Caught in a phishing trap

Rise in online identity fraud has companies on the hook: Educate customers or lose them.

Matt Hines, Staff Writer, CNET News.com

Matt Hines covers business software, with a particular focus on enterprise applications.

For Steve Krabill, a 33-year-old Oklahoma engineer, the answer to phishing scams is simple: Trust nobody.

Faced with an online test that presents him with 10 different e-mails, some of which are examples of phishing scams, his answer is to label every single one a fake. Three turn out to be the genuine article--but in the engineer's mind, he's passed the test either way.

"Companies I do business with online don't send me e-mails looking for my personal information, it's that easy," said Krabill, who works at Osborn Engineering, a Tulsa-based maker of metal recycling equipment. "I know that I'm not going to get scammed if I don't reply to any of them."

Phishing is one of the fastest-growing forms of personal fraud in the world. While consumers are the most obvious victims, the damage spreads far wider--hurting companies' finances and reputation and potentially undermining consumer confidence in the safety of e-commerce.

"Phishers hijack brands for the purpose of fraud and degrade consumers' trust in those brands. That's what makes phishing so different than other types of online threats," Kim Legelis, director of industry solutions at security software maker Symantec, said.

The scammers typically send out an e-mail that appears to come from a trusted company such as a bank or an e-commerce Web site. The phishing messages attempt to lure people to a bogus Web site, where they're asked to divulge sensitive personal information. The attackers can then use those details to steal money from the victims' accounts.

According to a report from online privacy watchdog Truste, 7 out of 10 people who go online have received phishing e-mails, and 15 percent of those have successfully been duped into providing personal information.

The financial services industry has borne the brunt of those scams, an Anti-Phishing Working Group survey found, with Citibank leading the list of companies targeted. Online businesses such as eBay's PayPal online payment subsidiary and Google's Gmail Web mail operation have also suffered.

"For many of these financial services companies, and undoubtedly for e-commerce providers, the Web is a very important channel for acquiring new business, growing revenue, and mitigating costs for customer service," Legelis said. "If consumers lose confidence in that channel, it will have a wide-ranging negative impact on these businesses."

Companies are paying a hefty amount to fix phishing damage. In many cases, they make good on their customers' losses. Money is also going to efforts to educate customers about fraud prevention, and the cost of polishing up a tarnished brand is hard to estimate.

The threat to business means that's money well spent. In a recent study by e-mail security company MailFrontier, 40 percent of American consumers surveyed said they would switch to a bank or credit card company that offers better protection from online identity theft. Ninety-four percent said it's the responsibility of their financial institution to shield them from phishing and similar scams, and 52 percent felt that their providers are not doing enough to safeguard their information.

The multiple problems caused by phishing do not have a simple solution. Some businesses hope education will lead to more wary customers like Krabill. Others are pinning their hopes on jointly looking for technical solutions, such as address-verification schemes and software filters to sort valid e-mail messages from scams.

Cooperation across the IT and e-commerce industries has led to a number of trade organizations being launched to combat phishing. One is the Anti-Phishing Working Group (APWG), made up of experts from a range of different organizations, including credit-trackers Experian, software giant Microsoft and credit card stalwart Visa.

Earlier this month, the group gave its endorsement to a global e-mail authentication strategy. It believes the project can help create technologies for Internet-protocol (IP) validation and digital signatures that will thwart spam and phishing attacks.

Phishing haul

Three successes in law enforcement's fight against online fraud.

Charged with: Using phishing scam to funnel money to Russian mob
Busted by: Massachusetts state authorities and U.S. Marshals
Charged: Nov. 9, 2004
Status: Held on $100,000 bail, awaiting trial

Charged with: Sending phishing e-mails that targeted customers of AOL and eBay
Busted by: Federal Trade Commission and the Department of Justice
Indicted: March 2004
Status: Pleaded guilty to multiple counts of fraud and was sentenced to almost four years in prison

Charged with: Sending phishing e-mails targeting customers of PayPal
Busted by: Minnesota state authorities
Charged: February 2004
Status: Pleaded guilty to multiple counts of fraud

Peter Cassidy, secretary general of APWG, said the group is trying to balance the interests of consumers and businesses in finding a way to protect both. He believes lessons learned from earlier fraud efforts are key to discouraging phishing.

"The rate that we're seeing phishing attempts increase by is currently 50 percent per month, and it's moving to new platforms such as peer-to-peer computing, which is pretty spooky to think about," Cassidy said. "We have to take the same approach that credit companies took in the 1970s when fraud was crippling the catalogue business."

One of the main thrusts of the general antiphishing effort is consumer education. The MailFrontier phishing test completed by Krabill does make its point--in many cases, the phishing e-mails generated by online criminals are very hard to discern from the real thing.

"Consumers simply have to become savvier about phishing and other forms of fraud," said Mike Cunningham, senior vice president of fraud management at Chase Card Services, the credit card services division of JPMorgan Chase. Financial services companies "can do everything in our power to quickly identify these attacks and shut down the Web sites. But getting the customer to know what to expect from a credit card issuer, and what to expect from these criminals, is what's truly going to make a difference."

At online auction site eBay, customer awareness is starting to take root, company spokesman Hani Durzy said. On eBay's message boards for registered customers, people frequently post details of emerging phishing campaigns before the company has heard about them, he said. In addition, more and more members are reporting fraud activity and are talking among themselves about it.

"Our community has been very vigilant about passing around information, and asking for each other's advice and opinions whether things are legitimate or spoofs," Durzy said. "Over the last two years, phishing has really exploded, but people are becoming more aware of the threat."

On the technology side, eBay employs a complex system of software applications designed to flag any activity on its site that indicates one of its users' accounts has been hijacked. Much like the fraud prevention systems used by credit card companies, the tools look for irregularities such as a dramatic change in location or in the size of bids.

In addition, eBay and its PayPal billing unit share a fraud investigation team, whose full-time job is to track down illegitimate operations using the PayPal and eBay names.

Industry efforts such as these and cooperation with law enforcement agencies have resulted in high-profile arrests and the prosecution of fraudsters such as Zachary Hill, who was sent to prison for almost four years in connection with an eBay scam.

Despite these successes and the push to improve technology, experts agree that the best way to foil phishing campaigns is to encourage more cautious consumers. JPMorgan's Cunningham emphasizes that people need to delete suspicious messages and to resist the urge to ever transmit personal data.

"Just don't do it, don't reply," he said. "It's really that simple."