Financial institutions and technology purveyors in the past month have launched a slew of new tools and initiatives to combat "phishing"—the fastest-growing Internet scam targeting cardholders. When BTN first reported on the rapidly expanding fraud, only a handful of preventative measures were available, and consumer education was foremost among them (BTN, July 19, 2004). Yet new tech-based solutions have ballooned, much like phishing itself.
Through the scam, hackers take on the guise of established banking institutions and spam e-mails to account holders, luring consumers to seemingly authentic sites to update or correct account information. Then the hackers steal that information.
To combat the fraud, some companies are going after the bait. Symantec last month launched Symantec Online Fraud Management Solution, which blocks fraudulent e-mails while alerting financial institutions "that its customers are under attack," the company said in a statement.
Symantec said it uses a "probe network and millions of decoy accounts" to attract suspicious e-mails to researchers, "who analyze the messages, identify fraud attacks and create and automatically deploy anti-fraud filters to block the fraudulent e-mails."
In addition to blocking e-mails, the company takes steps to shut down the sites where hackers hope cardholders will turn over credit card information, personal identification numbers, social security numbers and other personal identifiers. Once an e-mail is identified as phishing-related, the company follows the link to the phony site, alerting banking institutions and law enforcement officials to shut down the site. The company said its system so far has reached 300 million e-mail users.
Other tech firms have taken an approach similar to Symantec's to target spam. Earthlink, Netriplex and many others boast spam filters that help snag the bait offered by phishers. However, other firms go after the sites where cardholders hand over information. Webroot Software last month released Phish Net, a free downloadable offering that monitors fraudulent sites, flags and blacklists them, and warns potential phishing victims when they visit one.
Still, the Financial Services Technology Consortium—a financial industry research organization comprising banks, financial service firms, industry partners, national laboratories, universities and government agencies—is reluctant to promote any one approach as the panacea.
"There is no silver bullet," said Gene Neyer, Financial Services Technology Consortium security and infrastructure managing executive. "Spam blockers catch a large proportion of them. We also look at solutions from vendors that employ things like blacklists that catch a well-known ID. That covers a large portion of phishing, but we don't see phishing as purely a spam e-mail problem."
FSTC this month launched a widespread counter-phishing initiative, joining forces with a variety of financial institutions, technology firms and others concerned with phishing to look at every angle of the problem and devise the best solutions for shutting it down. Neyer said phishing is a crime committed on many levels, from the initial e-mail to the fraudulent site and the ultimate selling or use of stolen information.
"We view phishing as a life cycle," Neyer said. "Someone who wants to commit this fraud has to go through a planning phase, then they have to lure people into giving them information, then they need to set up the machinery—the phony Web sites, the e-mails, for example—then they need to execute that. Once they get the information, they need to figure out a way to monetize what they've stolen. And there's a market in selling phished credentials. We're working with people who attack every point in the life cycle."
While still in its early phases, the organization hopes to stay as savvy as the hackers to determine the best solution to every phase of the phishing cycle, and ultimately hopes to determine the best solutions to combating fraud.
Although new and improved opportunities continue to emerge for companies and cardholders to defend themselves against phishing, hacker discipline is an ever-growing threat to Internet and financial security.
According to the Computer Crime Research Center, an independent institute that researches cyber crime, the guise of every major bank and charge card issuer has been used in phishing scams. These include all of the major players in the commercial card and corporate banking spaces: American Express, Bank of America, Bank One, Citibank and US Bank, among many others.
Market research firm Gartner Group Inc. in April estimated that 57 million adults in the United States have received an e-mail through which fraudsters have attempted to extract charge card data. Gartner estimated nearly one in five of those followed phony links from an e-mail and up to 1.78 million people gave fraudsters their personal, financial or credit card data.
The numbers probably are even higher now. The number of phishing attacks rose from 116 in December 2003 to 1,422 in June 2004, which represents the latest data on the scam.
"The Anti-Phishing Working Group has consistently found that the financial services industry is the most targeted sector for phishing attacks, with an average of more than 35 reported unique phishing attacks per company in June 2004," said Peter Cassidy, APWG secretary general. "All indications from the field are that the threat continues to grow apace, with new innovations and approaches being developed by phishers appearing seemingly every week."