sign in sign up
<<
Home , Internet fraud, Pharming, Phishing

news from the bank

Phishing and : Helping Consumers Avoid by Dawn Hicks Federal Reserve Bank of Boston Photodisc/Getty Images Gone are the days when consumers The Crimes e-mail message contains viruses, or had to step outside to purchase groceries, lures consumers into Trojan horses, that install small book flights and vacations, rent or pur- divulging their personal financial infor- programs on the user’s computer—a chase cars, or just transfer money mation to fraudulent web sites, also good reason to advise everyone to get between bank accounts. Today, they can known as spoofed web sites. The phisher . The pharming e-mail simply grab their checkbooks, debit may send an unsuspecting victim an e- installs the stealth application so that cards, or credit cards, sit down at a com- mail with a link to a fraudulent bank site. whenever the consumer tries to visit the puter in the comfort and safety of their The e-mail instructs the recipient to click official web site of an organization, the homes and complete such transactions on the supposed bank’s link to confirm program redirects the browser to the with and personal identifica- personal account information. Often the pharmer’s fake web site.1 Thus, instead tion numbers, or PINs. Thanks to message sounds plausible, describing a of going phishing for by advances in technology, the types of problem that feels serious to victims. To luring victims through a web link, the transactions they can now complete straighten out, say, a purported overdraft, pharmer harvests information that the online are seemingly endless. trusting customers provide PIN numbers oblivious victim enters into the counter- Unfortunately, the increase in online or passwords. The phisher can then use feit web site. transactions has been accompanied by an that personal data to clean out bank And that’s not all. The latest form increase in online identity . accounts or commit other of pharming doesn’t even require e-mail. Moreover, fraudulent access to personal Pharming is more sophisticated. The Anti-Phishing Working Group information over the Internet is increas- Pharmers also send e-mails. However, the (APWG) reports that -stealing ingly sophisticated. Two forms of identi- consumer can be duped by the pharmer Trojan horses can attack through ty theft, phishing and pharming, are at the without clicking on a link or opening an Messenger using something forefront of this Internet piracy. attachment. Simply opening the e-mail called keyloggers. Keyloggers are viruses message does the damage. The pharming that track a user’s keystrokes on

Communities&Banking 29 legitimate sites and steal passwords.2 financial institutions tend to be more determine when they are on the authen- Victims who use the same password on vulnerable to attacks because they tic site.9 Bank of many sites thus expose themselves to have fewer resources to employ large America also implemented a personal multiple . security teams or implement effective digital-image system. The customer security systems. chooses a “secret image” for logging on to The Impact The financial loss to consumers and the web site, and if the secret image does The APWG estimates that phishing institutions can be tremendous. Gartner, not appear when he or she goes to an attacks grew by an average of 36 percent Inc., a Stamford, -based apparently authentic Bank of America between July 2004 and October 2004. research and advisory firm, conducted a site, it is a fake site. Between August 2004 and October survey on phishing and identity theft in 2004, the number of new and unique May 2005. The study revealed that 1.2 Frederick Stakelbeck phishing e-mail messages more than million Americans lost a total of $929 of the Federal Reserve tripled from 2,158 to 6,597.3 The million in the previous year because of APWG also reports that the leading geo- phishing.6 And in his study “Phishing: A Bank of Philadelphia graphic location for phishers is the Growing to Financial Institutions determined that a typical , with 32 percent of the and E-Commerce,” Frederick W. world’s phishing sites.4 Stakelbeck, Jr., of Philadelphia’s Federal phishing attack can cost a As much as 81 percent of all phish- Reserve Bank determined that a typical financial institution ing attempts made by January 2005 were phishing attack can cost a financial insti- between $50 and $60 per targeted at customers of large financial tution between $50 and $60 per account institutions, although phishers prey on compromised, or $50,000 per attack.7 account compromised, or others as well.5 Recent trends reveal that Those figures do not even cover the cost $50,000 per attack. phishers also are targeting smaller finan- of time spent disabling the phishing sites, cial institutions, such as community resetting legitimate user passwords, and Software companies also are taking banks and credit unions. The smaller installing software patches. steps to prevent Internet piracy. In advising consumers, Microsoft recently announced that it is advocates should be careful creating an “antiphishing” feature for that their warnings do not Windows 7, the next cause anyone to overreact and version of its browser. Users will be inter- give up online transactions. rupted and warned if they attempt to Exaggerated perceptions of visit a known phishing site.10 In addi- threats can undermine cus- tion, antiphishing developers have new tomer convenience, as well as software that can collect and encrypt per- being damaging to financial sonal data and store it safely on the user’s organizations. A Forrester hard drive. When the user enters person- Research study reveals, for al information in response to an example, that 26 percent of unknown e-mailer or a mysterious consumers have elected not pop-up box, the software will display to apply for a financial an alert.11 product online; 20 percent Netcraft, www.netcraft.com, offers decided not to open e-mail an antiphishing toolbar that also works from their financial providers; for pharming. The software alerts users to and 19 percent would not the geographical location of the site they enroll in or are accessing. Then if users attempt bill payment.8 to visit their U.S. bank’s web site and the software reveals that the site is The Solution actually originating from Ukraine, for Institutions are taking example, they know they should contact steps to protect customers the institution through recognized from phishers and pharmers. channels before divulging personal finan- In June 2005, Bank of cial information.12 America, for example, initiat- The U.S. Congress also is taking ed SiteKey, a web site authen- steps to protect Internet users. In his tication service. The software February 2005 introduction to the Anti- Photodisc/Getty Images makes it easier for users to Phishing Act of 2005, Vermont Senator

30 Fall 2005 said that the act would add two new laws to the U.S. Code. The first law would “prohibit the creation or pro- curement of a web site that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.”13 The second would pro- hibit “the creation or procurement of an e-mail that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.” The fraudulent e-mail itself would be sufficient for prosecution, whereas under current law, phishers can be prose- cuted only if the crime has taken place and been reported. Unfortunately, by that point, the thieves have already packed up their fake sites and moved on. The proposed legislation would help law enforcement entities to intervene sooner. In the meantime, awareness is key.

Consumer advocates might recommend Photodisc/Getty Images the preventive measures listed on the Korea, 10 percent; Japan, 3.1 percent; Germany, APWG web site: notify the Complaint 2.7 percent; , 2.7 percent; Romania, 2.2 per- • Be suspicious of any e-mail with Center of the FBI by filing a complaint at cent; Canada, 2.1 percent; France, 2.7 percent; and urgent requests for personal finan- www.ifccfbi.gov. Alternatively, they may Australia, 2.1 percent. cial information; forward the entire suspect e-mail to one 5 See NW3C: National White Collar Crime Center, http://www.nw3c.org/. • Do not use the links in an e-mail or more of these: 6 Gregg Keizer, “Phishing costs nearly $1 billion,” to get to any web page; • [email protected] TechWeb News, June 24, 2005. • Avoid completing forms in e-mail • the at 7 Frederick W. Stakelbeck, Jr., “Phishing: A grow- messages that ask for personal [email protected] ing threat to financial institutions and e-com- merce,” SRC Insights, fall 2004. financial information; • the company that has been mis 8 Paul Gibler, “Phishing, pharming, spimming, • Be sure to use a secure web site represented (for example, an e- and spoofing,” Credit Union Executive Newsletter, when submitting or mail purporting to be from eBay, April 18, 2005, p. 7. other sensitive information via the should be forwarded to 9 Cameron Sturdevant, “Spam tools take on anti- fraud chores,” eWeek, June 20, 2005, web browser; [email protected]) http://www.eweek.com. • Consider installing a web browser 10 Ina Fried, “Microsoft MSN offers scam-site tool bar for protection from Dawn Hicks is a member of the Federal detector,” ZDNet News, August 25, 2005, known phishing fraud web sites Reserve Bank of Boston’s Consumer http://news.zdnet.com/2100-1009_22- 5843325.html. • Regularly log on to online Regulation Outreach Group. 11 Paul L. Kerstein, “How can we stop phishing accounts; and pharming scams?” CSO Update, July 19, 2005, • Regularly check bank, credit, and Endnotes http://www.csoonline.com/talkback/071905.html. 1 debit card statements to ensure all US Netizen, “A New Security Threat – 12 Amanda C. Kooser, “Pharm’s way: Learn how Pharming” (2005), http://www.usnetizen.com/arti- to protect yourself from the latest Internet attack,” transactions are legitimate; cles/pharming.html. Entrepreneur, July 2005, p. 22. • Make sure the browser is up-to- 2 Jane Larson, “ ‘Pharmers’ hit online bank users 13 Patrick Leahy, “Statement of Senator date and security patches are with fraud scam,” The Arizona Republic, April 26, Patrick Leahy: Introduction of the anti-phishing act applied.14 2005. of 2005,” February 28, 2005. 3 John Leyden, “Phishers tapping to auto- 14 For more information, visit mate attacks,” The Register, November 2004, www.antiphishing.org/consumer_recs.html. Advocates also might tell consumers http://www.theregister.co.uk/2004/11/26/anti- that if they believe they are being target- phishing_report. 4 ed by phishing or pharming, they should Other top countries are China, 13 percent;

Communities&Banking 31