That’s what worries companies like eBay–and the dozens of others that have been targeted repeatedly by these attacks. In Olechowski’s case, he called the online auction house just to be sure, and discovered to his surprise that the e-mail he’d gotten had been legitimate. But few consumers will take the time to check an e-mail’s authenticity with a phone call. As the prevalence and sophistication of these phishing scams continue to grow, companies that do business online–and who doesn’t these days?–have more reason than ever to be concerned. Not only could the attacks disrupt business but they threaten to diminish consumers’ confidence in conducting transactions online at all.
“These attacks are undermining trust in the entire e-commerce system, the way we do business,” says David Jevans, chairman of the Anti-Phishing Working Group (APWG), an organization formed last fall to help eliminate phishing attacks. The group has since grown to more than 180 members, including law-enforcement agencies, technology vendors and major financial firms who’ve been popular targets in the attacks. “We take this spoof issue very, very seriously, and we think it is important for the industry as a whole to address,” PayPal official Amanda Pires told NEWSWEEK. “These attacks are targeting just about any legitimate site that has a big [customer] base.”
In the past year, there have been more than 250 reported phishing attacks on major banks and credit card companies, e-commerce sites and government agencies, according to the British security firm mi2g, which maintains an extensive database on electronic crime. Most come in the form of e-mails purporting to be from the recipient’s bank or e-commerce site, asking them to click on a hyperlink to update passwords or personal information. The link appears to lead to the company’s Web site, but the site is actually fraudulent (or, in some cases, the site is real but a fraudulent pop-up appears). Once recipients have entered their personal information, the cybercriminals behind the scam are able to steal money from their accounts or, worse, steal their identity and wreak havoc with their credit. That also makes it difficult for law-enforcement agencies to track the number of victims or costs resulting directly from phishing attacks. “If someone’s information has been stolen that way, how would they know?” says Betsy Broder, assistant director in the Bureau of Consumer Protection for the Federal Trade Commission. “If you’ve been tricked into giving up data and you thought it was legitimate, you may never connect the incidents.”
The FTC recorded about 215,000 complaints of identity theft in 2003–the highest total ever and a 33 percent increase from the previous year. Broder figures that in about half of those cases, the victims were unaware of how their information was stolen. But there’s a good chance they may have been victims of phishing attacks. The response rate to these e-mails is still small–estimates range from about half a percent to as high as 2 or 3 percent. But that can add up quickly if millions of phishing e-mails are being sent out. So far, law-enforcement officials have targeted criminals behind just two separate phishing scams. The first defendant was a teenager who sent out e-mails purporting to be from America Online. Late last month, the FTC announced charges had been filed against a second scammer, Zachary Hill, who is accused of hijacking logos from AOL and PayPal to con hundreds of consumers into providing credit card and bank account information. (He allegedly collected at least 470 credit card numbers and 152 bank account numbers over the past two years.) Hill then allegedly used the credit card information to charge more than $47,000 worth of purchases before he was caught.
U.S. law-enforcement efforts have been hampered in part by the fact that many phishing attacks appear to originate from overseas servers, making it difficult to track down and prosecute the offenders. Security experts say global criminal syndicates are likely behind some of the more sophisticated and wide-reaching attacks. About 35 major banks around the world have already been spoofed in fraudulent e-mails, including some in Spain, Singapore, Australia, Canada, Hong Kong and even Switzerland, according to mi2g. But the top targets are in North America and England, where more than 100 separate phishing incidents have been reported in the past year at big-name banks like Fleet Bank, ABN AMRO, American Express, Bank of America, HSBC, Barclays Bank and even the Bank of England (the country’s central bank). “It is a concern, most definitely,” says Guy Gondor, vice president of the Information Technology Group at Coast Capital Savings, Canada’s second-largest credit union, which has sent out regular bulletins to its members on how to identify and avoid the fraudulent e-mails. “The reality is we have no way to really prevent them from happening. And it looks too legit to ignore.” Some U.S. companies have been targeted multiple times: eBay alone has had 94 attacks, AOL has had 57 and Citibank, 60.
Citibank spokesman Mark Rodgers says the bank has made many efforts “to make sure our customers are confident when they deal with us online.” So far, that’s meant adding a link in the corner of its Web site that pops open a box with information on e-mail fraud and examples of more than a dozen separate “spoof” e-mails that have been sent to its customers so far this year. But the scam spams continue to be sent out and, though Rodgers says that he is personally unaware of any customers who have lost money from their accounts in an attack, he concedes that some customers have called to report that they have responded to a phishing e-mail. The bank has changed customers’ PINs, and even closed and reopened accounts to make sure they’re not compromised.
Not surprisingly, Citibank, as well as other companies targeted, play down the direct costs of such attacks, claiming the cost of reimbursing affected customers and warning others is negligible. PayPal, similarly, says its loss rate due to fraud has hovered around a third of 1 percent over the past year–well below the industry average of 1 to 1.1 percent–despite the increase in phishing scams. But related and long-term costs may be much higher. Mi2g estimates that worldwide economic damage from phishing scams last year exceeded $13.5 billion in customer and productivity losses, business interruptions, and brand repair efforts. And the security firm says damage estimates for this year should be even higher. The firm’s Intelligence Unit says there were more phishing attacks reported in the first quarter of this year than in all of 2003. And mi2g estimates economic damages had already surpassed $24.8 billion by the end of the quarter. But the worst damage may come from customers who lose faith in doing banking online.
“There’s real concern about financial losses, but what these companies are really concerned about is the erosion of their brand name and trust, and that people won’t use the Internet as a channel for commerce or customer service–especially if you’re an e-commerce vendor, and all your business is done online,” says the APWG’s Jevans.
He says the APWG’s members have been working not only to educate customers, but to create companywide policies for handling reports of spoof e-mails and, finally, to implement the technology to stop–or at least decrease–future attacks.
“Our goal is to not only find the right fix, but to also allow our customers continued faith in our services,” says Milton Santiago, senior vice president of ABN AMRO Services Company. As many of the targeted companies are realizing, education efforts alone aren’t enough to keep customers from responding–especially when the phony e-mails and Web sites are so sophisticated that even technology experts say they have trouble telling the difference. “It’s an ongoing education campaign; but as long as people are willing to believe, it’s hard to educate them,” says Mike Nash, corporate vice president of Microsoft’s Security Business Unit.
The major Internet Service Providers have each unveiled new proposals in the past few months that they hope will help cut down both spoof e-mails and spam. Microsoft’s plan, dubbed Caller ID for e-mail, would require senders to publish the IP (Internet Protocol) addresses of their outgoing mail servers, so that an e-mail’s origins can be verified before it is delivered. AOL began testing a similar system in January called Sender Policy Framework, or SPF. And Yahoo! has announced a program called DomainKeys, which uses encryption to digitally sign messages delivered to its users. Anti-virus and anti-spam companies are also stepping up efforts, adding additional filters to their software programs to specifically target these e-mails. (CipherTrust, for example, claims to be the first e-mail security company to incorporate e-mail authentication standards into its anti-spam product, IronMail.) “All these initiatives need to build on each other to develop a more effectively protected form of communication,” says Chris Kraft, vice president of marketing at the security firm Sophos.
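To make the "publish your mail servers' IP addresses" idea concrete, here is an added example (not code from the article, Microsoft, AOL or any of the vendors named) of how a receiving mail server evaluates an SPF record: it looks up the sender domain's policy and checks whether the connecting server's IP is one the domain has authorized. The domain names and records are constructed stand-ins for real DNS lookups, and only the ip4/ip6 mechanisms and the "all" qualifier are handled.

```python
import ipaddress

# Constructed sample TXT records (assumption: a real verifier would query DNS
# for the domain in the envelope sender address instead of this table).
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "example-shop.test": "v=spf1 ip4:203.0.113.0/28 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a matched mechanism -> SPF result.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup of the domain's SPF policy."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(sender_ip, domain):
    """Evaluate the connecting server's IP against the domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no usable record).
    Supports ip4:/ip6: mechanisms with optional CIDR and the terminal 'all';
    include:, a, mx and macros are deliberately out of scope here.
    """
    record = lookup_spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # strict=False tolerates host bits set in the published prefix
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # ran off the end of the record with no match


if __name__ == "__main__":
    # A message claiming to be from the bank but sent from an unlisted server
    print(check_spf("198.51.100.11", "example-bank.test"))  # fail
    print(check_spf("192.0.2.77", "example-bank.test"))     # pass
```

A "fail" only proves the message did not come through the domain's published servers; SPF says nothing about a phisher who registers a look-alike domain and publishes a valid record for it, which is why the article's sources expect these schemes to be layered rather than relied on alone.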
Security experts say it will likely be at least six to 12 months before such measures are widely in place. “There’s not going to be one silver bullet,” says Jevans. “In two years, if we have signed e-mail or authenticated e-mail, that’s great.” Until then, the best protection for consumers may well be Olechowski’s low-tech method: when in doubt, use the phone instead of the mouse.