Corillian Pitching Web Security Service to Banks

Corillian Corp. announced last week that it would offer financial services companies an anti-fraud service designed to spot potential con artists before they approach their victims.

The Portland, Ore., Internet banking software vendor’s Fraud Detection System has been available to its online banking software customers for the past year, but Corillian says it is now trying to reach a wider market.

Just as a credit card company can analyze transaction activity to flag odd activity on a stolen account, this service detects potential cybercrimes by looking for people who are trolling through bank Web sites to create bogus replicas.

“The pattern of somebody coming in to look at images and the structure of the site is very different from somebody coming in to do online banking,” said Jim Maloney, Corillian’s chief security executive.

Someone looking at a site’s structure might be taking notes for a phishing scheme, he said. Phishing, a tactic increasingly used in cybercrime, involves e-mails that purport to be from a bank and typically link to bogus but convincingly constructed Web sites, where customers reveal their account information to criminals.

When crooks begin the research for building a fake site, their activity can be quite obvious in a company’s Web activity logs, Mr. Maloney said. “What we’ll see is them collecting information and looking at pages in a pattern that is very different from a typical log-on.”

Phishing scams will cost banks between $100 million and $400 million this year, according to a study issued last week by Financial Insights, a Framingham, Mass., research unit of International Data Group.

An earlier study from the Stamford, Conn., market research company Gartner Inc. came up with a $1.2 billion price tag for losses by phishing victims in the 12-month period that ended in April. But Avivah Litan, a vice president and research director at Gartner, said that figure includes losses phishing victims incur from other thefts — these victims, she said, are three times more likely than the average citizen to become a victim of another type of fraud.

Sophie Louvel, a research analyst with Financial Insights, said Corillian’s service “is definitely a step in the right direction, and all service providers should be looking to them as an example.”

Neither analyst knew of any companies using a similar approach for detecting phishers.

Ms. Louvel said other companies with anti-phishing offerings, including Cyota Inc., and eMarkMonitor Inc., try to spot potential fraud sites by searching for people creating Web sites whose names resemble those of official bank sites. When vendors find a fraudulent site, they can flood it with false account information, to make it hard for the criminals to find the real information they may get from legitimate account holders.

Phishers typically make $1,000 to $1,500 from each victim, primarily because they target online banking users, she said. These people tend to be affluent, and usually keep more money in Web-linked accounts, which they use to pay bills.

Mr. Maloney said Corillian’s service can also detect when a fake site links to a legitimate one to borrow images and text.

“There will be links back to the original site for things like the logo and the privacy statement,” he said. “It’s easier and faster to refer back to the original links” than to copy and store these items on the spoof site.

Ms. Litan said that culling images directly from a bank site helps keep the scam current with minimal effort for the crook. “If anything changes, they can get the new logo” automatically.

Mr. Maloney said another common tactic is for a fake site to include a link that takes visitors back to the legitimate site after they have submitted their information. Doing this can help allay a victim’s suspicions, but it also shows up on the real site’s log, which Corillian can use to detect where the fake site is hosted — a critical step in shutting it down. The bank can also use the log to identify which customers were referred to the real site from the fake one.
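The referrer analysis described above can be sketched in a few lines over a web server access log. This is an added example, not Corillian's code; it assumes the Apache/NGINX "combined" log format, and the hostnames, addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed hostnames of the legitimate bank site (hypothetical).
OWN_HOSTS = {"www.examplebank.test", "examplebank.test"}

# Constructed sample lines in "combined" log format; every value is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2004:10:01:02 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "http://secure-examplebank.test/login.html" "Mozilla/4.0"
203.0.113.7 - - [12/Oct/2004:10:01:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://secure-examplebank.test/thanks.php" "Mozilla/4.0"
198.51.100.23 - - [12/Oct/2004:10:02:11 +0000] "GET /privacy.html HTTP/1.1" 200 900 "http://secure-examplebank.test/login.html" "Mozilla/4.0"
192.0.2.44 - - [12/Oct/2004:10:03:00 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "http://www.examplebank.test/index.html" "Mozilla/4.0"
192.0.2.45 - - [12/Oct/2004:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
ASSET_RE = re.compile(r'\.(gif|jpe?g|png|css|js)$', re.I)

def external_referrers(log_text, own_hosts=OWN_HOSTS):
    """Group requests whose Referer names a foreign host: {host: report}."""
    report = defaultdict(lambda: {"hotlinked": set(), "landings": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # direct visit or same-site navigation
        entry = report[host]
        entry["clients"].add(m["ip"])  # visitors who arrived via the foreign site
        path = m["path"].split("?", 1)[0]
        # Images and styles pulled by a foreign page versus pages visited from it.
        (entry["hotlinked"] if ASSET_RE.search(path) else entry["landings"]).add(path)
    return dict(report)

if __name__ == "__main__":
    for host, e in external_referrers(SAMPLE_LOG).items():
        print(host, sorted(e["hotlinked"]), sorted(e["landings"]), sorted(e["clients"]))
```

The Referer header can be missing or forged, and search engines and partner sites also appear as foreign referrers, so the output is a list of hosts to review against an allowlist rather than a verdict.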

Many detection services set up e-mail accounts to catch spam, then filter those e-mails to determine which were sent by con artists. But Ms. Litan said banks don’t need vendors to simply tell them someone is setting up a fraudulent site. Banks “tend to catch the sites faster than any of these services,” because their employees and customers alert the bank the moment they receive a suspicious e-mail.

Anti-fraud offerings “are not so much needed to catch phishers,” she said. “They’re needed to stop phishers any way they can.”
