CIO

Fighting Phish, Fakes and Frauds

Companies on the front lines of the phishing wars share tactics for making their sites spoof-proof and protecting online transactions.

Reader ROI

  • Why phishing is a major threat to future e-commerce
  • How you can protect your employees and customers from phish attacks
  • What you can do to make your Web site a difficult target

On June 25, an e-mail that appeared to be from the PayPal Support Centre asked members of the online payment service to update their account information to protect themselves from fraud. Failure to update records by July 15, the message read, would result in account suspension. Recipients who clicked on the embedded link encountered a familiar PayPal log-in screen, then an announcement of a new immediate payment option as well as a ho-hum notification of changes to PayPal's user agreement and privacy policy.

All standard PayPal fare. So, few customers would have thought twice about filling in the online form that followed - even though it asked them to cough up their e-mail address and PayPal password, credit card number and expiration date, billing address and phone number, cheque account number, ATM code, Social Security number, birth date and mother's maiden name. Upon hitting the "Continue" button, the PayPal member would have been greeted with an "Updating Your Account" screen for a few seconds before landing on a replica of a general PayPal page.

It was all so convincing that respondents might never have suspected that the online form they just completed was on its way to a crook in Seoul. Those who did reply gave away access to their PayPal account, credit card and cheque accounts, and quite possibly enough information for the fraudster to take out a second mortgage on their homes.

The Internet makes identity theft almost laughably easy. Phishing - or the practice of sending e-mails and using fake Web sites that spoof a legitimate business in order to dupe unsuspecting customers into sharing personal and financial data - requires minimal effort and capital. "A lot of drug lords are getting into phishing," says Avivah Litan, a vice president and research director at Gartner. "They set up phishing rings because it's easier and more lucrative than selling cocaine."

Not surprisingly, the incidence of phishing is growing at an alarming rate. In June, the Anti-Phishing Working Group (APWG), an industry group, counted 1422 phishing attacks - more than 12 times the number of attacks reported in December. So far, phishers have mostly targeted customers of large banks, credit card companies, online payment services, ISPs and online retailers. In June, Citibank alone was the target of 492 attacks, and eBay experienced 285 attacks. PayPal was targeted 42 times in February, 63 in March, 135 in April, 149 in May and 163 in June. But any company with a recognizable brand name could very well become the next target. Government agencies, including the IRS and the FBI in the US, have been spoofed by phishers eager to capitalize on governmental authority to make an easy profit. In fact, even internal corporate data is becoming a target for phishers, as executives at Wyndham International discovered when a message purporting to be from the hotel chain's IT department asked employees to verify their corporate passwords.

"Spoofing is a threat to any company with a sizeable customer base," says Ken Miller, vice president of risk management at PayPal. "Every CIO needs to be aware of this issue."

Indeed, phishing has scared some consumers so badly that they say they're not going to bank online any more, says Dave Jevans, APWG chairman. Although technological solutions are on the horizon, they won't be in place for at least a year, and quite likely not for two or three. In the meantime, there are measures CIOs can put in place to staunch the billions of dollars in potential losses to their customers and companies. Here's a look at the current state of phishing, why it's such a serious threat to e-commerce and what companies on the front lines are doing to minimize the risk to their customers and brands.

Lost Dollars, Lost Trust

While early phishing attempts were crude, with telltale misspellings and poor grammar, phishing e-mails have become remarkably sophisticated in recent months, sending recipients to fake sites that are replicas of the sites they're spoofing. Fake status bars make it look like a Web site is secure, or e-mails and Web pages contain viruses with keystroke loggers that capture customers' online banking passwords. Plausible-looking "cousin" domains like aolaccountupdate.com or mycitibank.net are registered by would-be thieves, not AOL or Citibank. E-mail links send customers to fake log-in pages that use a phished company's logo and images. Phishers even direct recipients to a company's real Web site, but then collect their personal data through a faux pop-up window that ships it to a server overseas.

"I've been to meetings of industry experts where it's taken them minutes of studying an e-mail from a phisher site to determine that it's not the actual site," says John Curran, supervisory special agent with the FBI's Internet Crime Complaint Centre. "You can't expect the average person surfing the Internet or doing online banking to be suspicious of an e-mail that convincing."

The cost of an attack can add up quickly. Companies that are targets must deal with huge spikes in call centre volumes as customers call either to voice their suspicions or question why the company needs their account data. APWG's Jevans knows of one financial services company that received 70,000 calls an hour for 12 hours when it was hit with its first phishing attack. In addition, companies must alert consumers, work with ISPs to shut down the phisher site quickly and follow up with law enforcement to try to nab the perpetrators. For customers who fall for a phisher's lure, companies must also reset their passwords and help them deal with the repercussions of any phishing-related fraud.

Potential losses are particularly high for financial institutions since they must also absorb the cost of any resulting fraud. Litan's research revealed that of Internet users who gave personal information to phishing sites, more than half became victims of identity theft fraud. She estimates that phishing-related fraud cost banks and card issuers $US1.2 billion last year. Accurate metrics are tough to pin down because companies don't want their competitors - or customers - to know the extent of the problem. (Citibank, for instance, is so sensitive about the problem that it won't even share its phish-fighting remedies.)

The damage goes beyond dollar losses. Some customers may feel so spooked that they no longer want to do business with the company. "It's a question of trust, a question of brand," says Tom Salmond, who manages the E-Banking Fraud Liaison Group at the Association for Payment Clearing Services (APACS), a trade association of UK financial institutions.

Litan warns that phishing and similar attacks could slow the growth of e-commerce in the United States alone by 1 percent to 2 percent in 2005. "The impact is that no one can trust Internet communication any more," she says. "The whole promise of e-commerce - to lower costs, increase revenue and launch [tailored] marketing campaigns more quickly - all that goes out the window if consumers don't trust e-mail communications."

You Can't Wait for Sender Authentication

One reason phishing e-mails are so convincing is that more than 90 percent of them forge the "from" line so that the message looks like it's from the spoofed company. If e-mail gateways could verify that messages purporting to be from, say, Citibank did in fact originate from a legitimate Citibank server, messages from spoofed addresses could be automatically tagged as fraudulent spam and thus weeded out. (Before delivering a message, an ISP would compare the IP address of the server sending the message to a list of valid addresses for the sending domain, much the same way an ISP looks up the IP address of a domain to send a message. Litan calls such enabling technology the equivalent of caller ID for the Internet.)

Although the concept is straightforward, implementation has been slowed because the major Internet players have different ideas about how to tackle the problem. Microsoft developed a real-time address verification standard known as Caller ID, while EarthLink and AOL have been pushing the Sender Policy Framework (SPF) approach. Yahoo came up with a third standard, called DomainKeys. In May, the Caller ID and SPF standards merged into Sender ID. A month later, AOL, EarthLink, Microsoft and Yahoo agreed to test each other's standards. Although antiphishing advocates are cheered by this level of cooperation, it will take at least a year - and possibly as long as five to seven years - before all the details are ironed out and the standard is implemented. That implementation requires upgrades to Internet domain servers, e-mail and browser software.

"The only downside is that every mail server in the world has to get upgraded," says Jevans. "How long is that going to take?"
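
As an added illustration (not part of the original article), the Python sketch below carries out the check described above using SPF record syntax: it looks up the policy the sending domain has published and tests the connecting server's IP address against it. The domains, addresses, the PUBLISHED_POLICIES table (a constructed stand-in for DNS lookups) and the gateway_action policy are assumptions, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (reserved documentation domains/addresses).
PUBLISHED_POLICIES = {
    "bank.example": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 ip6:2001:db8:25::/48 -all",
    "shop.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    # "nopolicy.example" publishes nothing, so nobody can verify its mail.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(sender_domain, connecting_ip, policies=PUBLISHED_POLICIES):
    """Return an SPF-style result for mail claiming to come from sender_domain."""
    record = policies.get(sender_domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":  # catch-all: decides every sender not matched earlier
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # include, a, mx, redirect ... need further DNS queries; out of scope here.
            return "unsupported"
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"
        if network.version != int(name[2]):
            return "permerror"  # e.g. an IPv6 range listed under ip4
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a match or an "all" term


def gateway_action(result):
    """Hypothetical gateway policy mapping a check result to a handling decision."""
    return {"pass": "deliver", "fail": "tag-as-fraud",
            "softfail": "tag-as-suspect"}.get(result, "deliver-unverified")


if __name__ == "__main__":
    for domain, ip in [("bank.example", "192.0.2.10"), ("bank.example", "203.0.113.77"),
                       ("shop.example", "192.0.2.10"), ("nopolicy.example", "192.0.2.10")]:
        result = check_sender(domain, ip)
        print(f"{domain:18} from {ip:14} -> {result:9} {gateway_action(result)}")
```

SPF evaluates the envelope sender domain given in the SMTP conversation, which can differ from the "from" line a recipient sees. A domain that publishes no record returns "none", so receivers have nothing to check forged mail against.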

Fortunately, there are steps you can take to protect your company in the meantime.

BEST PRACTICES:

1. Publish your mail server addresses. Some vendors have already begun incorporating Sender ID into their products, so companies should make sure they record the IP addresses of their outbound mail servers with their ISP or domain name registrar. Companies already register their domain names and corresponding IP addresses so they can receive mail. Rounding up the IP addresses of all servers authorized to send mail on behalf of the company is a relatively simple step. Taking it will ensure that anyone using sender authentication can reject e-mails that attempt to spoof your company.

2. Educate customers. People who know about phishing stand a better chance of resisting a phisher's hook. "While you're waiting for the technology, the best defence is that a consumer has heard of phishing," says Patricia Poss, an attorney with the Bureau of Consumer Protection at the US Federal Trade Commission. "They're going to think twice" about replying to any e-mail or pop-up that requests personal information.

Warn your customers about the dangers of phishing; let them know you'll never ask for their account number, password, Tax ID number or any other personal information via e-mail. Encourage them to avoid clicking on e-mail links to reach you; they should instead type your company's URL directly into a new browser window.

PayPal interrupts its own log-in screens periodically with a phishing warning. "Users have to click through [the warning] to get to the main screen," Miller says. A Security Centre on PayPal's site includes an e-commerce safety guide, fraud protection tips for buyers and sellers, a link to let users report spoof e-mails, and a prominent reminder to log into PayPal by opening a new browser window and typing in the URL.

A target of phishers since early 2003, EarthLink also focuses its efforts on increasing customer awareness, says Linda Beck, executive vice president of operations for the ISP. In addition to creating customer education pieces, EarthLink developed its own ScamBlocker toolbar, which it offers free to anyone on its Web site. ScamBlocker relies on a blacklist of known phisher sites to warn users when they attempt to access a site on that list. (In fact, EarthLink shares blacklist data with eBay, which has its own antifraud toolbar.) EarthLink's education efforts and its investment in developing ScamBlocker appear to be paying off. Although it once got 40,000 calls per attack, EarthLink's call centre now fields from 10,000 to 12,000 phisher-related calls per month. As a result, the cost per attack has fallen from a peak of $US115,000 to a little more than $US40,000.

Companies can also point customers to a free browser extension known as SpoofStick, which can be downloaded at www.corestreet.com/spoofstick. SpoofStick helps users detect a spoof; visiting a spoofed eBay site, for example, brings up a toolbar message along the lines of "You're on 10.19.32.4" instead of "You're on eBay.com".

3. Establish online communication protocols. Now that phishing has become a fact of life, companies need to be careful about how they use e-mail to communicate with customers. In May, Wachovia's phones started ringing off the hook after the bank sent customers an e-mail instructing them to update their online banking user names and passwords by clicking on a link. Although the e-mail was legitimate (the bank had to migrate customers to a new system following a merger), a quarter of the recipients questioned it. Frankly, Wachovia should have known better.

As Wachovia discovered, companies need to think their customer communication protocols through clearly. For example: All e-mails and Web pages should have a consistent look and feel, all e-mails should greet customers by first and last name, and a company shouldn't ask for personal or account data via e-mail. If any time-sensitive personal information is sent through e-mail, it has to be encrypted. Although e-mail marketers may wring their hands at the prospect of not sending customers links that would take them directly to targeted offers, instructing customers to bookmark key pages or linking to special offers from the home page would be a lot more secure.

It also makes sense to revisit what customers are allowed to do on your Web site. They should not be able to open a new account, sign up for a credit card or change their address online with just a password. Although stronger authentication is ideal (see number 6), at minimum companies should acknowledge every online transaction through e-mail and one other method of the customer's choosing (such as calling the phone number on record) so that customers are aware of all online activity on their accounts. And to prevent phishers from copying your online data capture forms, don't put them on your Web site for all to see. Instead, require secured log-in to access e-commerce forms.

4. Create a response plan now. Before you become a target, establish a cross-functional antiphishing team and develop a response plan so that you're ready to deal with any attacks. Ideally, the team should include representatives from IT, communications, PR, marketing, Web, customer service and legal services. "If you wait until an attack hits you, it's definitely too late," advises APACS's Salmond.

First, hammer out how you'll inform customers of an attack. Post news of new phishing e-mails targeting your company on your Web site, reiterating that they are not from you and that you didn't - and wouldn't - ask for such information. "If your company is hit, the information should already be on your Web site, instead of responding two days later," says the FTC's Poss. If it's your first attack, you might also want to alert customers via e-mail.

Employees at all customer contact points need to know what to say and do if a customer reports a new phishing attack. Salmond recommends developing appropriate scripts for each customer contact point. If you do detect fraud, you need to have a codified process to follow to alert affected customers and give them new account numbers and passwords.

A good response plan should also outline whom to contact at the various ISPs to get a phisher site shut down as quickly as possible. Identifying law enforcement contacts ahead of time will give you a better chance of bringing the perpetrator to justice.

Now that EarthLink has formalized procedures with other ISPs, it can usually shut down a US-based phisher site within two days, down from the seven days it took in April 2003. Overseas sites are a different matter; those tend to take 20 to 22 days to shutter. The FBI's Curran recommends using software tools to capture links on the phisher Web site before it's shut down; this will let law enforcement recreate the phisher site forensically to determine how the victims' info was captured and where it was sent.

5. Proactively monitor for phishers and fraud. Phishers usually set up the fake sites that will collect responses about eight days before sending out phishing e-mails. So one way to stop them from swindling your customers is to find and shut down these "landing" sites before they launch their e-mail campaigns. You can outsource the search for phishing sites to a fraud alert service. Such services use technologies that crawl the Web looking for unauthorized uses of your logo or newly registered domains that contain your company's name, either of which might be an indication of an impending phishing attack. Some fraud alert services also take aggressive actions to counter attacks, such as launching something akin to a denial-of-service attack that keeps phishers' servers busy so that they can't accept customer information.

MasterCard recently announced a partnership with NameProtect, a fraud detection and alert service. If NameProtect detects suspicious activity, MasterCard alerts law enforcement and the banks that issue its cards. The service also keeps tabs on black-market Web sites where fraudsters often try to sell stolen account information (known as phish). If anyone tries to sell MasterCard accounts, NameProtect notifies MasterCard, which in turn tells the issuing banks so that they can protect themselves and their cardholders from having card accounts compromised. Although MasterCard has such a well-developed list of contacts in the ISP community that it can usually shut down a phisher site within two days, sometimes it allows phisher sites to stay up long enough to capture the evidence needed to prosecute the phishers. "We get all the information being lured into the site so we can provide it to the financial institutions so they can block the [affected] accounts," says Sergio Pinon, senior vice president of security and risk services at MasterCard.

Existing fraud detection systems can be fine-tuned to pick up on a phishing fraud, by making them more sensitive to address changes, new account applications and out-of-character transactions. PayPal's Miller says his company's fraud and spoof detection systems run around the clock. If a PayPal member who typically makes an eBay purchase of around $40 every few months suddenly appears to be making a $4000 purchase, PayPal can pick up on that unusual activity within an hour. "We might call and say: 'Did you make this purchase? Are you really buying a plasma TV?' If not, it's very easy for us to contact the merchant and say: 'Don't ship the item, it's not authorized by the buyer'," says Miller. PayPal would then set in motion a process that includes giving the PayPal member a new account number and having her choose a new password. It would also kick off an investigation to collect information on the incident to pass along to law enforcement agents.

Such vigilance is slowly starting to pay off in court. In February, Alec Scott Papierniak, a Minnesota scammer who phished PayPal members, pleaded guilty to wire fraud in US federal court. In May, Zachary Keith Hill of Houston was sentenced to almost four years in prison for defrauding consumers of personal financial information in phishing schemes that spoofed AOL and PayPal.
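
The screening of newly registered domains described under practice 5 can be sketched as follows; this is an added example, not code from the article or from any fraud alert service. The registration feed, the OWNED allow-list and the look-alike digit table are constructed assumptions; "mycitibank.net" and "aolaccountupdate.com" are the cousin domains the article itself cites.

```python
# Digits commonly swapped in for letters in look-alike names (small illustrative set).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample data: a day's registration feed, the brands to watch, and
# an assumed allow-list of domains the brand owners actually control.
NEW_REGISTRATIONS = ["mycitibank.net", "aolaccountupdate.com", "www.paypal.com",
                     "paypa1-secure.example", "citybank.example",
                     "gardening-tips.example"]
BRANDS = ["citibank", "aol", "paypal"]
OWNED = {"citibank.com", "aol.com", "paypal.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_brand(host, brands):
    """Return (brand, reason) if any label of host resembles a watched brand."""
    # Simplification: the last label is treated as the TLD; production code
    # should split on the Public Suffix List instead.
    labels = [label.translate(LOOKALIKES) for label in host.split(".")[:-1]]
    for brand in brands:
        for label in labels:
            if brand in label:
                return brand, "contains brand name"
            # Near-miss test only for longer brands; three-letter names sit one
            # edit away from too many ordinary words.
            if len(brand) >= 5 and edit_distance(label, brand) <= 1:
                return brand, "near-miss spelling"
    return None


def flag_cousins(new_domains, brands, owned):
    """List (domain, brand, reason) for registrations worth a human look."""
    findings = []
    for domain in new_domains:
        host = domain.lower().rstrip(".")
        if host in owned or any(host.endswith("." + o) for o in owned):
            continue  # the brand owner's own domain or a subdomain of it
        hit = match_brand(host, brands)
        if hit:
            findings.append((domain, *hit))
    return findings


if __name__ == "__main__":
    for domain, brand, reason in flag_cousins(NEW_REGISTRATIONS, BRANDS, OWNED):
        print(f"{domain:26} {brand:10} {reason}")
```

A hit is a lead for review, not a verdict: substring matching on a short brand such as "aol" will also catch unrelated names.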

6. Make yourself a difficult target. Perhaps the most important thing you should do is examine whether your authentication process is strong enough. Miller, who declined to divulge any details about the impact of the June 25 phishing attack, says PayPal is looking at a host of stronger authentication options, including giving users tokens from RSA Security, which would create a new password every 60 seconds. PayPal is also considering biometric techniques such as collecting a voiceprint from customers. Several European banks are already experimenting with stronger authentication methods for online banking and payment authorization. Scandinavia's Nordea gives customers a scratch-off card (similar to a lottery ticket) that contains one-time-use passwords that customers use along with their chosen password. Barclays is piloting handheld smart-card readers for its MasterCard customers. When a cardholder wants to make a purchase online, he puts his card (which contains a smart chip) into the portable card reader and punches his PIN in. The device then displays a secure, one-time code that the customer enters into a pop-up box on the retailer's Web site. Salmond of APACS says that the devices cost less than $10.

The key, of course, is making sure customers will use these tools. "You can give customers a whole range of different tools to identify themselves," says Salmond, "but if they then hand over their password or credit card number to a third party," such techniques offer no protection whatsoever. And if phishers can access your customers' accounts - or, worse, steal their identities - it's your brand, and your bottom line, that will suffer.

SIDEBAR: Test Your Phishing Acumen

E-mail security vendor MailFrontier offers a challenging quiz to test your phishing IQ. View 10 real-life examples of suspect e-mail messages, then decide - legitimate or fraud? Go to: survey.mailfrontier.com/survey/quiztest.html and see how you do.

SIDEBAR: More Resources in the Phishing Fight

The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and e-mail spoofing. Check out APWG's incredibly useful site, which publishes monthly phishing attack trend reports and offers annotated examples of current phishing scams as well as an archive of past phishing e-mails.

Trusted Electronic Communications Forum (TECF) is a new organization formed by companies in the retail, financial services, telecommunications and high-tech industries to combat phishing, spoofing and identity fraud. One of the group's first initiatives is hammering out what it calls a Trusted Dialog standard. The idea is to offer free plug-ins for e-mail clients which will review all messages and flag as potentially fraudulent any that purport to be from an organization using the TECF spec but are not properly signed by that organization. TECF's goal is to have plug-ins available this northern autumn.

TECF's Board of Governance includes representatives from ABN AMRO, AT&T Wireless, Best Buy, Charles Schwab, CipherTrust, DIRECTV, E*Trade, Fidelity Investments, GE Access, HSBC, IBM, National City Bank, PostX Corporation, Royal Bank of Scotland and Siebel Systems.

SIDEBAR: Ten Tips for a Spoof-Proof Life

Some helpful hints for your employees and customers

  • Treat with caution any unsolicited e-mail that purports to come from a trusted company.
  • If you're suspicious about an e-mail, don't click on any links. Don't even cut and paste a link into your browser. Open a new browser window and type the URL for the company yourself. Hyperlinks can show you one thing, but send you somewhere else.
  • Be suspicious of e-mails that don't greet you by name. A message that says "Dear eBay customer" probably is not from eBay.
  • Ask yourself: Why is the company writing to me about this? If you have any doubts, call the company or go to its Web site on your own.
  • Don't click on any attachments: They could contain viruses or spyware that records where you go online and captures any passwords or credit card numbers you type online.
  • Look for "https" in URLs displayed in your browser's address bar. The "S" stands for secure. If you don't see it, you're not in a secure Web session and shouldn't enter any personal or financial data.
  • Another clue: If you see an @ sign in the middle of the URL, there's a good chance this is a phishing site. Legitimate companies use the domain name in their Web address (www.company.com), and don't have an @ sign in their URL address.
  • Maintain up-to-date firewalls and security patches.
  • If your information is compromised, get a fraud alert placed on your credit report.
  • Visit The Federal Trade Commission's ID Theft page (www.consumer theft) for more information on how to protect yourself from identity theft.