-line banking and commerce.

TowerGroup estimates that direct fraud losses attributable to phishing will top $137.1 million globally in 2004, a figure far below widely cited levels of $1 billion and just a fraction of the total fraud at banks. TowerGroup predicts the number of phishing attacks will top 31,300 in 2004 and rise to more than 86,000 by 2005 as they spread to smaller institutions, new merchant/service-provider categories, and new global markets.

George Tubin of TowerGroup says $137 million is "a drop in the bucket," compared to other types of fraud. He notes, there's not been a net change in fraud, intimating that phishing has not attracted new fraudsters so much as enticed established scammers to switch tactics. "Real losses aren't out of control," agrees Jim Van Dyke, a principal analyst at Javelin Strategy and Research. "If phishing and spoofing were causing runaway losses, there would be dramatic change [in banks' approach]. But it's not a problem resulting in runaway losses and it's not causing a decrease in the number of users."

Runaway losses or not, bank executives say they are responding forcefully and preemptively to the prospect of phishing attacks. Key to their efforts is education of the consumer. "We've spent quite a bit of time and money educating customers," says Patrick Ruckh, evp and CTO of First Tennessee, which underscores to customers that it would never ever ask for account information or social security numbers via the Internet.

Alecia Kontzen, director of risk for e-commerce at Wachovia, says her bank has also leaned heavily on consumer education to head off phishing attacks, with a rotating marketing campaign on the company's Web site that has recorded significant hits. Equally important to consumer education is employee education, she says. "Employees need to know how to respond," she says. "To whom do they give the information from a consumer? There needs to be an effective escalation process in place." It's vital to include the entire organization-consumer advocacy, investor services, corporate communication, risk and legal departments-and not simply dump the issue in one group's lap.

While many like Wachovia and First Tennessee consider education vital, some say it's problematic. Even Van Dyke, who says the industry must "bring in customers to be part of the fight," acknowledges that banks seem to be "scaring customers" in the way they educate. "[It's] a double-edged sword," says Tubin. "A lot of consumers still don't know about phishing, and you need to talk about it. It is a real threat. But you don't want to raise fears." Ultimately, argues Crooks, "the education of the consumer is simply not a successful course." Phishers adjust their strategies and improve their technology too fast. The general public "will never be smart enough" to keep up, he says.

Nevertheless, Kontzen says the industry can't shy away from education, but must tackle it head on. "The biggest challenge is how to communicate with customers without reinforcing that the on-line channel is not where you should do business."

Phishing, more than anything, is a percentage game. Because of the wide, low-cost reach of the Internet, phishers can deploy low-percentage strategies to millions of people so cheaply that a strategy based on a one percent hit rate is worthwhile. Take Citigroup, for instance, which has relationships with about two percent of the nation's population. A mass e-mail, mimicking a Citi Web site, has a two percent "connection rate." For sure, the "response rate" of actual Citi customers to the phishing e-mail will be lower than that two percent, and the number that actually suffers a loss will be smaller still, but some small sub percentage will, and it will have cost the phishers virtually nothing to try.

Crooks says that "the level of cleverness is disturbing." He notes how in one phishing scheme, phishers sent out an e-mail that requested sensitive information and to prove to customers the request was legitimate included two numbers the phishers said were the last two digits of each customer's account number. As Crooks points out, a random two-digit combination has a one in 100 chance of being right, so if a phisher sent such an e-mail to one million users, 10,000 people's accounts will match those two numbers.

"The reason there's been such an explosion in phishing attacks is that the equation works," says Naftali Bennett, CEO of Cyota, a security and anti-fraud security provider. "It's easy to do, the risk of getting caught is tiny and there's plenty of reward."

Phishing is easy, in part, because international jurisdictions are beyond the reach of U.S. criminal prosecution. The Ukraine, the Stans, and several areas of Southeast Asia and Africa are bastions of phishing. A year ago, most attacks were launched within the U.S., but today two-thirds are launched from overseas. A do-it-yourself phishing kit can be purchased on-line for a mere $270, he says. And Kiev has been the site of two phishing conventions sponsored by, where people could learn all about ID fraud and buy and sell credit card numbers, Fair Isaac's Crooks says. Security at the last of the conventions was provided by the Kiev police.

This phishing network has drawn talented but risk-averse techies, often professionals from economically depressed areas like Eastern Europe and Russia, who phish for account numbers and sell them anonymously over the Web to others who use the data to commit the fraud; the techies are insulated from direct criminal involvement in fraud.

Even if monetary losses from phishing have not yet been substantial, industry watchers agree that a far greater danger is lost consumer confidence in the Internet channel. "The danger is the loss of confidence," says Jim Maloney, chief security executive for Corillian, an on-line banking technology provider. "And if the adoption of the on-line channel slows, that's not going to help anyone." Corillian has teamed with four other vendors to create the Anti-Fraud Alliance: Symantec Corp., specializing in information security; NameProtect, which provides digital fraud detection; PassMark Security, which developed a two-way, two-factor authentication system; and Internet Identity, which specializes in Internet presence control. Gartner analysts Avivah Litan and John Pescatore, who surveyed 5,000 on-line U.S. adults last year, conclude that 57 million U.S. adults believe they had received a phishing e-mail attack by mid-2004.

"The increasing incidence of phishing and other malicious attacks against on-line consumers are eroding consumer trust in the safety of on-line transactions," Litan and Pescatore write in a research note. "This hurts everyone in the e-commerce chain. The analysts say attacks are spreading across the banking industry, with national and regional banks becoming common targets. "Banks and other service providers must act now to protect their brand images, reputation and credibility with consumers," the pair say. "Only 22 percent of consumers believe their banks are extremely competent in protecting their information."

Some bank executives say that when it comes to phishing, they're all in it together. "This is not a competitive issue," says Ruckh of First Tennessee, which he says is "very active" in the Anti-Phishing Working Group. "We've got to cooperate with our compatriots in the industry." Ruckh recalls recently receiving a phishing e-mail involving a rival institution and immediately alerting the firm with a phone call. "The whole banking industry is based on trust and when that is compromised everyone suffers," he says. "That's why it's important to cooperate."

The FDIC stresses the need for banks to adopt new procedures and technologies. "Fraudsters are taking advantage of the reliance on single-factor authentication for remote access to on-line banking, and the lack of e-mail and Web site authentication, to perpetrate account hijacking," the agency wrote in its recent report. "Financial institutions and government...
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo