Brand protection and the war against phishing

With online fraudsters becoming increasingly resourceful, firms with web exposure must tackle them head on, says Charlie Abrahams of MarkMonitor

The massive growth of online commerce over the last decade has led to a commensurate explosion in the number of fraudsters trying to take their cut and a huge increase in the methodologies and ingenuity they employ to get it.

 

The number of ‘phishing’ attacks on UK companies began to skyrocket three years ago – in 2006 alone, there was an increase in reported incidents from 500 to 2,000 per month – and firms with any significant online presence were compelled to act. Chief amongst these have been financial institutions for whom, it is estimated, there has been a direct cost of tens of millions of pounds each year, for the last five years.

 

What is ‘phishing’?

But what exactly is ‘phishing’ and what can companies and individuals do to avoid falling prey to these sophisticated criminals?

 

Phishing is the name given to a scam whereby emails claiming to be from your bank or financial institution are actually sent to you by criminals trying to access your bank details or identity information. These emails typically urge you to click on a link that takes you to a fake website that looks identical to the one you would expect to see. That site then asks you to verify or update your personal security information but, in so doing, you are actually giving your information to the imposter who has created the fake website. He then either sells your details to other criminals, who access your online bank account and take your money, or takes the money himself.

 

Whilst this has an enormous impact on the individual who has been phished, the repercussions for the financial institution that has been impersonated are massive and the costs they have incurred in a bid to halt these activities are unsustainable. Many high street banks have had to spend a great deal of money on new security measures, such as the new hand-held card readers that now have to be used when making electronic payments.

 

Targets

In its most recent Brandjacking Index, MarkMonitor calculated that phishing attacks on the financial services sector rose by 51 per cent during the second half of 2008; it also recorded an increase in the breadth of institutions phished, with nearly 450 new targets hit during the year. As the main high street banks have insulated themselves with new security measures and increased their customer education over the last three years, the fraudsters have moved on to look for new, less well-armed prey.

 

The most obvious targets are the next tier of financial institutions – the US Credit Unions, Spanish Cajas and UK Building Societies – and these have been among the first institutions to find themselves subject to similar tactics. Phishing scams have also spread to other online environments where cash and credentials are involved, such as gaming, government revenue services, recruitment and even social media sites.

 

The success rate of these scams depends largely on the consumer being fooled or panicked into clicking through to a site. For this reason, user education has been high on the agenda of most financial institutions as they seek to drive more transactions online, and it is clear that as “phishing” has increasingly become common parlance, so the hit rate of simple “urgent: your password is about to expire” style scams has fallen.

 

Types of scams

However, just as the phishers have moved on to more vulnerable targets, so have they responded to a more sophisticated public by inventing ever more resourceful ploys, a couple of which are outlined below.

 

Mortgage scam – essentially, another email-delivered fraud but designed to appeal to a more general audience, where mortgages are offered at attractive rates with “instant availability”. A link is provided to a site with an online application form, branded as a well-known lender. The “form” leads the individual to give up all sorts of credential information such as bank sort code, account number, date of birth, etc. This does not have to be a mortgage but could be any sort of loan or offer that requires personal details. Obviously mortgages are particularly good phishing bait right now, while they are harder to obtain than before.

 

Voice phishing (Vishing) – there are many variants and they are developing all the time, but vishing essentially involves a call, either from a human operator or an automated calling system, hence the name. It may be as simple as someone claiming to be your bank and having the audacity to check YOUR credentials before taking the conversation further, asking for your account name, date of birth, mother’s maiden name and so on. Alternatively, it may involve a message requesting a call back to a number in order to “revalidate your account”, that number itself being a fake bank call centre which then gathers your details in a similar fashion.

 

Both the mortgage scam and vishing aim to apply a variation of a psychological twist; in one case, something attractive is offered up and in the other, the recipient is caught off guard by the immediacy of the situation – it is much more difficult to ignore a telephone call than an email.

 

With the strategic imperative for financial institutions to cut costs becoming ever more urgent, the relevance – and risks – for the online channel is growing dramatically. Given that fear of fraud is one of the biggest inhibitors to customer adoption of the medium, the cost of failing to secure the online environment is far greater than the simple cash losses incurred.

Phishing – some guidelines for institutions and consumers

 

Institutions: any financial institution with an online presence should anticipate phishing and other online scams, even if they are not affected today. This means developing an online brand protection strategy to include:

 

  • Customer education
  • Acquisition of trademarks in relevant geographies
  • Proactive domain management strategy
  • Method for reporting suspicious sites
  • Dedicated team or provider to detect and deal with scams

 

Consumers: be alert to the risk in any email communications, whether personal or commercial. In particular:

  • Always navigate directly to your financial institution’s site by typing in the URL to conduct your business, rather than clicking on links provided in an email
  • Don’t download content from an untrusted or unknown source – it may contain “keylogger” programs or other malware designed to steal your credentials
  • Only talk to your bank via calls YOU make and to numbers provided on your credit or debit card
  • Report suspicious emails to the bank involved
  • Be careful what information you display on social media sites
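Several of the points above (the institution’s “method for reporting suspicious sites” and “dedicated team or provider to detect and deal with scams”, and the consumer advice to type the URL rather than follow emailed links) come down to the same check: does the link in the email really lead to the institution it claims to? The script below is an added example, not code from the article or from MarkMonitor or Nationwide. It extracts the links from an HTML email body and flags the patterns a reporting desk would look for: visible link text naming one host while the href goes to another, hosts that merely contain the brand name, and raw IP addresses. The institution domain `examplebank.co.uk`, the brand keyword and the email body are constructed for illustration.

```python
"""Flag suspicious links in a phishing-style HTML email (added example).

Constructed values: TRUSTED_DOMAINS and BRAND_KEYWORDS stand in for a real
institution's legitimate domains and brand name; SAMPLE_EMAIL is made up.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("examplebank.co.uk",)   # hypothetical institution
BRAND_KEYWORDS = ("examplebank",)          # hypothetical brand string


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Return the lower-cased host a browser would actually contact.
    urlparse().hostname discards any user@ prefix and port, so the
    comparison is made on the real destination, not on decoration."""
    if "://" not in url:
        url = "http://" + url  # bare 'www.example.com/x' in link text
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True only for the institution's domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, text):
    """Classify one link; every label other than 'trusted'/'external'
    is a reason for a reporting desk to look closer."""
    host = hostname_of(href)
    if is_trusted(host):
        return "trusted"
    if is_ip_literal(host):
        return "raw_ip_host"
    # Link text that itself looks like a URL must agree with the real host.
    shown = hostname_of(text) if ("." in text and " " not in text) else ""
    if shown and shown != host:
        return "displayed_url_mismatch"
    if any(k in host for k in BRAND_KEYWORDS):
        return "lookalike_domain"        # brand name inside a foreign host
    if any(k in text.lower() for k in BRAND_KEYWORDS):
        return "brand_text_to_untrusted_host"
    return "external"


def scan_email(html):
    """Return [(href, visible text, label)] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """<html><body>
<p>Urgent: your password is about to expire.</p>
<a href="https://online.examplebank.co.uk/help">Help centre</a>
<a href="http://examplebank.co.uk.account-verify.example/login">www.examplebank.co.uk</a>
<a href="http://198.51.100.7/secure">Verify your ExampleBank account</a>
<a href="https://examplebank-secure-login.example/">Click here</a>
<a href="https://www.example.org/privacy">Privacy policy</a>
</body></html>"""

if __name__ == "__main__":
    for href, text, label in scan_email(SAMPLE_EMAIL):
        print(f"{label:28} {text!r:32} -> {href}")
```

The suffix match in `is_trusted` is deliberate: `examplebank.co.uk.account-verify.example` contains the brand domain as a prefix, not as a registrable suffix, so it is rejected and then caught by the text/host mismatch rule. A production version would feed the flagged hosts into the institution’s takedown process rather than merely print them.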

Case study – Nationwide Building Society tackles phishing

 

The Nationwide is one of the UK’s leading financial institutions and is the largest building society in the world. With origins in Victorian Britain, Nationwide has the trust of some 15 million customers with 20 million accounts and was one of the earlier institutions to embrace online banking; today, it has 1.6 million active internet bankers and its main website has more than 2.5 million visitors each month. Not surprisingly, the Nationwide takes the prospect of phishing very seriously.

 

The problem

When phishing first began to gain momentum, Nationwide was among the leading targets for fraudsters, who began using it as a “test bed” for their online scams. Nationwide monitored the situation closely and noticed a rapid rise in phishing attacks – up from two or three per month in 2005 to more than 100 per month in 2006; in one month alone, it monitored 288 such attacks. As a consequence, the Nationwide almost became overwhelmed by the work required to track cases, shut down illegal sites and take action against offenders.

 

“It became extremely difficult to shut down phishing sites quickly enough to prevent damage as well as cope with the number of incoming emails from customers reporting phishing attacks or suspicious-looking websites,” says Peter Corrie, head of strategic fraud initiative for Nationwide.

 

“With each attack costing the organisation significant amounts, the problem was eating away at the bottom line. It was also diminishing customer trust and eroding brand equity. Nationwide needed an automated system for identifying online scams and taking action against offenders.”

 

The solution

In order to tackle the problems created by online fraud, Nationwide developed its own strategic fraud initiative, presenting a unified organisational strategy and team to identify and stop fraud. A key part of its initiative was embracing and adopting a fraud prevention programme developed by enterprise brand protection specialist, MarkMonitor.

 

“We selected MarkMonitor for its leading fraud prevention technology and global site shutdown services,” says Corrie. “With online fraud increasing exponentially each year, it is paramount for organisations like ours to tackle the problem head-on, in order to minimise revenue losses and protect our members.”

 

By automatically shutting down dozens of phishing sites every month, the MarkMonitor anti-phishing solutions delivered ROI in just three months, eliminating the huge monthly costs associated with trying to address the actual phishing scams.

 

“From start to finish, the implementation took only ten days – it was completed on Friday 13th!” recalls Corrie. “That very weekend, a massive phishing attack was launched against us but was shut down by MarkMonitor.”

 

Within a few weeks of deploying the new system, Nationwide was also able to clear a backlog of 50,000 customer emails and get its phishing problem under control.

 

“We have seen phishing attacks steadily decrease since deploying the anti-phishing technology,” says Corrie. “Offenders are getting the message that we have a great defence mechanism in place.”


Date: 13th, May, 2009
