Combating Online Fraud

By Tom Schmidt

What was once a trickle has turned into a flood.

Today, thousands of online fraud attacks are being perpetrated on the customers of financial institutions, with the result that online fraud seriously threatens the brands and reputations of these enterprises, not to mention the confidence of online consumers. Recent reports paint a grim picture: according to the Anti-Phishing Working Group, the number of unique phishing attacks rose from 116 in December 2003 to 1,422 in June -- a 12-fold increase in six months. Moreover, these attacks are expensive; Gartner Inc. estimates that phishing schemes alone have cost banks $1.3 billion.

Insidious techniques

Using techniques such as brand spoofing and phishing, criminals routinely convince unsuspecting online consumers to surrender passwords, account numbers, Social Security numbers, and other personal information. In many cases, this has led to a rise in the already burgeoning problem of identity theft.

  • Brand spoofing: Brand spoofing occurs when the perpetrator sends out legitimate-looking email that appears to originate from large or recognizable companies. Brand-spoofing emails include deceptive content in the body of the message, fraudulently using the spoofed company's logo or convincing text that appears to be legitimate. By hijacking brands, scammers can attract the attention of customers and potential customers of the company. Some emails are so convincing that even savvy users are unable to discern the difference between brand-spoofing email and legitimate communication from the company.

  • Phishing: Of course, for perpetrators of online fraud, brand spoofing itself isn't the goal. The payoff occurs when recipients are fooled into providing personal and financial information. The term for such malicious attempts to collect customer information for the purpose of committing fraud is "phishing" (pronounced "fishing"). In some cases, phishing is accomplished by directing customers to a fraudulent Web site that appears to be legitimate. This site includes instructions or forms that allow the scammer to obtain bank account numbers, addresses, and Social Security numbers -- all the data necessary to commit identity theft.

  • Identity theft: Brand spoofing and phishing are likely to exacerbate what was already a pressing problem for many customers of companies in a range of industries, including financial services. Identity theft is the number one concern among consumers contacting the Federal Trade Commission. Two studies completed in June 2003 by Gartner Research and Harris Interactive found that approximately 7 million people were victims of identity theft in the previous twelve-month period -- a significant increase from the previous year. The aftermath of identity theft includes an average of 600 hours per victim to recover from the crime, at a huge cost in lost potential income. Moreover, a 2003 report concluded that business losses range from $40,000 to $92,000 per name in fraudulent charges.

A clearer picture emerges

Thanks in part to the efforts of organizations such as the Anti-Phishing Working Group, a clearer picture of these online threats is beginning to emerge. For example, customers of companies in the financial sector (led by attacks on Citibank and U.S. Bank) and the online retail sector (led by attacks on eBay and PayPal) are most often attacked. (Citibank customers alone were the target of 492 separate attacks in June.) Also, phishing Web sites have short lives, with an average lifespan of 2.25 days. About one-quarter of phishing sites are hosted on hacked Web servers. And almost all phishing Web sites (94 percent) enable their developers to remotely download captured personal data.

Scope of the threat

While the direct costs of these new threats have been variously estimated, no report has taken into account the indirect costs that are also sustained by financial institutions. Consider: customer trust forms the foundation of the financial services industry. Without this fundamental underpinning, the entire financial services model breaks down. Customers must be able to trust their financial institutions to protect their privacy and ensure the accuracy of transactions. Phishing attacks threaten this consumer confidence by undermining their trust in online transactions. That's why many industry observers view phishing as nothing less than a primary threat to the future of online banking.

Consider, too, that customer service and support costs rise as a result of the flood of service-center calls received from customers as they try to verify the legitimacy of emails they have received or try to recover from the theft of their identity.

Fighting back

With reports suggesting that a significant percentage of online banking customers are changing their behavior as a result of phishing attacks, what steps can financial institutions take to mitigate online fraud? A multi-pronged approach is called for, including these components:

  • An email fraud detection, filtering, and alerting network

  • Online customer education

  • A desktop security assessment capability for customers of financial institutions

  • The means for customers to acquire the products and services needed to improve their level of protection

Central to the success of any anti-fraud program is the ability to intercept fraudulent email before it reaches the mailboxes of potential victims. In broad outline, this means working with ISPs and monitoring the Internet for fraudulent email, identifying fraud attacks, and deploying anti-fraud rules in the form of continually updated filters that block fraudulent messages from reaching consumers. Financial institutions must be promptly alerted when an attack is under way so that they can set in motion incident response procedures.

It should be pointed out that, unlike spam, fraud attacks can be difficult to detect without expert inspection and detection algorithms. An anti-fraud program needs both human experts and technological means to identify fraud attacks at their earliest stages. In addition, financial institutions need a mechanism for gathering information on email fraud perpetrators that aids the prosecution of offenders and the protection of legal rights to brand, trademarks, and other intellectual property.
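To make the filtering and alerting component concrete, here is an added example (not code from the article or from any vendor it mentions) of the kind of rule a fraud-detection filter would run against incoming mail. It ties together the brand-spoofing and phishing techniques described earlier: a protected brand named in the From header while the sending domain is not the brand's, and links whose visible text shows the brand's domain while the href points somewhere else. The protected brand, its domains, the urgency phrases, and the two sample messages are all constructed assumptions; the output is the alert an institution's incident response team would receive.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the article): brands the filter protects, mapped to the
# domains those brands legitimately send from and link to.
PROTECTED_BRANDS = {"examplebank": {"examplebank.com"}}

# Constructed "act now" lures; they raise the score but only a brand/domain
# mismatch turns the verdict into a block.
URGENCY_PHRASES = ("verify your account", "suspended", "within 24 hours")


class _LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML part."""

    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _belongs_to(host, domains):
    """True when host is one of the legitimate domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _text_and_links(msg):
    """Lower-cased text of the subject and all text parts, plus extracted links."""
    text, links = [msg.get("Subject", "").lower()], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        content = payload.decode(part.get_content_charset() or "utf-8", "replace")
        text.append(content.lower())
        if part.get_content_subtype() == "html":
            extractor = _LinkExtractor()
            extractor.feed(content)
            links.extend(extractor.links)
    return " ".join(text), links


def analyze_message(raw):
    """Inspect one raw RFC 822 message; return targeted brands, findings and a verdict."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body, links = _text_and_links(msg)
    targeted = [b for b in PROTECTED_BRANDS if b in (display_name.lower() + " " + body)]
    findings = []
    for brand in targeted:
        legit = PROTECTED_BRANDS[brand]
        # Brand spoofing: the From header names the brand, the sender domain does not belong to it.
        if brand in display_name.lower() and not _belongs_to(sender_domain, legit):
            findings.append(f"From claims {brand} but sends from {sender_domain or '<none>'}")
        # Phishing lure: anchor text shows the brand's domain, the href goes elsewhere.
        for href, anchor in links:
            host = urlparse(href).hostname or ""
            if host and any(d in anchor.lower() for d in legit) and not _belongs_to(host, legit):
                findings.append(f"link text shows {anchor.strip()} but points to {host}")
    urgency = [p for p in URGENCY_PHRASES if p in body]
    if urgency:
        findings.append("urgency lure: " + ", ".join(urgency))
    block = bool(targeted) and any(not f.startswith("urgency") for f in findings)
    return {"targeted_brands": targeted, "findings": findings, "verdict": "block" if block else "deliver"}


# Constructed sample messages; the domains below are placeholders, not real sites.
SAMPLE_PHISH = """\
From: ExampleBank Security <alerts@mail-examplebank-verify.example>
To: customer@example.org
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, your ExampleBank account has been suspended.</p>
<p>Please <a href="http://examplebank.com.login-check.example/verify">https://www.examplebank.com/verify</a> within 24 hours.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: ExampleBank <notify@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your ExampleBank statement is available at https://www.examplebank.com/statements
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyze_message(sample))
```

The two checks mirror the article's point that fraud filtering differs from spam filtering: the rules are keyed to a specific brand and its legitimate infrastructure, so the brand list and domain set must be maintained by the institution and the alert (the `findings` list) goes to the incident response team rather than to a spam folder.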

Education, desktop security assessment, protection

Like many other online threats today, online fraud continues to evolve. For that reason, ongoing customer education is critical to helping consumers change their behavior to prevent online fraud. Alerting customers to the latest security threats and providing information on how to protect against them is the first step. Educational articles, expert advice, and real-time security alerts should also be considered.

An effective anti-fraud program will enable customers of financial institutions to identify the weak points in their desktop security through an online security assessment. Such an assessment should check for: hacker exposure, Windows vulnerabilities, Trojan horses, antivirus products, and virus protection updates.

Finally, an anti-fraud program must enable customers of financial institutions to purchase or download products and services identified in the assessment.

Conclusion

Call it the new face of online fraud. Where hackers once sought notoriety for defacing or crippling a popular Web site, today they are motivated by a more lucrative principle: profit. And, increasingly, they're finding the funding to carry out their scams. As Richard Clarke, the former White House chief advisor for cybersecurity, has observed about today's online "bad guys":

"At the bottom of the spectrum are those who are just showing off. All too often they turn out to be teenagers who are doing the equivalent of 'joy riding' in cyberspace. But the next level up are people engaged in fraud and extortion."

An effective anti-fraud program will help protect financial institutions and their customers from these bad guys. At the same time, it can help protect their brand and reputation and preserve customer trust in online transactions.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
