Experts struggle to fight online 'phishing' schemes
Traditionally, phishers have targeted the customers of major institutions, like big banks, or shopping sites like eBay, or PayPal.
Updated: Mar 19, 2006 11:54 IST
The e-mails look real. A bank needs to "verify" your account information. An online payment service urgently warns about "unauthorized" access to your account.
But those who click on the links and enter their data may end up being a victim of one of the fastest-growing and most insidious fraud schemes in cyberspace, known as "phishing."
Even though the scam has been around for over two years, security experts say it is still growing and becoming more sophisticated.
One survey by First Data Corp last year found 43 per cent of US adults had received at least one of the bogus e-mails. Of those, about one in 20 -- or 4.5 million people -- provided the requested information, and about half of those end up being victims of theft or identity fraud.
Many US victims end up handing over their social security numbers or other personal information that can be used to open bank or credit accounts or other types of fake identity.
"Victims report an average loss of $600, but if their social security number is compromised, the damage is much more profound," said Susan Grant, head of the National Consumers League's fraud information center and a participant in a recent summit of technology firms, financial institutions and others aimed at curbing phishing.
The gathering of over 30 experts from organizations and companies including Microsoft and American Express focused on methods of "authentication," or allowing a user to tell whether an e-mail or website is bogus.
But authentication technology requires a considerable amount of cooperation and will take time to implement.
"It has to be secure by design, so grandma doesn't have to be a computer expert," said Peter Swire, an Ohio State University law professor involved in the anti-phishing gathering.
"It is clear the phishing is still increasing," Grant said. "There is no silver bullet to deal with the phishing problem, but there are promising new approaches."
A report by security firm Symantec found that during the last half of 2005, 7.92 million daily phishing attempts were identified, an increase over the 5.70 million attempts per day in the previous six months. Symantec expects even more growth in this type of scam.
This and other forms of cybercrime "represents today's greatest threat to consumers' digital lifestyle and to online businesses in general," said Arthur Wong, vice president of Symantec Security Response.
Traditionally, phishers have targeted the customers of major institutions, like big banks, or shopping sites like eBay, or PayPal, the giant online payment facilitator. But in another new twist, called "puddle phishing," they are now going after the customers of regional banks or credit unions. Targeting small groups or individual companies is known as "spear phishing."
The proliferation of such fraud has implications for the Internet overall and e-commerce in particular.
A Consumer Reports survey conducted in late 2005 found nine out of 10 US Internet users over 18 have made changes to their online behavior due to fear of identity theft -- with 30 per cent cutting back their overall use of the Web.
Another survey by eMarketer estimates that over a third of US Internet users do not buy online, mainly due to concerns over the security and privacy of personal information.
Grant said some surveys indicate consumers may be cutting back on Internet banking because of growth in phishing schemes that makes it hard to tell legitimate from bogus websites.
"If people lose confidence in the Internet, the channel will not continue to grow and we will not experience the productivity gains we have seen from the Internet," said Doug Johnson of the American Bankers Association.
Phishing is a global problem as well, since many of the schemes originate from outside the United States or target people in other countries, experts say.
One scheme targeting US customers of Chase Manhattan Bank was linked to a server of a Chinese bank, according to some experts.
"So many of the attacks originate from outside the United States, so we need cooperation from our international partners," said Ron Layton of the US Secret Service.