Web Sites Get Tough on Fraud

Dec. 23, 2004 -- Last year if someone mentioned "phish" at a holiday party, the conversation that followed would have probably been about music, not a harrowing tale of online identity theft and consumer credit fraud.

Oh, what a difference a year makes.

An estimated 57 million online adults in the United States will have received "phishes" -- e-mails that pose as official missives from a bank or online store in order to trick readers into divulging personal financial information -- in the course of 2004.

Such fraudulent e-mails are expected to account for roughly $1.2 billion in losses -- a tiny drop of the estimated $60 billion in total losses due to all forms of identity theft. But it's also a figure that has caught the attention of online retailers and e-commerce sites. And it's spurring them to action.

Web retailers, banks and credit card issuers have been testing new technologies to combat online scams. But as security experts note, fighting phish and other forms of electronic fraud isn't just a simple matter of adding new technology. It's a matter of rebuilding trust with the online community.

Tainted Trust

"Part of the problem with phishing, from the corporate standpoint, is that the fraud is occurring away from the [official Web] site," said Mark Rasch, senior vice president and chief security counsel of Solutionary Inc., a managed security company in Omaha, Neb. "It's someone pretending to be you."

Early online con artists used e-mails disguised as official messages from Net giants such as eBay because they were easily recognized and trusted by Web surfers. Customers of the online auction site were used to seeing e-mails from the company touting changes to the site or reminders about their personal account status. And for scammers to create a bogus e-mail or Web site that duplicated the same "look and feel" as the originals is, say experts, practically child's play.

"It's almost a trivial matter," said Rasch. Web sites "transfer all the identifying information that says [this site is] Bank of America or Bank of New York to everyone that goes to those sites."

By copying that data, scammers can easily create clones of major online sites on their own Net servers to fool unsuspecting surfers. "Even an average journalist can create [a fraud site] in a matter of a few minutes," said Rasch.

Knowledge Is Power

With such sneaky online cloning technology out of their hands, scam-savvy Web companies have realized the most effective defense is to keep their customers informed.

"Education is key," said Hani Durzay, a spokesman for eBay. "The person who lost their information through phishing has willingly given up that information. ... The best way to stop phishing from being an issue is to make sure that our community of users don't fall for it."

The online auction house, as well as financial institutions and the Federal Trade Commission, have created educational Web sites that highlight how phishing scams work and what telltale signs to look for. More importantly, much of the consumer-oriented education stresses an important reminder: Legitimate online companies will never ask customers to reveal personal financial and identification data via e-mail.

But educational efforts are seen only as part of the solution.

Time to Tool Up

"We are relying in part on users to become educated [about online fraud] and how it works," said Durzay. "But we also have to give them technology and tools."

For example, many Internet service providers such as AOL and Earthlink now offer antivirus and other online security programs as standard features for members. But even financial institutions are joining the tech bandwagon.

Last month, Citigroup began offering its online Citibank customers access to anti-spyware -- a program designed to spot hidden software used by hackers to track information on an unsuspecting user's computer.

"One thing people might not realize is that when they're online and get to a Web site with a pop-up window, it could be a phishing attempt," said Dan Drummond, a spokesman for Your Credit Card Companies, a credit card resource center established by several financial institutions. The pop-up, Drummond says, could try to install so-called spyware.

"That's why one of the things we tell folks is to have the most up-to-date anti-spyware and antivirus installed on their PC," he said.

Other Web companies offer even further tech tools to their customers. For example, eBay has a "toolbar" that works with Web browsers and warns members when they try to enter their eBay membership information at sites other than the official eBay site. The online auction site also recently released "My Messages," a free electronic in-box accessible only by the company so members can receive important -- and verified trustworthy -- messages from eBay.

Better Mousetraps, Smarter Phishers

Increased education and better technology are certainly positive steps to combating con artists online. But security experts such as Rasch say that a third leg -- cooperative efforts among Web companies and law enforcement -- needs more strength, too.

"I know that there are people who are trying to trap the phishers," said Rasch. "Since the main mechanism [of spreading phish] is by e-mail and spam, one of the things they are trying to do is sign up for as much spam as possible so they can get at it early."

Once a phishing attack can be spotted, word can pass quickly among Web companies to shut down the bogus site and perhaps lead police to the actual perpetrator.

But Rasch notes that as companies and law enforcement take more active steps to combat online fraud, virtual con artists will evolve to newer tricks.

"Phishing fuels ID theft, which in turn fuels more phishing, and they become more successful the more I know about you," he said. "So instead of saying, 'This concerns your bank account with Citi,' you get, 'This is about your Citi account number ending in 0004.'"

And keeping up with such developments in online fraud will be difficult -- just like with con games in the offline world.

"It's a cat and mouse game … criminal Darwinism," said Rasch. "We catch the dumb ones, leaving behind the smart ones."

And that is music to no one's ears.