The message looks official, absolutely genuine. It's purportedly from a familiar company — it could even be your company — warning readers that their account has been suspended for security purposes and asking them to visit a "secure" Web site to provide credit card and other personal and financial information.
But the message isn't legitimate. Its originating address — as well as the Web site's address — has been "spoofed," carefully disguised to hide its real identity. Both message and Web site are the handiwork of an identity thief on a "phishing" expedition.
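The two disguises this paragraph describes, a spoofed originating address and a disguised Web site address, are the kind of thing an inbound-mail filter or a security-awareness tool can check for. The following Python is an added example, not code from the article or from any company it names. The sample message is constructed, and the specific heuristics (comparing the From: domain with the Return-Path domain, flagging link text that names a different site than the underlying href, and flagging link targets that are bare IP addresses) are this example's assumptions about how such disguises are typically detected; the article itself describes the disguise only in general terms.

```python
"""Added example: surface a spoofed sender and a disguised link in an e-mail.

Constructed sample data and heuristic checks; not the article's own code.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: looks like it comes from a payments company, but the
# bounce address and the real link target point somewhere else entirely.
SAMPLE_RAW = """From: "Example Payments Security" <security@example-payments.com>
Return-Path: <bounce@mail-relay.example.net>
To: customer@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been suspended for security purposes.</p>
<p>Please visit <a href="http://203.0.113.5/login">https://www.example-payments.com/secure</a>
to restore access.</p>
</body></html>
"""

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lowercase hostname of a URL, or of bare text that looks like a URL."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Production code should consult the public suffix list instead."""
    if IPV4.match(host):
        return host
    return ".".join(host.split(".")[-2:])


def sender_mismatch(msg):
    """Flag a From: domain that differs from the Return-Path (bounce) domain.
    Legitimate bulk senders often differ here too, so this is one signal, not proof."""
    _, from_addr = parseaddr(str(msg["From"]))
    _, return_addr = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    ret_dom = return_addr.rpartition("@")[2].lower()
    if return_addr and _registrable(from_dom) != _registrable(ret_dom):
        return [f"From domain {from_dom} does not match Return-Path domain {ret_dom}"]
    return []


def deceptive_links(html):
    """Flag anchors whose visible text names a different site than the real
    target, and anchors whose real target is a bare IP address."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = _host(href)
        if IPV4.match(real):
            findings.append(f"link target is a bare IP address: {href}")
        if URL_LIKE.match(text) and _registrable(_host(text)) != _registrable(real):
            findings.append(f"link text shows {_host(text)} but points to {real}")
    return findings


def analyze(raw):
    """Run both checks over a raw RFC 822 message and return all findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return sender_mismatch(msg) + deceptive_links(html)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW):
        print("-", finding)
```

On the constructed sample, `analyze` returns three findings: the From/Return-Path domain mismatch, the bare-IP link target, and the link text that names the payments company while pointing elsewhere. Each is a signal to weigh alongside others (authentication results, reputation of the target host), not a verdict on its own.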
Phishing — the practice of using bogus E-mails to separate people from their money — isn't a new practice. But activity is picking up as phishers hone their talents, produce increasingly realistic E-mails and Web sites, and victimize a growing number of consumers. "They've just really taken off, and the bad guys have gotten more sophisticated," says Hani Durzy, a spokesman for eBay.
The Web auction company, along with its PayPal electronic payments unit, is frequently "impersonated" by phishers. Indeed, before identity thieves can target consumers, first they must impersonate a trusted business — perhaps your business. Besides eBay, hundreds of companies, including such icons as American Express, Citibank, Visa, and Microsoft, have had to deal with business identity theft. "Any company operating in high-transaction volume, business-to-consumer environments is exposed," says David J. Santoro Jr., senior manager of finance and performance management for consultancy Accenture. "It's a major threat."
Phishing Lures
MessageLabs, an E-mail security firm that monitors corporate Internet traffic, reports that phishing E-mails rose from 279 in September 2003 to 227,050 in January 2004. The scams are proliferating because they can be very profitable for their perpetrators. Some analyst estimates place the success rate of phishing E-mails at about 1 in every 20 recipients.
One reason for the relatively high success rate is that phishers are becoming more skilled at concocting realistic-looking E-mails and Web sites. "A year ago, it was relatively easy to spot it as a spoof E-mail, because of bad sentence structure, bad grammar, misspellings, and things like that," says Durzy. Today, phishers' E-mails and Web sites look real enough to fool all but the trained viewer's eye.
The improved quality of phishers' lures is a sign that, contrary to the widespread perception, most business identity thieves aren't unemployed young men sitting in their parents' basements. "The people usually behind the attacks are career criminals in organized rings that deploy numerous schemes in obtaining identities from online and offline sources," says Santoro.
Phishers use a variety of techniques to target unsuspecting consumers. Unsophisticated operatives adopt a scattershot approach, sending phishing lures to any E-mail address they can get their hands on, usually acquiring the data from legitimate sources such as direct marketing firms. More cunning phishers use E-mail lists of their target business' customers — often obtained illegally from current or former company employees.
As phishing attacks increase, affected companies are spending a growing amount of time and money dealing with the consequences. Besides the burden of coping with legions of angry victims, companies also suffer less-quantifiable costs in terms of damage to their reputation and credibility. For affected firms, the cost of dealing with attacks can quickly add up. eBay, for example, has more than 800 people in various departments — ranging from fraud investigation to customer service — dealing with business identity theft matters on a full-time or part-time basis.
Although eBay and most other high-profile phishing targets take a very proactive approach to the problem, the immediate reaction of many first-time victims of business identity theft is to make believe the incident never happened or to keep it a secret. Such approaches are doomed to failure, however, since innocent consumers are left in the dark and the problem is just likely to recur and grow. "Businesses have to be open and forthright about these incidents," says Frank Abagnale, the former identity thief and current security consultant whose fictionalized exploits were the subject of the recent Steven Spielberg movie Catch Me If You Can. "I encourage companies to be honest about the problem and immediately notify their customers," he says.
When Abagnale client Discover Business Financial Services was alerted to a phishing attack on its Discover Card customers last year, the company launched an immediate information campaign. "Discover told its customers: 'If you receive an E-mail like this, please notify us immediately so that we can check your account, put a flag on it or do whatever it is that we need to do,'" says Abagnale. "Discover did the right thing; they confronted the problem head-on."
Hooking the Phishers Themselves
Since phishing expeditions can recur over weeks, months or even years, most companies that suffer an attack want to catch the responsible individuals as soon as possible. But apprehending a phisher is not unlike trying to land a wily trout — both creatures tend to be slippery and are adept at hiding in shadowy places.
Reader Comments
Jesse Rothschild
Dec 18, 2006 12:27 PM ET
EarthLink/Mindspring supports Phishers
I found this article interesting in light of recent events. A PayPal phishing site has been hosted on … more