The e-mail seems legitimate. The logo and the return address match your bank’s, and the official-looking letter below warns that fraudulent activity has been detected in some of the bank’s accounts. It asks you to click on a link below, check your account balances, and report any signs of fraud.

Should you follow the instructions, however, you may unwittingly become the victim of fraud. The e-mail is actually a counterfeit “spoof” and the link leads to a Web site that looks like your bank’s, right down to the URL address that appears in the window. But it’s actually the creation of tech-savvy cyber-criminals who are forging legitimate logos, Web sites, and links–even URL addresses (hiding the actual Web address and substituting a fake URL that matches a legitimate address)–to try and get recipients to give up personal and financial information. The first of these so-called “phishing” attacks was publicized last spring when an Australian bank was targeted. Other banks, insurance companies, e-commerce sites and online retailers around the world–from eBay to PayPal to Visa International–have since been hit. But security officials say criminals have stepped up their efforts in recent weeks, with increasingly sophisticated and pervasive attacks.
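The disguise described above, a link whose visible text shows one Web address while the underlying link points somewhere else, is something a mail client or gateway can check for mechanically. The following is an added example, not code from the article or from any of the companies it names: it pulls every link out of an HTML message body and flags those whose displayed address belongs to a different site than the real destination. The message body, the host names (examplebank.com, example.net) and the simple “last two labels” notion of a site are all constructed assumptions for illustration.

```python
"""Flag links whose visible text names one Web address while the href
points to a different site, the substitution trick described above.
Added example; the sample HTML and domain names below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible link text that looks like a Web address: optional scheme, optional
# www., then a host name containing a dot, then an optional path.
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I
)


def registered_domain(host):
    """Reduce a host name to the site it belongs to (assumption: the last two
    labels, e.g. examplebank.com; production code would use a public suffix
    list). Bare IP addresses are returned unchanged."""
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return one finding per link whose displayed address and real
    destination belong to different sites."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        match = URL_LIKE.match(text)
        if not match:
            continue  # link text is a phrase such as "here": nothing to compare
        shown = registered_domain(match.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append(
                {"text": text, "href": href, "shown": shown, "actual": actual}
            )
    return findings


# Constructed message body: one honest link, one disguised link, one plain-text link.
SAMPLE_HTML = """
<p>Please <a href="https://www.examplebank.com/help">examplebank.com/help</a></p>
<p>or click <a href="http://examplebank.com.login-check.example.net/update">
https://www.examplebank.com/update</a> to review your account.</p>
<p>Questions? Go <a href="https://www.examplebank.com/contact">here</a>.</p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"shows {f['shown']!r} but goes to {f['actual']!r}: {f['href']}")
```

Only links whose text looks like an address are compared, so ordinary “click here” links produce no finding; the disguised link in the sample is caught because its real host ends in example.net even though it starts with the bank’s name.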

Last month, mi2g, a British-based security firm that maintains an extensive database on electronic crime, recorded the highest number of phishing attacks yet. GIANT, an anti-spam software company, has seen more than twice as many phishing e-mails so far this month as in all of 2003. Mi2g founder D.K. Matai notes that increasingly those attacks are being aimed at U.S. targets. “And that trend is set to get worse,” he adds. So far this month, Citibank has already identified five fraudulent e-mails sent out to customers (see citibank.com for more info).

“It’s not an annoyance, it’s a threat [to businesses]. It is real loss,” says David Jevans, chairman of the U.S.-based Anti-Phishing Working Group (APWG), a consortium of more than 60 banks, retailers, and security firms that have joined forces since last fall to tackle the issue.

Traditional forms of spam, which are aimed primarily at getting recipients to buy products and services they didn’t know they wanted, can be a nuisance; they clog up e-mail boxes and slow down service. But “phishing” attacks–so named because the senders are “fishing” for recipients’ personal information (the substitution of “ph” for “f” is said to be a nod to an early form of hacking known as “phreaking,” according to the APWG)–are disguised as e-mails from familiar firms, asking recipients to update existing account information or provide password verification. “People think they’re doing the responsible thing [by responding],” says Paul Judge, CTO of CipherTrust, an e-mail security company. Instead, they’re handing over their most sensitive information to criminals who often use the data to steal money from victims’ bank accounts or, worse, to steal their identities–ordering new credit cards, shopping online, and wreaking havoc with victims’ credit ratings.

The first and only U.S. federal case of phishing to be settled so far was reported last July, and involved a teenager who sent out e-mails posing as AOL, asking customers to update their billing information on a page he’d created to look like the Internet service provider’s billing center. He then used the information entered by those who responded to charge online purchases and open accounts with PayPal. Perhaps in part because of his age, the defendant in that case got off with a relatively light sentence: he was barred from sending spam in the future and was ordered to give up $3,500 in “ill-gotten gains.” His case was then referred to a district court in Los Angeles County, where he lived.

At the time of the settlement, Timothy J. Muris, chairman of the Federal Trade Commission, which filed the charges, noted that it was the agency’s first law-enforcement action targeting phishing. But he warned: “It won’t be the last.” Today, the FTC is working with the FBI and the Justice Department on a number of other phishing cases, says Eric A. Wenger, an attorney in the FTC’s bureau of consumer protection. None have been settled yet, and the agency won’t comment on any investigation in progress.

Security experts say they have noticed a disturbing trend. Increasingly, attacks have been linked not to teenage pranksters, but to criminal syndicates in areas like eastern Europe and Asia. “Phishing is motivated purely by financial fraud and gain. And organized crime is now just using the Internet as one pillar alongside gambling and human trafficking,” says mi2g’s Matai.

So far, it’s been hard to track the financial losses from phishing attacks. The FTC does keep track of identity theft reports, which have been steadily increasing and include victims of e-mail fraud scams like phishing, says Wenger. In 2003, the agency received nearly 215,000 reports of identity theft–an increase of 33 percent from the year before. But Wenger says it’s hard to quantify how many reported cases of identity theft are the result of phishing attacks since victims often simply report that someone’s been using their credit card, but don’t realize the criminal got that information when they entered it unknowingly on a fraudulent site. “Once you’ve responded [to the e-mail], it’s gone and you may not realize that you’ve been a victim until 30 days later, when you get your next bank statement,” says Carl Banzhof, CTO of Citadel Security Software, which develops and markets computer security and privacy software. “This is why we need to educate people now.”

Businesses have begun that process. EBay and Citibank, for example, have posted tips and examples of fraudulent e-mails on their Web sites to help customers identify and delete them. PayPal’s security center also offers an extra level of security through a verification system that awards special status to customers who have provided proof of a confirmed bank account or credit card.

Banks, credit card companies and e-commerce sites that have been struck have so far dismissed as negligible the costs of compensating customers who’ve fallen victim to phishing scams and of issuing new cards and accounts. But mi2g estimates the overall costs to companies dealing with the attacks worldwide in 2003 exceeded $5 billion in customer and productivity losses, business interruptions, and brand repair efforts. If the attacks continue at this pace, it could be even more costly this year. “When attacks happen, we are in a reactive mode, not a proactive mode. Now businesses are waking up and saying what can I do to protect myself?” says Steve Solomon, CEO of Citadel Security Software.

Jevans, chairman of the Anti-Phishing Working Group, says the first step will probably be the use of digital signatures on e-mails, which are harder to fake. Anti-virus and anti-spam companies are also stepping up efforts for consumers, adding additional filters to their programs to try and target these e-mails (Spam Inspector 4.0 by the anti-spam software company GIANT, for example, claims to have “a unique ‘Phishing Hole Filter’” that stops potentially fraudulent e-mails from making it to your inbox).

One reason phishing attacks have been so successful is that a recipient has no way to verify whether an e-mail really came from their bank, beyond checking the return address (which can be forged), without picking up the phone. If a customer has no reason to think the e-mail is fraudulent, they aren’t likely to spend the time tracking down someone at the bank or e-commerce retailer to check its authenticity.

There is technology being developed that would do that for you. Companies that do business online are now able to publish, in their domain name servers, information that lets the e-mails they send out be identified as coming from their own servers. But making use of it requires additional software on the recipient’s end, which is not expected to be widely available for another six months to a year. Even then, the software would work on your mail server, not your personal PC, so Internet Service Providers (ISPs) like Yahoo! and AOL and MSN would need to cooperate on a single common standard in order to make the authentication system work for all home users. Once they adopt such measures, e-mails from questionable sources might never even make it to your e-mail box (or will be flagged, if they do). The Anti-Phishing Working Group says it has included ISPs in its efforts to develop a solution.
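The two preceding paragraphs describe the gap (a return address anyone can forge) and the remedy being built (a domain publishing in DNS which servers are allowed to send its mail, checked by software on the receiving side). The block below is an added example of how that receiving-side check works, written in the style the approach later took as SPF (RFC 7208); it is not code from the article, the APWG or any vendor named. The DNS is replaced by a constructed in-memory table, and the domains, addresses and policy strings are assumptions for illustration only.

```python
"""Receiving-side check: is the IP address that delivered a message one the
sender's domain has authorised in a DNS-published policy?
Added example in the style of SPF; the policy table stands in for DNS TXT
lookups and every domain and address in it is constructed."""
import ipaddress

# Constructed stand-in for DNS: domain -> published sending policy.
RECORDS = {
    "examplebank.com": "v=spf1 ip4:198.51.100.0/24 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all",
}

# Prefix on a policy term that says what a match means.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_policy(domain, records):
    """Return the policy text a domain publishes, or None if it has none."""
    return records.get(domain.lower())


def evaluate_policy(domain, sender_ip, records, depth=0):
    """Walk the domain's policy left to right; the first matching term decides.
    Returns pass, fail, softfail, neutral, none (no policy) or permerror."""
    if depth > 10:  # guard against include: chains that loop
        return "permerror"
    policy = lookup_policy(domain, records)
    if policy is None or not policy.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in policy.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # The included domain's policy must itself say "pass" for this term to match.
            if evaluate_policy(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, ...) are not handled in this simplified evaluator.
    return "neutral"  # nothing matched and the policy has no 'all' term


def sender_domain(mail_from):
    """Domain part of the envelope sender address."""
    return mail_from.rsplit("@", 1)[-1]


def check_message(mail_from, sender_ip, records=RECORDS):
    """Result a receiving mail server would attach to the message."""
    return evaluate_policy(sender_domain(mail_from), sender_ip, records)


if __name__ == "__main__":
    # Constructed deliveries: a real bank server, its outsourced mailer, and a forger.
    for ip in ("198.51.100.25", "203.0.113.10", "192.0.2.99"):
        print(ip, "->", check_message("alerts@examplebank.com", ip))
```

The forged message fails because the policy's final `-all` term says that any sender not listed is unauthorised; a receiver can then discard or flag it, which is the "flagged, if they do" outcome the paragraph above anticipates. The check only establishes that the message came from a server the domain vouches for, so it is the counterpart to a forged return address, not a judgement of the message body.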

Still, security experts say we may be months–or years–away from implementing more extensive e-mail authentication measures. Nor have there yet been full-scale ad campaigns to educate consumers; instead, companies that have been hit have preferred to post warnings on their own Web sites. “Until these companies begin to lose hundreds of millions of dollars apiece in terms of financial fraud and the costs associated with building that confidence in the brand again, the cost-benefit analysis will not tilt in favor of installing high layers of authentication,” says Matai. But once the economic losses start adding up or customers start balking at buying or banking online, that may change.

“The bigger the threat, the more likely the adaptation of new measures to deal with it,” says Jesse Dougherty, an anti-spam expert at the security firm Sophos. “And this presents an enormous threat, if it’s not handled properly.”

In the long run–three years down the line or so–that could mean even tougher biometric security measures, like fingerprint or iris scans combined with a password or smart card to access accounts and conduct online transactions. But those changes require a lot of money and time to implement. In the meantime, it’s up to the recipient to try and recognize what’s real and what’s not. And that’s becoming a bigger challenge every day.