Over the past year, e-mail “phishing” scams have exploded in both frequency and media attention to become among the most urgent threats to online financial services. Phishing, which is used by criminals to convince individuals to reveal confidential information, leverages the Internet’s value as a low-cost and efficient vehicle for reaching consumers. Furthermore, the Internet has shifted aspects of the burden of security from the financial institution to the consumer, who is often ill-equipped to deal with the onslaught of new fraud schemes and the gaping holes in PC security.
Phishing exploits consumers’ willingness to cooperate with “security” directives and other requests purporting to be from their financial institutions. The genius of the phishing scam is that by impersonating a trusted financial services institution (FSI) or other trusted party in an authentic-looking communication that addresses a specific relationship with the targeted consumer, the phisher can convince the recipient to provide confidential consumer data, the scammer’s Holy Grail. Once this data is captured, the phisher can use it to make payments, access an account, transfer or withdraw funds, or perform other actions to completely take over the account and embark on a full-blown case of identity theft.
TowerGroup was provided access to a variety of data about phishing from multiple resources, including Internet service providers (ISPs), law enforcement agencies, and financial services institutions. Phishing This information enabled us to piece together a picture that is rich in detail yet debunks some of the popular myths about phishing.
Myth 1: Phishing scams have bilked unwary consumers out of more than $1 billion.
Truth: Controlling the direct fraud losses associated with phishing is a major concern. TowerGroup believes the actual dollar value of phishing-related fraud losses is far less than commonly cited. Direct fraud losses attributable to phishing totaled just $137 million in 2004. Phishing attacks can allow criminals to fraudulently obtain consumer data, but they do not always result in an actual act of fraud in which accounts are accessed or funds are stolen.
Other direct costs to FSIs are optional. These include the development of antifraud campaigns and marketing through alternatives, such as advertising campaigns, Web site materials, brochures, research, and both internal and external education presentations or initiatives. Direct costs also include the expense of licensing, implementing, and running an array of technology solutions designed to curtail data theft and fraud in various ways. TowerGroup estimates direct costs to FSIs totaled nearly $87 million last year, excluding the costs of reimbursing consumer fraud losses, which brings the total phishing-related direct costs to FSIs to more than $200 million in 2004.
Myth 2: Because phishing-related losses are less than losses associated with other types of fraud, there’s nothing to worry about.
Truth: While phishing attacks are successful in fooling only a very small fraction of the online population and are, to many consumers, little more than a nuisance, the growing issue of phishing has the potential to negatively affect consumer confidence in the Internet as a viable channel for commerce. Fortunately, phishing has not yet hindered the continued growth of online banking or bill payment, with several of the largest U.S. banks reporting double-digit growth. Likewise, e-commerce continues to grow.
Currently, the most effective deterrent to phishing is consumer education. Banks and merchants must make clear to consumers how they will and will not communicate with their customers, telling them how to detect fraudulent communication. Some organizations, including US Bank, no longer embed URL links within e-mail communications; instead, they simply direct consumers to their Web site for further information or action. US Bank customers can quickly detect a fraudulent e-mail communication claiming to be from their bank because the bank has warned them that a fraudulent e-mail will contain a link or request user name and password information.
Yet increasing consumer awareness of phishing is a double-edged sword. The more consumers know about phishing, the less likely they are to fall for phishing scams but the more likely they are to be wary of conducting business over the Internet. Raising consumer awareness is absolutely critical to combating this serious issue, but it must be done carefully so as not to create unnecessary alarm and negatively impact the continued use and adoption of the Internet channel. It is critical for the industry to approach and contain phishing in a manner that protects consumers and organizations and, at the same time, does not raise undue fear by exaggerating the actual threat.
Myth 3: Only larger banks with more recognizable brands are targeted in phishing attacks.
Truth: TowerGroup believes that phishing will morph into more intricate and targeted scamming techniques as phishers’ methods become ever more sophisticated and as phishers target their e-mail lists more accurately to customers of the specific financial institutions that their Web sites are spoofing. They could accomplish this by, for example, scanning legitimate “cookies” on a user’s PC. Because of improved targeting, the connection rate (that is, reaching actual customers with phishing e-mails) could rise from less than 1 percent to as high as 100 percent. Improved targeting and the increasingly advanced use of malware will significantly increase the efficiency of phishing attacks and will also create complex new variants that can be classified more accurately as “malware attacks” than as phishing. An example of the use of malware was recently cited in Brazil, where Trojan horse malware was e-mailed to a highly targeted list of recipients and resulted in millions of dollars in fraud. Fortunately, these criminals were caught, but the recovery of the stolen funds is still in question.