Though the share of phishing e-mails attacking banking companies’ brand names has fallen, banks’ losses to fraud are climbing — and the overall volume of fake e-mails has surged.
Security analysts say the surge in fake e-mails has come in the months before federal guidelines calling for stronger online authentication take effect (on Dec. 31). Though many banks are using anti-fraud tools to protect their own brands, these tools are often ineffective when consumers are fooled by e-mails using other companies’ brands, and the banks often remain liable for the losses.
The Anti-Phishing Working Group, a trade group that tracks phishing attempts, said it has seen a near doubling in fake e-mails since a year ago.
Most of the increase took place in the summer. The number of attacks surpassed 20,000 in May and shot to an all-time high in June of 28,571, before dipping to 26,150 in August.
But as the volume goes up, an analyst said, criminals are less likely to focus on banks. An August survey of 5,000 U.S. adults with Internet access by the Stamford, Conn., market research company Gartner Inc., said 30% of the sample had received a phishing e-mail using a bank’s name, compared with 34% in 2005. The top phishing target in both years was PayPal Inc., whose name had been used in fake e-mails received by 47% of the sample last year and 61% this year.
Banks’ overall losses to phishing are on the rise, whether or not their brands are the ones targeted, Gartner said, because the victims will usually turn to their banks. Gartner found that consumers who manage to recover some of their losses to phishers are reimbursed by banks 42% of the time, compared with 55% last year. Overall phishing losses are way up, from $600 million last year, to an estimated $2.8 billion this year.
Avivah Litan, a vice president and the research director at Gartner, said that, because banks are being targeted less, they are on the hook for a smaller percentage of fraud losses, but the near quintupling in overall phishing losses means that banks’ dollar losses are growing.
“Plain old phishing is doing pretty well,” she said. “Online banking is not targeted as much as it used to be,” but “everything [else] went up.”
Brad Keller, the e-commerce business risk manager at Wachovia Corp., said his company is responding to the increased variety of phishing attempts by undertaking “a sweeping update of the information on our Web site” that will be completed by yearend.
David H. Stone, Wachovia’s director of online customer experience and support, said the Charlotte banking company had “seen an increase of phishing e-mail, kind of midsummer, very focused on Wachovia.”
One reason for the increase in phishing activity, he said, is probably the impending deadline set by the Federal Financial Institutions Examination Council for banks to strengthen their online security. The guidelines call for using more than just the standard user name and password combination to protect online banking accounts, which could make things more difficult for phishers. Many phishers ask victims to reveal their online banking passwords, but once the guidelines take effect, this information may not be enough for phishers to steal money.
“We think they’re stepping up their efforts to get as much as they can done before that happens,” Mr. Stone said.
“We’ve actually been very successful at identifying” the attacks that use Wachovia’s name, Mr. Keller said, and the “amount of additional losses are much, much smaller” than the corresponding increase in fraud attempts.
Christopher Leach, the chief information security officer at First Horizon National Corp. in Memphis, said that the Office of the Comptroller of the Currency has advised banks that the impending FFIEC deadline may prompt even more phishing attacks.
Mr. Leach said he anticipates a seasonal uptick in phishing during the holiday months, when many people make more online purchases, which could make them easier targets for fraudsters.
Walter Latinik, a vice president and the manager of online financial services at First Horizon, said its name was used in a steady stream of phishing attacks until June, when it strengthened its online authentication method for retail customers.
“Since that point, we’ve seen a significant decrease,” he said, “and I think the two-factor authentication component has really served to filter out the phishers.” First Horizon asks a “challenge” question and presents what it calls a trustword before asking for the password.
Phishers are “going to go to where they see something they can exploit for the quick hit and move along,” he said. “The multifactor mandate was for the banking world, so I think they’re going to move on to other areas that are less secure.”
But Mr. Leach said he is under no illusion that this problem has been solved. Despite the new security guidelines, he said, “in some way, shape, or form, phishing is going to be around for a while.”
Sara Bettencourt, a spokeswoman for PayPal, said her company’s size makes it a big target. However, its users have gotten very good at detecting and reporting phishing e-mails, she said, so phishers might “have to send out more because less people are falling for it.”