The message looks official, absolutely genuine. It’s purportedly from a familiar company — it could even be your company — warning readers that their account has been suspended for security purposes and asking them to visit a “secure” Web site to provide credit card and other personal and financial information.
But the message isn’t legitimate. Its originating address, like the address of the Web site it points to, has been “spoofed,” carefully disguised to hide its real identity: the From header is forged, and the link’s visible text names a trusted domain while its real destination is a server the phisher controls. Both message and Web site are the handiwork of an identity thief on a “phishing” expedition.
Phishing — the practice of using bogus E-mails to separate people from their money — isn’t new. But activity is picking up as phishers hone their talents, produce increasingly realistic E-mails and Web sites, and victimize a growing number of consumers. “They’ve just really taken off, and the bad guys have gotten more sophisticated,” says Hani Durzy, a spokesman for eBay.
The Web auction company, along with its PayPal electronic payments unit, is frequently “impersonated” by phishers. Indeed, before identity thieves can target consumers, first they must impersonate a trusted business — perhaps your business. Besides eBay, hundreds of companies, including such icons as American Express, Citibank, Visa, and Microsoft, have had to deal with business identity theft. “Any company operating in high-transaction volume, business-to-consumer environments is exposed,” says David J. Santoro Jr., senior manager of finance and performance management for consultancy Accenture. “It’s a major threat.”
Phishing Lures
MessageLabs, an E-mail security firm that monitors corporate Internet traffic, reports that phishing E-mails rose from 279 in September 2003 to 227,050 in January 2004. The scams are proliferating because they can be very profitable for their perpetrators. Some analysts estimate that about 1 in every 20 recipients of a phishing E-mail falls for it.
One reason for the relatively high success rate is that phishers are becoming more skilled at concocting realistic-looking E-mails and Web sites. “A year ago, it was relatively easy to spot it as a spoof E-mail, because of bad sentence structure, bad grammar, misspellings, and things like that,” says Durzy. Today, phishers’ E-mails and Web sites look real enough to fool all but a trained eye.
The improved quality of phishers’ lures is a sign that, contrary to popular perception, most business identity thieves aren’t unemployed young men sitting in their parents’ basements. “The people usually behind the attacks are career criminals in organized rings that deploy numerous schemes in obtaining identities from online and offline sources,” says Santoro.
Phishers use a variety of techniques to target unsuspecting consumers. Unsophisticated operatives adopt a scattershot approach, sending phishing lures to any E-mail address they can get their hands on, usually acquiring the data from legitimate sources such as direct marketing firms. More cunning phishers use E-mail lists of the target business’s customers — often obtained illegally from current or former company employees.
As phishing attacks increase, affected companies are spending a growing amount of time and money dealing with the consequences. Besides the burden of coping with legions of angry victims, companies also suffer less-quantifiable costs in terms of damage to their reputation and credibility. For affected firms, the cost of dealing with attacks can quickly add up. eBay, for example, has more than 800 people in various departments — ranging from fraud investigation to customer service — dealing with business identity theft matters on a full-time or part-time basis.
Although eBay and most other high-profile phishing targets take a very proactive approach to the problem, the immediate reaction of many first-time victims of business identity theft is to pretend the incident never happened or to keep it secret. Such approaches are doomed to fail, however: innocent consumers are left in the dark, and the problem is likely to recur and grow. “Businesses have to be open and forthright about these incidents,” says Frank Abagnale, the former identity thief and current security consultant whose fictionalized exploits were the subject of the recent Steven Spielberg movie Catch Me If You Can. “I encourage companies to be honest about the problem and immediately notify their customers,” he says.
When Abagnale client Discover Business Financial Services was alerted to a phishing attack on its Discover Card customers last year, the company launched an immediate information campaign. “Discover told its customers: ‘If you receive an E-mail like this, please notify us immediately so that we can check your account, put a flag on it or do whatever it is that we need to do,’ ” says Abagnale. “Discover did the right thing; they confronted the problem head-on.”
Hooking the Phishers Themselves
Since phishing expeditions can recur over weeks, months or even years, most companies that suffer an attack want to catch the responsible individuals as soon as possible. But apprehending a phisher is not unlike trying to land a wily trout — both creatures tend to be slippery and are adept at hiding in shadowy places.
In response to the growing number of attacks, law enforcement agencies are starting to give phishing cases a higher priority. “Law enforcement has been stepped up and has become aggressive in fighting this fraud,” says Tim Mohr, a senior manager with New York-based FirstGlobal Investigations, a division of accounting firm BDO Seidman. Mohr notes that the Federal Bureau of Investigation, the Federal Trade Commission, and the U.S. Secret Service have all begun targeting business identity theft crimes. “The most active law enforcement agency is the U.S. Postal Inspection Service, which has been able to use the mail and wire fraud statutes to prosecute,” he notes.
While U.S. law enforcement agencies are becoming more responsive, phishing is a problem that extends far beyond the nation’s borders. Thanks to the Internet’s international scope, business identity thieves can work from almost any spot in the world. Russia, Eastern Europe, and Asia are all major phisher hotspots. Romania has been particularly active; so far, over 100 people have been arrested by Romanian authorities for phishing-related activities. Last September, the U.S. Secret Service and Romanian police apprehended a particularly notorious phisher: Dan Marius Stefan, who established an elaborate network of bogus Web sites and escrow accounts to fraudulently collect nearly $500,000 from eBay customers. Stefan is currently serving 30 months in a Romanian prison.
Although the Stefan case and several other isolated arrests and convictions have made headlines, phisher arrests and convictions remain rare. “Few legal remedies are available to a company that has been victimized,” says Accenture’s Santoro. “Once the crime has been committed, loss recovery is extremely unlikely.”
Business identity theft needs to be an integral part of an enterprise’s comprehensive fraud detection and prevention program, says FirstGlobal’s Mohr. He suggests a multi-level approach to countering phishers and their data suppliers, including pre-employment and employment screening, ethics and integrity policies, training and awareness programs, an anonymous fraud hotline, employee education, and the creation of fraud investigation teams.
Companies are also banding together to share identity protection strategies. The Anti-Phishing Working Group (APWG) was formed last fall to serve as an information clearinghouse. The group’s 180-plus members include businesses, law enforcement agencies, technology vendors, and financial firms. “It’s a good sign that all the interested parties are joining together to fight this very serious problem,” says eBay’s Durzy.
Many companies are beginning to turn the tables on phishers by acquiring their own technical firepower. While it’s impossible to stop a phisher from stealing a company’s identity, an enterprise can at least take steps to stop phishers, employees, and former employees from breaking into corporate databases and stealing customer information. Companies such as Computer Associates International, Novell, and CoreStreet offer tools that are designed to protect business records. Additionally, by making subtle changes to their Web sites, such as adding digital watermarks, businesses can make it more difficult for phishers to set up direct copies of corporate sites.
Businesses are also starting to get help from software publishers and Internet service providers, which are beginning to offer consumer-targeted anti-phishing tools. EarthLink, for example, recently introduced ScamBlocker, a free program that’s designed to actively prevent its subscribers from disclosing information to phishers. With the software installed, users who click on an E-mail link leading to a known phisher Web site are instead redirected to an EarthLink security site.
Another anti-phishing program, available to users of any Internet service provider, is CoreStreet’s Spoofstick. This browser plug-in displays the real domain name of any site a user visits, regardless of how the link was dressed up in the E-mail. So if a user clicks on a genuine eBay link, it will display, “You’re on eBay.com.” Click on a phisher link and the software displays something else: the site’s genuine domain name.
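As an added illustration (not part of the original article, and not CoreStreet’s or EarthLink’s code), the following Python shows what a Spoofstick-style “real domain” display has to compute, and applies the same logic to the links in a constructed phishing E-mail of the kind described at the start of this article, flagging any link whose visible text names one domain while its href leads to another. The sample message, host names and IP address are made up; the two-label rule for the registrable domain is a simplification of what browsers do with the Public Suffix List.

```python
"""Added example, not from the article: compute the host a link really leads
to (what a Spoofstick-style toolbar displays) and flag E-mail links whose
visible text names one domain while the href points somewhere else.
All sample data below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML E-mail body. Link 1 uses the 'user@host' trick: the part
# before '@' is ignored by browsers, so it really goes to 203.0.113.5.
# Link 2 is genuine. Link 3 shows a PayPal address but leads to a look-alike.
SAMPLE_EMAIL = """
<p>Your account has been suspended. Please verify at
<a href="http://www.ebay.com@203.0.113.5/verify">https://www.ebay.com/secure</a></p>
<p>Help: <a href="https://pages.ebay.com/help">pages.ebay.com/help</a></p>
<p><a href="http://www.paypa1.com.example/login">www.paypal.com</a></p>
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# A host or URL-looking string inside link text, e.g. 'www.ebay.com/secure'.
HOSTLIKE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def real_host(url: str) -> str:
    """Host a browser would connect to. urlsplit().hostname drops any
    'user:pass@' prefix, so the decoy 'www.ebay.com@' is discarded."""
    if "://" not in url:
        url = "http://" + url          # scheme-less links default to http
    host = urlsplit(url).hostname      # already lower-cased, port removed
    return host or ""


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Simplification: browsers consult the Public Suffix List so that
    'shop.example.co.uk' is handled; the .com hosts here don't need it."""
    if IPV4.fullmatch(host):
        return host                    # an IP address has no registrable domain
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def spoofstick_banner(url: str) -> str:
    """Text a Spoofstick-style toolbar would show for the page a link opens."""
    return f"You're on {registrable_domain(real_host(url))}"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """For each link, compare the domain the reader sees with the one the
    href really leads to; a mismatch is the spoofing the article describes."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        actual = real_host(href)
        m = HOSTLIKE.search(text)
        shown = m.group(1).lower() if m else None
        suspicious = bool(shown is not None and
                          registrable_domain(shown) != registrable_domain(actual))
        report.append({"href": href, "shown": shown, "actual": actual,
                       "suspicious": suspicious})
    return report


if __name__ == "__main__":
    for entry in check_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} shown={entry['shown']!s:18} actual={entry['actual']}")
    print(spoofstick_banner("http://www.ebay.com@203.0.113.5/verify"))
```

The first sample link is the case Spoofstick was built for: the reader sees “www.ebay.com” in both the link text and the start of the address, but the browser discards everything before the “@” and connects to the IP address. The check only trusts what the URL parser says the host is, never the text around it; a real deployment would swap the two-label rule for a Public Suffix List lookup and would also consult a blocklist of known phishing hosts, as the ScamBlocker description above implies.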
While software may help slow the phishing tide, technology alone is unlikely to eradicate the problem. “There’s not a canned or off-the-shelf solution,” says Accenture’s Santoro. “Going out and buying a piece of software will not fix the problem.” So, like spam and viruses, phishing will probably be around for years to come, perhaps forever. “That’s a disquieting thought,” says Abagnale. “But it’s also a call to action for businesses that cherish and want to safeguard their identities.”
John Edwards is a freelance writer based in Gilbert, Arizona.