
I Once Caught A

Release Date: 6/4/2009

By: Tom Hagin, Senior Solutions Executive

Firewalls, intrusion prevention systems, multi-factor authentication, security information and event monitoring. All of these modern-era security technologies are no match for a profit-driven phishing criminal armed with a computer, an internet connection, a telephone, and a small amount of know-how. So it seems almost comical that the enormous sums of money spent on IT security hardware and software to help slow data theft stand in contrast to the minimal investment organized crime needs to set up a lucrative scam. But rest assured, there are ways to make sure that big ‘phish’ doesn’t get away.

A May 2009 article on the website Hacker’s Lounge shows how easy it is to create a simple phishing web site for free. Compare the world’s cybercrime business, a one-trillion-dollar-plus industry, to the labor-intensive illegal drug trade it has recently surpassed in profitability and you’ll understand the motives behind the attacks.

According to the May 2009 Industry Advisory by the Anti Phishing Working Group (APWG), in the second half of 2008 there were:

  • At least 56,959 phishing attacks, up from 47,324 in the first half of 2008
  • Those attacks were hosted on 30,454 unique domain names
  • The average uptime of a phishing site was 52 hours

Web phishing and phone fraud are both examples of social engineering. Phishing draws a potential victim to a fraudulent web site via e-mail or other electronic means. Phone fraud can include direct phone calls, recorded messages, or text messages asking for information such as social security numbers, account numbers, and personal identification numbers (PINs). Some attacks use the public telephone network; others use the Internet to deliver the scams. The sad part is, even though phishing and phone fraud are widely publicized in multiple media outlets, victims fall for the scams each day and your financial institution is left holding the bill.

According to the May 2009 report just released by Massachusetts-based RSA, the Security Division of EMC, the number of phishing attacks is the highest it’s been since June 2008. In the United States, credit unions were the target of 22% of the attacks, down from 38%. Regional banks accounted for 56% of the total, and nationwide banks were targeted 22% of the time. And while the methods of protecting against the two kinds of scam differ, both rely on technology and good old-fashioned expediency to lessen the impact.

Dan Jones, an industry expert on anti-phishing tactics, suggests: “Faster takedown times mean you are a less desirable target… quick takedowns will oftentimes send the criminals to greener pastures. As for proactive phone fraud detection, to offer a credible detection service for phone-based fraud would require having a phone number in every exchange in the U.S. Given this, one of the best sources of detection is an institution’s own customers, employees, and good citizens at large.”

RSA also said in its new report that it has identified a new tool that allows online fraudsters to validate and check for free the accuracy of compromised credit and debit cards. Called a “card checker,” it allows cybercriminals to “directly exploit an online merchant’s AVS check and enables compromised payment cards to be checked simultaneously.”

As long as your members and customers fall for the fraudulent schemes, it is unfortunately not possible to completely prevent phishing and phone fraud. The APWG, in its June 2009 report entitled “What to Do If Your Website has Been Hacked by Phishers,” suggests keeping the following points in mind when handling phishing and phone fraud.

  • Obtain as much information from the reporting party as possible
  • Have a well-documented incident reporting procedure
  • Management and legal counsel are best suited to prepare and coordinate external reporting and notification to response teams
  • Be prepared to provide all relevant information, such as logs from your web server, firewall, and operating system
  • Save a copy of the phishing site pages and any unauthorized content
  • Don’t wait for an incident to archive your authentic content
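The last three points above (recording who reported the phish, saving a tamper-evident copy of the phishing pages, and archiving your authentic content before any incident) fit together in one small evidence-handling routine. The following is an added illustration, not code from HEIT or the APWG; the site files, the reporter's details and the phishing URL are constructed sample data, and the record format is an assumption.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def archive_authentic_content(files: dict) -> dict:
    """Pre-incident baseline of the institution's own site: path -> SHA-256."""
    return {path: sha256_hex(content) for path, content in files.items()}

def build_incident_record(report: dict, phishing_pages: dict, baseline: dict) -> dict:
    """Record who reported the phish, hash each saved phishing page so the copy
    is tamper-evident, and flag authentic assets the kit reused byte-for-byte."""
    by_hash = {digest: path for path, digest in baseline.items()}
    evidence = []
    for path, content in sorted(phishing_pages.items()):
        digest = sha256_hex(content)
        evidence.append({"path": path, "sha256": digest, "size": len(content),
                         "copied_from": by_hash.get(digest)})
    return {
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "reporter": {k: report[k] for k in ("name", "contact", "received_via")},
        "phishing_url": report["url"],
        "evidence": evidence,
        "reused_authentic_assets": sorted(e["copied_from"] for e in evidence if e["copied_from"]),
    }

# Constructed sample data: a tiny authentic site archived before any incident ...
AUTHENTIC_SITE = {
    "/login.html": b"<html><form action='/auth'>Member login</form></html>",
    "/css/site.css": b"body{font-family:Arial}.login{width:300px}",
    "/img/logo.png": b"\x89PNG\r\n\x1a\n<constructed logo bytes>",
}
# ... and the pages saved from a reported phishing site (URL is a placeholder).
PHISHING_COPY = {
    "/index.php": b"<html><form action='collect.php'>Member login</form></html>",
    "/css/site.css": b"body{font-family:Arial}.login{width:300px}",
    "/img/logo.png": b"\x89PNG\r\n\x1a\n<constructed logo bytes>",
}
SAMPLE_REPORT = {"name": "A. Customer", "contact": "customer@example.com",
                 "received_via": "phone call to branch",
                 "url": "http://phish.example.invalid/index.php"}

if __name__ == "__main__":
    baseline = archive_authentic_content(AUTHENTIC_SITE)
    print(json.dumps(build_incident_record(SAMPLE_REPORT, PHISHING_COPY, baseline), indent=2))
```

The hashes in the record let you later prove the saved copy is unchanged, and the matched assets show which of your own files the phishing kit lifted.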

The APWG strongly encourages web site owners to report the phishing URL to the APWG via e-mail at reportphishing@antiphishing.org. Reporting to this address will cause most anti-phishing organizations to receive a notification of the phishing web site. Security products, e.g., anti-phishing toolbars, will be updated with the offending URL, thus offering protection to thousands, if not millions, of potential victims. This is not unlike your customers, members, and even those that don’t bank with you, who provide timely alerts to your institution so you can respond to attacks. HEIT can also help your institution battle phishing and phone fraud. Email info@goheit.com to learn more about our available resources and to request a copy of our solutions sheet.


© 2002-2010 HEIT, Inc.