A Phish Story

Phishing attacks, expected to more than double in 2005, are spreading to small banks. The dollar losses are still limited, but are the attacks undermining consumer confidence?


Down through the ages, con artists and scammers have always followed the money, so it should be no surprise that as e-commerce has gathered steam, the thieves have followed consumers onto the Internet. One of the most recent iterations of such scamming is known as phishing, which has grown in both scope and sophistication. And it's not just the Citibanks and Bank of Americas of the world that have to worry. Smaller banks are becoming just as vulnerable.

In a typical phishing attack, thieves send mass e-mails supposedly from reputable businesses, directing customers to a site where they are asked to divulge vital information, such as passwords, bank account numbers or credit card information. "Phishing has the potential to just wreck the system. That's the disturbing thing," says Ted Crooks, vp of identity protection solutions at Fair Isaac. "By creating a significant loss of confidence on the part of consumers, it could wreck a wide array of businesses that could otherwise use the Internet." The concerns that phishing could undermine confidence in the on-line channel prompted the Federal Deposit Insurance Corp., which says nearly one million U.S. adult Internet users reported being a phishing victim between April 2003 and April 2004, to suggest countermeasures for banks. Consumers are attributing risk to their use of the Internet to conduct financial transactions, and many experts believe that electronic fraud, especially account hijacking, will have the effect of slowing the growth of on-line banking and commerce.

TowerGroup estimates that direct fraud losses attributable to phishing will top $137.1 million globally in 2004, a figure far below widely cited levels of $1 billion and just a fraction of the total fraud at banks. TowerGroup predicts the number of phishing attacks will top 31,300 in 2004 and rise to more than 86,000 by 2005 as they spread to smaller institutions, new merchant/service-provider categories, and new global markets.

George Tubin of TowerGroup says $137 million is "a drop in the bucket," compared to other types of fraud. He notes there has been no net change in fraud, intimating that phishing has not attracted new fraudsters so much as enticed established scammers to switch tactics. "Real losses aren't out of control," agrees Jim Van Dyke, a principal analyst at Javelin Strategy and Research. "If phishing and spoofing were causing runaway losses, there would be dramatic change [in banks' approach]. But it's not a problem resulting in runaway losses and it's not causing a decrease in the number of users."

Runaway losses or not, bank executives say they are responding forcefully and preemptively to the prospect of phishing attacks. Key to their efforts is education of the consumer. "We've spent quite a bit of time and money educating customers," says Patrick Ruckh, evp and CTO of First Tennessee, which underscores to customers that it would never ever ask for account information or social security numbers via the Internet.

Alecia Kontzen, director of risk for e-commerce at Wachovia, says her bank has also leaned heavily on consumer education to head off phishing attacks, with a rotating marketing campaign on the company's Web site that has recorded significant hits. Equally important to consumer education is employee education, she says. "Employees need to know how to respond," she says. "To whom do they give the information from a consumer? There needs to be an effective escalation process in place." It's vital to include the entire organization (consumer advocacy, investor services, corporate communication, risk and legal departments) and not simply dump the issue in one group's lap.

While many like Wachovia and First Tennessee consider education vital, some say it's problematic. Even Van Dyke, who says the industry must "bring in customers to be part of the fight," acknowledges that banks seem to be "scaring customers" in the way they educate. "[It's] a double-edged sword," says Tubin. "A lot of consumers still don't know about phishing, and you need to talk about it. It is a real threat. But you don't want to raise fears." Ultimately, argues Crooks, "the education of the consumer is simply not a successful course." Phishers adjust their strategies and improve their technology too fast. The general public "will never be smart enough" to keep up, he says.

Nevertheless, Kontzen says the industry can't shy away from education, but must tackle it head on. "The biggest challenge is how to communicate with customers without reinforcing that the on-line channel is not where you should do business."

Phishing, more than anything, is a percentage game. Because of the wide, low-cost reach of the Internet, phishers can deploy low-percentage strategies to millions of people so cheaply that a strategy based on a one percent hit rate is worthwhile. Take Citigroup, for instance, which has relationships with about two percent of the nation's population. A mass e-mail, mimicking a Citi Web site, has a two percent "connection rate." For sure, the "response rate" of actual Citi customers to the phishing e-mail will be lower than that two percent, and the number that actually suffers a loss will be smaller still, but some small sub percentage will, and it will have cost the phishers virtually nothing to try.

Crooks says that "the level of cleverness is disturbing." He notes how in one phishing scheme, phishers sent out an e-mail that requested sensitive information and, to convince customers the request was legitimate, included two digits the phishers claimed were the last two digits of each customer's account number. As Crooks points out, a random two-digit combination has a one in 100 chance of being right, so if a phisher sent such an e-mail to one million users, 10,000 people's accounts will match those two numbers.

"The reason there's been such an explosion in phishing attacks is that the equation works," says Naftali Bennett, CEO of Cyota, a security and anti-fraud security provider. "It's easy to do, the risk of getting caught is tiny and there's plenty of reward."

Phishing is easy, in part, because international jurisdictions are beyond the reach of U.S. criminal prosecution. The Ukraine, the Stans, and several areas of Southeast Asia and Africa are bastions of phishing. A year ago, most attacks were launched within the U.S., but today two-thirds are launched from overseas. A do-it-yourself phishing kit can be purchased on-line for a mere $270, Bennett says. And Kiev has been the site of two phishing conventions sponsored by carderplanet.com, where people could learn all about ID fraud and buy and sell credit card numbers, Fair Isaac's Crooks says. Security at the last of the conventions was provided by the Kiev police.

This phishing network has drawn talented but risk-averse techies, often professionals from economically depressed areas like Eastern Europe and Russia, who phish for account numbers and sell them anonymously over the Web to others who use the data to commit the fraud; the techies are insulated from direct criminal involvement in fraud.

Even if monetary losses from phishing have not yet been substantial, industry watchers agree that a far greater danger is lost consumer confidence in the Internet channel. "The danger is the loss of confidence," says Jim Maloney, chief security executive for Corillian, an on-line banking technology provider. "And if the adoption of the on-line channel slows, that's not going to help anyone." Corillian has teamed with four other vendors to create the Anti-Fraud Alliance: Symantec Corp., specializing in information security; NameProtect, which provides digital fraud detection; PassMark Security, which developed a two-way, two-factor authentication system; and Internet Identity, which specializes in Internet presence control. Gartner analysts Avivah Litan and John Pescatore, who surveyed 5,000 on-line U.S. adults last year, conclude that 57 million U.S. adults believe they had received a phishing e-mail attack by mid-2004.

"The increasing incidence of phishing and other malicious attacks against on-line consumers are eroding consumer trust in the safety of on-line transactions," Litan and Pescatore write in a research note. "This hurts everyone in the e-commerce chain." The analysts say attacks are spreading across the banking industry, with national and regional banks becoming common targets. "Banks and other service providers must act now to protect their brand images, reputation and credibility with consumers," the pair say. "Only 22 percent of consumers believe their banks are extremely competent in protecting their information."

Some bank executives say that when it comes to phishing, they're all in it together. "This is not a competitive issue," says Ruckh of First Tennessee, which he says is "very active" in the Anti-Phishing Working Group. "We've got to cooperate with our compatriots in the industry." Ruckh recalls recently receiving a phishing e-mail involving a rival institution and immediately alerting the firm with a phone call. "The whole banking industry is based on trust and when that is compromised everyone suffers," he says. "That's why it's important to cooperate."

The FDIC stresses the need for banks to adopt new procedures and technologies. "Fraudsters are taking advantage of the reliance on single-factor authentication for remote access to on-line banking, and the lack of e-mail and Web site authentication, to perpetrate account hijacking," the agency wrote in its recent report. "Financial institutions and government should consider a number of steps to reduce on-line fraud, including upgrading existing password-based single-factor customer authentication systems to two-factor authentication; using scanning software to proactively identify and defend against phishing attacks. The further development and use of fraud-detection software to identify account hijacking, similar to existing software that detects credit card fraud, could also help to reduce account hijacking; strengthening educational programs to help consumers avoid on-line scams, such as phishing, that can lead to account hijacking and other forms of identity theft and take appropriate action to limit their liability; and placing a continuing emphasis on information sharing among the financial services industry, government, and technology providers."

Acknowledging the reality of what consumers will and will not do, Associated Bank, a $20 billion bank in Green Bay, WI, has implemented a voice biometric technology from Authentify to securely pass sensitive information to customers via the Internet. When a customer logs onto the Web site to receive a PIN, a phone call is placed to the customer's home or office. When the customer answers the phone, the voice biometric verifies that it is the customer and not a phisher requesting the PIN. This confirmation doesn't require the customer to do anything out of the ordinary. It requires no training, no cost and no software installation.

Peter Tapling, CEO of Authentify, says "the challenge of all on-line transactions is that the endpoint is a computer. We enable the endpoint to be a human. We tie the human being to the Internet transactions and anchor the transaction in the real world. A good phisher can get information, but not if one of the requirements of getting that information is physically sitting in the person's home and answering the phone." Tapling says Authentify's technology, which is also being used by Bank of America to deliver digital certificates for commercial customers, is most often used during high-value transactions, such as first-time interactions and account-control changes.

Leonard Rowe, corporate svp and director of e-business at Associated Bank, says that "customers wanted instant gratification" when it came to getting PINs, which resulted in many time-consuming, expensive calls to the call center. "Voice biometrics was the only legitimate ID technology with a legitimate business case," he says. Specifically, the infrastructure was in place, it is easy to use, and customer acceptance is high. A retinal scanner, by comparison, fails on all these points, he says. Retinal scanners would have to be installed at all customers' homes and at the bank, and then the customers would have to put their eyes in the laser. "If you ask customers, 'which do you prefer, put your eye in a laser, or talk on the phone?' Guess what they're going to say."

Authentify's product is but one example in the wave of technology being released to combat phishing. "There's a ton of great stuff out there," says TowerGroup's Tubin. "The path of phishing attack is being combated at every stage."

Gene Neyer, head of the Financial Services Technology Consortium's counterphishing effort, says "phishers are nimble, but the people defending the channels are nimble as well. The situation is not dire, but we cannot afford to relax at all."

To that end, Corillian's Fraud Detection System can detect when phishers are building a fake Web site and preparing for an attack. By reading Web logs, "we can see phishers coming to a site and see indicators of phishers building a site before e-mails are launched," Maloney says. The technology processes 3,000 Web log lines per second. A typical Web log generates one million to five million lines per day, with each line composed of 21 fields.
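The article does not say which log indicators Corillian's system looks for. One well-known signal a defender can extract from ordinary Web logs is a phishing kit hotlinking the bank's own logo and stylesheet, which shows up as asset requests whose Referer points at a foreign host. The example below is added here and is not Corillian's code; the log lines, host names and asset paths are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical bank hosts and the brand assets a look-alike page tends to hotlink.
OWN_HOSTS = {"www.examplebank.example", "examplebank.example"}
ASSET_PREFIXES = ("/images/", "/css/", "/js/")

# Constructed sample log (RFC 5737 addresses, .example/.invalid hosts); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2004:09:01:11 -0500] "GET /images/logo.gif HTTP/1.1" 200 4120 "https://www.examplebank.example/login" "Mozilla/4.0"
203.0.113.5 - - [10/Nov/2004:09:01:12 -0500] "GET /css/site.css HTTP/1.1" 200 880 "https://www.examplebank.example/login" "Mozilla/4.0"
198.51.100.77 - - [10/Nov/2004:09:15:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 4120 "http://examplebank-verify.invalid/update.php" "Mozilla/4.0"
198.51.100.77 - - [10/Nov/2004:09:15:04 -0500] "GET /css/site.css HTTP/1.1" 200 880 "http://examplebank-verify.invalid/update.php" "Mozilla/4.0"
198.51.100.80 - - [10/Nov/2004:09:16:40 -0500] "GET /images/logo.gif HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
this line is not a valid log record
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hotlinking_hosts(log_text, own_hosts=OWN_HOSTS):
    """Count asset requests per external Referer host.

    Empty ("-") referers are skipped: they are common for direct fetches and
    bots and carry no information about who embedded the asset.
    """
    suspects = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ASSET_PREFIXES):
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            continue
        host = urlsplit(ref).hostname
        if host and host not in own_hosts:
            suspects[host] += 1
    return dict(suspects)


if __name__ == "__main__":
    for host, n in find_hotlinking_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} brand-asset requests (possible look-alike site)")
```

A hit is a lead to verify, not proof: legitimate partners and caching proxies also produce foreign referers, so the flagged host should be fetched and inspected before a takedown request goes out.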

Meanwhile, Falcon ID's capabilities include the real-time sharing of critical information between companies in the same industry and across different industries to detect when an identity is compromised. The technology evaluates transactions throughout the customer lifecycle, and detects identity fraud at any point when an identity is susceptible to compromise, such as account activation and management.

When a phishing attack is launched, often the most pressing need for the impersonated bank is to take down the site. A year ago this would have taken several days, but the industry has quickly moved to close this window. Cyota's FraudAction is an anti-phishing service that includes real-time alerts, detailed severity assessment, site shutdown services, forensics and proprietary countermeasures. It is used by five top U.S. and British banks, including Barclay's Bank of Britain. Bennett, Cyota's CEO, says the company has lowered the lifespan of a typical phishing site to five hours, compared to an industry average of 6.4 days.

One novel phishing countermeasure utilized by Cyota is bombarding the phishing Web site with bogus customer information. "It looks like real user names and passwords, but it's just a hodgepodge," Bennett says. It compromises the phisher's data, making it a painstaking process to sort out the legitimate accounts. "We want to change the equation for them. We want to make it harder to use the data and put them at risk of selling bad data to their customers," Bennett says.

Industry watchers say phishers will continue to increase their sophistication. Of particular concern are new Trojan horses that infect consumer computers and steal data and passwords by observing keystrokes without the consumer knowing their security has been compromised. Also, as larger banks become more adept at staving off attacks, phishers are likely to move downstream and attack regional and mid-sized banks that haven't been as vigilant in counterphishing measures. Bennett notes one mid-sized bank that was attacked 10 times in August and 283 times in October. One of his top-10 bank clients, by comparison, was attacked 107 times in October. "Phishing has become a problem overnight because it has leveraged the infrastructure of spam," says the FSTC's Neyer. "And like spam, the concern is that with phishing every countermeasure spurs technology to get around the countermeasure. Unfortunately, scams that rely on social engineering can never be eliminated, but practical, tactical strategies can be put in place."
