Just more than a year ago, phishing schemes caught most financial institutions by surprise, and quickly developed into wide-scale attacks. But the industry reacted swiftly and effectively to the increasing number of fraudulent e-mails being sent out in their names, according to two new research reports from The Tower Group.
Phishing happens when fraudsters try to trick people into giving them personal financial data, such as credit card numbers, bank account information, passwords or Social Security numbers. Perpetrators use e-mail and fraudulent Web sites to fool victims into thinking their bank or another legitimate business is asking them to update account information. Financial institutions are frequently the targets of such phishing scams.
Most of the larger banks now have a person or team dedicated to coordinating anti-phishing activities such as preventing, detecting, halting and recovering from phishing attacks using a variety of technology tools and best practices, according to the report. These banks also are continually evaluating and deploying new methods and coordinating their efforts with peer institutions, legal authorities and industry associations.
“Lest this picture seem too rosy, remember that phishing attacks are getting more sophisticated all the time…” the authors wrote. “Financial institutions must be proactive and vigorous in updating technologies and practices to keep abreast of constantly evolving techniques of data theft and fraud. The true costs of phishing and related cybercrimes are far greater than the reported fraud losses themselves.”
The typical phishing e-mail looks like it came from a legitimate company and Citibank and US Bank are often among the top companies targeted. An e-mail from Citibank, for example, would show an official-looking company address and company logo within the body. The e-mail generally directs recipients to a Web page that is a near-perfect replica of the legitimate Web site where viewers are asked to enter personal account information. Any information entered lands directly in the fraudster’s database and can be used to conduct fraudulent transactions on the real Web site.
Financial institutions that are the targets of phishing attacks bear the burden of the costs through direct costs such as customer servicing, antifraud programs and technology expenses to prevent fraud.
The Tower Group estimates that phishing’s direct costs to financial institutions will total more than $200 million this year. Of that, direct fraud losses will account for $137.1 million, far below widely cited levels and just a fraction of the total fraud levels encountered by financial institutions.
But far greater than the direct costs of phishing are the indirect costs posed to a financial institution’s brand, the potential loss of consumer confidence and the risk of losing business or customers, the authors contend.
The Tower Group believes the true number of phishing attacks will total close to 31,300 this year and rise to more than 86,000 in 2005 as the phenomenon spreads to smaller institutions, new merchant/service-provider categories and new global markets. About 80 percent of the current phishing attacks are directed at financial institutions’ brands, according to the report. That ratio is likely to hold for the near term into 2005.
Financial institutions bear the brunt of the consumer fraud losses because they generally refund lost funds to their customers even though the consumer has wrongly provided personal information to a third party (in the classic case of phishing).
No single solution will take care of the phishing problem and financial institutions must instead use a suite of measures. The Tower Group offers six recommendations:
- Customer/general education: Help to build consumer awareness through ad campaigns, Web site materials and customer service representative training.
- E-mail policy: Establish policies that prohibit the use of links in e-mails. Consider e-mail authentication tools that can be implemented with the customer base.
- Authentication strategy: Establish a broad authentication strategy and employ corresponding technologies to provide bilateral authentication to protect the organization and customers.
- Brand protection, enforcement and forensics: Implement technology, processes and staff focused on early detection and mitigation of potential phishing scams.
- Customer data security/privacy: Restrict the practice of providing consumer data for mail lists to third parties, secure corporate servers, encrypt all payment and customer data and implement strict data access controls.
- Online fraud security officer: Assign a security officer responsible for preventing, detecting and responding to online fraud, serving as liaison with law enforcement and participating in industry initiatives such as the Anti-Phishing Working Group.
Industry collaboration is crucial to combat phishing and financial institutions must cooperate with other industries to standardize security measures, according to the report.
“Tower Group believes that collaborative efforts within the financial services industry and with other industries to standardize solutions and processes will be the key to their success,” the authors wrote.
Send tips or a Letter to the Editor to samantha@sandbox.inman.com or call (510) 658-9252, ext. 140.