It begins with an e-mail. You look at your inbox and see a message that appears to be from Citigroup Inc. or Bank One Corp. or eBay Inc. The message includes a link. The e-mail instructs you to click on the link and enter the appropriate information, either a personal identification number, a user ID/password, or Social Security number, in order to verify an account, use an automated teller machine or for other reasons.
A savvy consumer might realize something is amiss. Perhaps she doesn't have an account with the bank that supposedly sent the message, or words are misspelled or the sender's e-mail address doesn't look right.
But enough consumers fall for this ploy, called phishing, to make this one of the newest ways to lure customers into giving up information about themselves. And once a consumer e-mails back that personal identification number or password, she could become a victim of identity theft or another type of fraud. With phishing on the rise, financial institutions are working on ways to protect customers from these scams and security software vendors are trying to figure out how to combat the problem.
Phishing, pronounced fishing, is a hacker term for luring "fish," that is, gullible consumers, into providing account information or financial data, according to the Anti-Phishing Working Group. Phishers especially like to dress their e-mails up as letters from financial institutions. Citi's Citibank, American Express Co. and Visa have been hit with repeated attacks, the Working Group reports.
This scam has been around since the mid-1990s, but has become more prevalent in the past year. In the recent holiday season phishing attacks jumped 400%, according to the Working Group, which comprises software vendors, Internet service providers and financial institutions. It estimates more than 60 million phishing e-mails were sent out during the season. In January, unique phishing attacks jumped another 52%, the group reported.
Stronger authentication systems would prove one antidote to phishing, says Dave Jevans, co-chairman of the Working Group. Jevans is also a senior vice president at Redwood City, Calif.-based Tumbleweed Communications Corp., a provider of online communications software.
"The only sure-fire, 100% way to stop it is strong authentication and to give people a smart card or secure token to log-in with," he says.
The estimated $100 to $150 per-person price tag on that approach probably makes it cost-prohibitive, so consumer education may be the best place to begin, says Jevans.
Bank One is going the educational route, says Chris Conrad, senior vice president, fraud management. The Chicago-based bank's home page carries information on the latest phishing scams, displays examples of fraudulent e-mails, and gives consumer protection tips, Conrad says.
Bank One and other financial institutions also look for domain names set up with the intent of attracting their customers, including spoofed names citibankonline.com and
A number of vendors have introduced products designed to stop, and possibly catch, the phishers. Systems from San Francisco-based Brightmail Inc. and the United Kingdom-based Netcraft scan the Internet for potentially fraudulent domain names. Tumbleweed offers a service that digitally "signs" e-mails so a recipient will know the message is coming from a legitimate firm.
In February, PassMark Security LLC introduced PassMarks, a photo image that acts as a counterpart to the consumer's password at the financial Web sites she uses. Palo Alto, Calif.-based PassMark is led by Bill Harris, former chief executive of Intuit Inc. and PayPal Inc.
A consumer can visit her card issuer's Web site and select a photo image from PassMark's bank of 100,000 images. That image will be displayed to the consumer every time she begins the log-on process at her issuer's site. If she confirms the image, the consumer will be prompted to enter her password. The issuer can also include the image whenever it sends an e-mail to the consumer, says Harris.
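The two-step log-on described above, modelled as an added example (this is not PassMark's code; the class names, the consumer's record and the image identifiers are constructed for illustration). The point it shows is that the consumer checks the site's image before she ever types her password, so a spoofed site that never saw her enrollment cannot collect it.

```python
"""Model of a PassMark-style two-step log-on (illustrative, not PassMark's code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample record: which image the consumer picked at enrollment,
# plus her password. A real issuer would store a password hash, not the password.
ISSUER_RECORDS = {
    "alice": {"image_id": "img-48213", "password": "correct horse"},
}


@dataclass
class IssuerSite:
    """Genuine card-issuer site: shows the enrolled image before asking for a password."""
    records: dict

    def begin_logon(self, user_id: str) -> Optional[str]:
        rec = self.records.get(user_id)
        return rec["image_id"] if rec else None  # unknown user: no image to show

    def finish_logon(self, user_id: str, password: str) -> bool:
        rec = self.records.get(user_id)
        return bool(rec) and rec["password"] == password


@dataclass
class SpoofedSite:
    """Phishing site: it never saw the enrollment, so it can only guess an image."""
    captured: list = field(default_factory=list)

    def begin_logon(self, user_id: str) -> str:
        return "img-00001"  # a guess from the same 100,000-image bank

    def finish_logon(self, user_id: str, password: str) -> bool:
        self.captured.append((user_id, password))  # what the phisher is after
        return True  # pretends success so the victim suspects nothing


def consumer_login(site, user_id: str, expected_image: str, password: str) -> str:
    """Step 1: identify herself. Step 2: confirm the displayed image.
    Only after a match is the password released to the site."""
    shown = site.begin_logon(user_id)
    if shown != expected_image:
        return "aborted: unrecognised image, password withheld"
    return "authenticated" if site.finish_logon(user_id, password) else "rejected"
```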
New York City-based Cyota Inc., a security software provider, rolled out FraudAction in January to detect attacks as they occur, says Naftali Bennett, chief executive officer. "The banks are in the dark during the attacks," he says. "They don't know until it's too late, and then they don't know who's been hit."
FraudAction also tracks the length of the attack, where it happened, the estimated size of the fraud, and whether it was a high- or low-quality attack, says Bennett.
Cyota will also recommend a response to the attack. That might mean disregarding an unsuccessful attack, or it may tell the bank to shut down its site and notify customers of any potential risk, Bennett says. The recommendation depends on how large the attacks are and how many consumers respond to the phishing expedition. "We've seen response rates from 5% to 20%," he says.