
Educating Customers About Online Fraud

By Tom Schmidt

If you thought that perpetrators of so-called phishing attacks were standing still, you're in for a rude awakening. Consider:

  • According to the Anti-Phishing Working Group (APWG), more than 1,100 Web sites were used for phishing attacks in October 2004, up 110 percent from the 543 sites reported in September. Almost 6,600 different phishing messages were reported to the group in October. The number of unique phishing emails has grown an average 36 percent each month since July, a spokesman for the APWG said.

  • According to the Federal Trade Commission, more than 10 million Americans were the victims of identity theft in 2004, with an estimated 57 million Internet users receiving a phishing email.

  • eWEEK magazine reported that new attacks are not only circumventing the fledgling DomainKeys system but also using the technology to their advantage. DomainKeys, an email signing technology developed by Yahoo Inc. a year ago and deployed in November, is regarded by many in the security community as one of the best hopes for preventing spammers and phishers from forging email addresses.

  • In perhaps the most disturbing development, security experts now say that "blended phishing" attacks are on the rise. These attacks employ a trusted organization's legitimate site, rather than a mock site and a fake URL address. Specifically, they combine traditional phishing methods with a technique known as cross-site scripting, which can cause serious damage by executing illicit scripts on a victim's browser.

Phishing is a technique used by scam artists who send fraudulent emails to consumers in order to lure them to a Web site that appears to be the home page of a well-known institution. The emails instruct the consumer to leave account information on the site, which the scammers then use for identity theft.
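The "blended phishing" attack described in the last bullet above works because a page on the legitimate site echoes untrusted input back into its HTML, so a link carrying markup makes the institution's own site run the script. The following added example is not part of the original article; the bank notice page, the host name and the URLs are constructed for illustration. It shows the reflected input, the output-encoded fix, a count of the script content a browser would execute in each version, and a `suspicious_params` check that applies the same test to a request's query string, which is one way to triage web-server logs for such attempts.

```python
# Added example (not from the article): reflected cross-site scripting in a
# legitimate site, the output-encoding fix, and a small check for both.
# The bank page, host name and URLs below are constructed for illustration.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hypothetical notice page that displays a 'msg' query parameter.
PAGE = "<html><body><h1>Example Bank</h1><p>{msg}</p></body></html>"


def _msg_param(url: str) -> str:
    """Extract the decoded 'msg' query parameter (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the parameter verbatim: markup in the URL becomes markup in the page."""
    return PAGE.format(msg=_msg_param(url))


def render_hardened(url: str) -> str:
    """Same page, but the untrusted value is HTML-escaped before insertion,
    so '<', '>', '&' and quotes reach the browser as text, not markup."""
    return PAGE.format(msg=escape(_msg_param(url), quote=True))


class _ActiveContentCounter(HTMLParser):
    """Count <script> elements and on* event-handler attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1
        self.count += sum(1 for name, _ in attrs if name.startswith("on"))


def active_content_count(html: str) -> int:
    """Number of script elements and inline handlers a browser would execute."""
    parser = _ActiveContentCounter()
    parser.feed(html)
    parser.close()
    return parser.count


def suspicious_params(url: str) -> list:
    """Names of query parameters whose decoded value contains executable
    markup; usable as a triage filter over web-server request logs."""
    query = parse_qs(urlsplit(url).query)
    return [name for name, values in query.items()
            if any(active_content_count(v) > 0 for v in values)]


# Constructed phishing-style link: the real host, with a harmless marker
# script standing in for the illicit script the article describes.
PHISH_URL = "https://bank.example/notice?msg=%3Cscript%3Ealert(1)%3C/script%3E"
BENIGN_URL = "https://bank.example/notice?msg=Your+statement+is+ready"

if __name__ == "__main__":
    print("vulnerable:", active_content_count(render_vulnerable(PHISH_URL)))  # 1
    print("hardened:  ", active_content_count(render_hardened(PHISH_URL)))    # 0
    print("flagged params:", suspicious_params(PHISH_URL))                     # ['msg']
```

The hardened page still displays the attacker's text, but as inert characters; the parser-based count confirms no script element survives. Counting with a real HTML tokenizer rather than a substring match matters because the escaped form still contains the literal word "script".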

Not surprisingly, the financial services industry has been hit the hardest by these scams. According to a recent report by Gartner Inc., phishing attacks cost banks and credit card companies $1.2 billion in direct losses in 2003. Increasingly, banks have tried to combat phishing by educating their consumers about "spoofed" emails, and some banks now include information about phishing on their Web sites and in monthly statements. But clearly much more needs to be done. Unless customers' security concerns are adequately addressed, the steady growth of e-commerce could be seriously endangered. Indeed, phishing attacks threaten to undermine consumer confidence in email itself -- the very bedrock of Internet-based communication.

Getting the word out

Lately, efforts to disseminate customer education have taken on a new urgency. For example, the Federal Deposit Insurance Corporation (FDIC) in September 2004 issued a detailed advisory to customers of financial institutions. Among its top recommendations:

  • Never click on the link provided in an email if there is reason to believe it is fraudulent. The link may contain a virus.

  • Do not be intimidated by emails that warn of dire consequences for not following their instructions.

  • If there is a question about whether the email is legitimate, go to the company's site by typing in a site address that you know to be legitimate.

  • If you fall victim to a phishing scam, act immediately to protect yourself by alerting your financial institution, placing fraud alerts on your credit files, and monitoring your account statements closely.

  • Ensure that your browser is up-to-date and the latest security patches are applied.

  • Report suspicious emails or calls to the Federal Trade Commission through the Internet at the FTC's Identity Theft Web site, or by calling 1-877-IDTHEFT.

The FDIC has also stepped up its guidance to financial institutions, advising them of the merits of educating customers about fraudulent schemes such as phishing, and how to avoid them. According to the FDIC, this can be done by providing customers with "clear and bold statement stuffers" and by recommending that:

  • A financial institution's Web page should never be accessed from a link provided by a third party. It should only be accessed by typing the Web site name, or URL address, into the Web browser or by using a bookmark that directs the Web browser to the financial institution's Web site.

  • A financial institution should not send email messages that request confidential information, such as account numbers, passwords, or PINs. Financial institution customers should be reminded to report any such requests to the institution.

  • Financial institutions should maintain current Web site certificates and describe how the customer can authenticate the institution's Web pages by checking the properties on a secure Web page.

The FDIC also urges financial institutions to incorporate notification procedures to alert customers about known email and Internet-related fraudulent schemes and to caution them against responding.

The ABA weighs in

Like the FDIC, the American Bankers Association (ABA) has also increased its education efforts lately both to member banks and consumers. Among the key messages the ABA wants banks to convey to consumers:

  • Check your credit card and bank account statements regularly and look for unauthorized transactions, even small ones. Some thieves hope small transactions will go unnoticed. Report discrepancies immediately.

  • When submitting financial information to a Web site, look for the padlock or key icon at the bottom of your browser, and make sure the Internet address begins with "https." This signals that your information is secure during transmission.
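The FDIC guidance above (reach the institution only by a typed address or bookmark) and the ABA message just given (look for "https") amount to a policy that can be written down and checked. The following added example is not from the article; the institution host names and the sample links are constructed for illustration. A link is accepted only when it uses https, carries no user-info before the host, uses the standard port, and names exactly one of the known hosts; the sample links cover the look-alike forms a customer is most likely to meet.

```python
# Added example (not from the article): a link check that applies the FDIC and
# ABA advice in code, accepting only https links whose host is exactly one of
# the institution's known hosts.  Host names are constructed for illustration.
from urllib.parse import urlsplit

# Hypothetical institution hosts, the equivalent of a customer's bookmark.
KNOWN_HOSTS = frozenset({"www.examplebank.test", "online.examplebank.test"})


def check_link(url: str, known_hosts=KNOWN_HOSTS) -> tuple:
    """Return (accepted, reason) for a link a customer received."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, "not https: no padlock, no transport encryption"
    if parts.username is not None or parts.password is not None:
        # 'https://www.examplebank.test@evil.test/' shows the bank's name
        # but connects to evil.test; the part before '@' is user info.
        return False, "user info before '@' hides the real host"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "no host"
    if not host.isascii():
        # Look-alike letters from other scripts (homographs) are rejected
        # outright rather than compared by appearance.
        return False, "non-ASCII host name"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    if host not in known_hosts:
        # Exact match only: 'www.examplebank.test.evil.test' and
        # 'examplebank-secure.test' both fail here.
        return False, f"unknown host {host}"
    return True, "ok"


# Constructed sample links as they might appear in customer email.
SAMPLES = [
    "https://www.examplebank.test/login",
    "http://www.examplebank.test/login",
    "https://www.examplebank.test.evil.test/login",
    "https://www.examplebank.test@evil.test/login",
    "https://www.examplebank.test:8443/login",
    "https://www.exampleb\u0430nk.test/login",  # Cyrillic 'a' in 'bank'
]

if __name__ == "__main__":
    for link in SAMPLES:
        accepted, reason = check_link(link)
        print("ACCEPT" if accepted else "REJECT", link, "-", reason)
```

Only the first sample is accepted. The check deliberately uses exact host membership rather than a "contains the bank's name" test, because every rejected sample does contain the bank's name somewhere in the URL.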

Also, this past July the ABA produced a Webcast specifically for banking executives. The Webcast addressed the most recent phishing trends and how to counteract them; how to help keep customers from being victimized; tips for putting together a process to answer customer questions and how to respond should a customer become a victim; and what law enforcement and regulatory agencies are doing about the problem.

Conclusion

For many financial services companies, the Web is a key channel for acquiring new business and reducing the cost of customer service. If consumers lose confidence in that channel, it will have a wide-ranging, negative impact on these companies' business.

That's why now, more than ever before, financial services companies need to educate their customers about pernicious phishing attacks. The stakes are just too high. For while consumers are clearly the obvious victims of this fastest-growing form of online fraud, phishing spreads the damage around -- hurting financial institutions' reputation and bottom line, and eroding consumers' confidence in the safety of e-commerce.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.