Phishing Phace-Off: Online Fraudsters and Vendors Do Battle to Gain Control of Electronic Information. Meanwhile, Incidents Rise and Consumer Confidence Suffers

The fast-growing online fraud with the funny name--phishing--is anything but a laughing matter for bankers. Unique attacks jumped 4,000% in the last six months with a particularly disturbing spike in April, putting many in the financial services industry on guard. And, while hard to trace, there is indirect evidence that payout to criminals is getting more substantial as phishing graduates from a pesky way to get free services to yet another method of wrangling personal information. With phishing, pretext e-mails are sent to consumers by the millions. Legitimate addresses are either purchased on the "cyber black market" or parsed together by programs that randomly combine common last names and first initials with common domains: resulting in, say, lsmith@hotmail.com. By random probability, some "phish mails" will happen to correspond with legitimate addresses where the user has a bank account (or with other e-commerce sites where passwords are required), notes Jim Maloney, chief security executive with Corillian Corp., Hillsboro, Ore., which offers an antifraud solution that can monitor phishing attacks. Each "phish mail" contains links to unauthorized web pages, created by criminals, that ask for personal information such as Social Security numbers or passwords. (In a newer variant of attack, fraudsters place "spyware" in the phish mail which scans the desktop. This gives criminals, in effect, a window into a user's keystrokes). Phishers make use of "pop ups" and "pop under" pages by manipulating HTML code to appear authentic, says Michael Sippey, managing director with Quris, an e-mail consulting and technology company in Denver. "Both superficially [in terms of how text and images appear] and at the code level, these web pages look more and more real. In effect, they've been copied with only minor changes," notes Ben McBeen, a network engineer with $390 million assets Plumas Bank, Quincy, Calif. With a low percentage of internet users and rural operating footprint Plumas has been spared, so far. Yet some of its employees with accounts elsewhere have been targeted, McBeen notes. "One co-worker got an e-mail claiming to be from a major institution telling her that a suspicious transaction had occurred on her account," says McBeen. "We did an analysis of the e-mail for her using our e-mail detection solution and showed her that, had she clicked on the link and followed through, it would have passed her information to an unauthorized third party." Looking good and hard to trace Who has been the victim of phish mail? Citibank for one. Probably because of its huge consumer base and high visibility it was the financial institution with the highest level of reported attacks, according to information collected by the Anti Phishing Working Group, a new organization that researches attacks and issues trend reports. (www.antiphishing.org) In May, APWG noted that Citibank was the victim of 370 unique attacks (that is, the bank's brand was hijacked that many times by various third parties with criminal intent.) This was down from an April high of 475 but was still a huge number, considering that in December of 2003, only 17 such attacks had occurred. Citibank, however, isn't alone. APWG has cited as victims U.S. Bank, Visa, Lloyds, Barclays, Bank One, Chase and others--23 known institutions or Fortune 500 companies in all. Attacks of some sort are occurring on a daily basis, and anecdotal evidence indicates that they may be trickling downstream as bigger banks begin to shore up defenses. Why is phishing gaining traction? For one thing, it's easy for the perpetrators to be, and stay, anonymous. Made possible by the relative ease with which e-mail messages can be spoofed or faked, phishing requires professional sleuths--the FBI, Secret Service, and tech forensics experts--to trace phony phish mails to actual fraudsters. …