06-02-2005, 02:15 AM
Lord Brar

Phishing Email Fraud Attacks Up 50% - How to Protect Your Brand


By Contributing Editor Janet Roberts

Although your Web site may be ultra-secure to protect your
customers' credit card data and other personal financial
information, your biggest threat can come from a criminal who won't
even try to hack your database.

He doesn't have to. He can just get your customers to hand over that
information by impersonating your brand in bogus emails. (Link to
samples below.)

The scam is called "phishing," and it's the fastest-growing type of
Internet fraud. This February a reported 282 phishing campaigns were
sent to millions of consumers -- a 50% increase from January. And,
judging by our in-boxes, the trend's continuing to grow.

Major online brands such as eBay (the No. 1 target), AOL and
EarthLink, along with financial institutions and government agencies
are the main targets; but, the scam can also affect any
household-name brand that stores personal information for a
subscriber, client or customer base on its Web site.

How to keep your customers and your brand as safe as possible?
Develop a rapid-response, multi-channel strategy to minimize the
damage, both to your customers and to your own brand. (Keep reading
to see what eBay does to help users thwart identity-theft attempts.)

You don't have to wait for an anonymous scammer living halfway
around the world to find you, either. A disgruntled employee with
access to a recent subscriber or customer list can do as much damage
-- maybe more.

The more your customers love and trust you, the more likely they
might believe an official-looking email asking them to re-enter or
verify credit-card and bank accounts, passwords, even Social
Security numbers at a Web site that looks a lot like yours.

The good news is that a whole anti-phishing movement has sprung up
since the first scams surfaced in early 2003. ISPs, Internet
companies and the U.S. government are mobilizing an all-out attack
on several fronts, including education, technology and shared
information.

Advanced email technology that verifies a sender's identity will
probably be the only reliable way to thwart phishing. Until it
becomes an industry standard, education and awareness are your best
weapons.

Baiting the Hook

Phishers get their victim lists the way spammers do: buying,
harvesting or stealing millions of email addresses. Somewhere in
those millions are lots of people who pay AOL or EarthLink to host
their Internet access, buy and sell on eBay, or have a Fleet or
Citibank credit card.

Then, they get a domain name that's one or two characters off from a
legitimate one. They lift logos and create a Web site that looks
just like the real one, and send out authentic-looking emails, in
text or HTML, warning users to verify information or risk losing a
service.

Early sites and emails were pretty crude renditions. Today, many are
almost undetectable. Typos can still give it away; one recent
email's subject line said, "Citibiank ONLINE Veerification."

As with spamming, just a few responses can give a phisher all the
information he needs to deplete bank accounts and ruin credit and
lives.

Are You Getting Phished?

Most companies find out when a customer or subscriber calls about a
suspicious email or if one goes to special email addresses set up to
catch spam and viruses.

If it happens to you -- better yet, before it happens -- you must
act fast. Post a message on your Web site, contact the ISPs involved
and federal law enforcement (number below) and alert all
customer-contact people.

What you shouldn't do: Send out an email message to your house list
warning people not to respond to emails asking for sensitive
personal information.

"Unless an email is digitally signed, your customers have no way of
knowing that the email message was not spoofed or forged," said Dan
Maier of the Anti-Phishing Work Group, an industry group working to
educate email users on phishing scams and to develop effective
countermeasures.

eBay's Answer: Education, Technology

The Internet's top auction site is a juicy phishing target,
attracting 104 of the 282 attacks reported in February 2004.

It also has developed one of the most comprehensive defenses against
phishing (or "spoofing," another term for the scam and the one eBay
uses), using both real-world and online channels to warn and educate
users ("community members"), working with law enforcement to catch
scammers and making it easy to report suspected spoof emails.

When a community member reports a spoof, the company investigates
it, works with the corresponding ISP to get the site shut down, and
adds the site to an internal blacklist. It also has worked with
federal law enforcement, most recently in a Secret Service case
involving Romanian spammers.

Last fall, the company opened a comprehensive online security
center, which includes a tutorial on spotting and reporting suspect
email and Web sites.

It also recently launched its new eBay Toolbar (PC only), which
flashes red when a user wanders onto a blacklisted Web site and
prompts a pop-up box if the user is about to enter an eBay password
on a non-eBay site.

In-person "eBay University" seminars also include anti-spoofing
information.

"We see more and more people sending in emails that are spoofs,
which is a good sign," eBay representative Hani Durzy said. "We're
seeing more discussion on our chat boards, where members will
educate each other. They'll post copies of emails and ask if they're
legitimate. There's a real sense of community vigilance."

Five Steps to Fight Back

Set up a pre-emptive strike force with at least one rep from IT,
corporate communications, Web site design, customer service, and the
email team. You'll need to develop a policy or procedures for
tracking and dealing with spoofs or phishing attacks before you
need it.

This list of tactics is based on what other companies have used to
battle phishing attacks:

1. Post a prominent notice at your Web site, warning recipients not
to respond to suspicious emails or click on links. Some sites use
pop-up boxes with a warning, a link to a reporting site and
instructions.

2. Set up a dedicated, easy-to-remember email address where
recipients can send suspect emails. Include that address on billing
statements or other paper communications so that customers can trust
it comes from you and not a scammer. Tell people how to report
emails with full Internet headers so that you can trace the email as
closely as possible, even though some of the information probably is
forged.

3. Notify your IT staff to begin the investigation, and alert your
email broadcast vendor, the sending ISP and the site host, to try to
get the scammer's site shut down.

4. Train all call-center and customer-contact people in what to tell
callers who report suspect email and how to pass it on for
investigation. Or, designate one or two people in your organization
to handle all calls and media questions.

5. In the United States, report the scam to the Internet Fraud
Complaint Center (number and Web site in resource list below). This
is a joint agency of the Federal Bureau of Investigation and the
National White Collar Crime Center, or report it online. You can
also call the Federal Trade Commission's toll-free reporting line or
use its online form.

Resource list:
1. Samples of a phishing email to defraud FleetBank customers, sent
March 30th, plus Fleet's excellent on-site warnings to customers:
http://www.marketingsherpa.com/fleet/ad.html

2. eBay's Security Center spoof tutorial:
http://pages.ebay.com/education/spooftutorial/

3. Anti-Phishing Working Group (free basic membership; participation
membership starts at $250). Whitepapers, reports, latest news,
statistics:
http://www.antiphishing.org/
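
A triage sketch for the abuse mailbox in step 2, checking a reported message for domains "one or two characters off" from yours, as described under "Baiting the Hook". This is an added example, not part of the original article; the brand domain, the sample message and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_DOMAINS = {"shopbrand.example"}  # assumption: the domains you really own

# Constructed report, forwarded with full headers; the From line is forged.
SAMPLE = """\
Received: from mail.shopbrnad.example (unknown [192.0.2.10])
From: "Shop Brand" <security@shopbrand.example>
Subject: Verify your account
Content-Type: text/plain

Your account will be suspended. Verify at
http://www.shopbrnad.example/login or see http://shopbrand.example/help
"""

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive last-two-labels rule; production code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalikes(raw_email, brands=BRAND_DOMAINS, max_off=2):
    """Map each near-miss domain in the From header or body links to (brand, distance)."""
    msg = message_from_string(raw_email)
    hosts = {parseaddr(msg.get("From", ""))[1].rpartition("@")[2]}
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hosts.update(re.findall(r"https?://([A-Za-z0-9.-]+)", body))
    flagged = {}
    for host in hosts:
        dom = registered_domain(host)
        for brand in brands:
            d = edit_distance(dom, brand)
            if 0 < d <= max_off:  # distance 0 is your own domain, not a lookalike
                flagged[dom] = (brand, d)
    return flagged

if __name__ == "__main__":
    print(lookalikes(SAMPLE))
```

The forged From address passes as the real domain, so the link host is what gets flagged; a match is a lead for the ISP and site-host takedown in step 3, not proof of fraud.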