The BankWorld 2006 conference was held last week at the Crowne Plaza Hotel in Cromwell, Conn. The event was organized by the Connecticut Bankers Association and The Warren Group, parent company of Banker & Tradesman.
Just as financial institutions are starting to catch up with and educate customers about traditional phishing attacks, sophisticated software that allows fraudsters to steal personal information with a few keystrokes and more targeted attacks of banks and credit unions are making it easier for criminals to steal people’s identities.
Phishing, a type of scam that uses spam e-mail to “fish” for consumers’ personal information – such as account numbers or Social Security numbers – is often thought of as a technical crime, when in reality it is just a more efficient way of stealing information than snatching a purse, according to James Brooks, senior product manager of Arlington, Va.-based Cyveillance. Brooks spoke to a crowd of bankers last week at the BankWorld 2006 conference at the Crowne Plaza Hotel in Cromwell, Conn. The annual conference is organized by the Connecticut Bankers Association and The Warren Group, parent company of Banker & Tradesman.
“Everybody thinks of [phishing] as a technical crime,” Brooks said. “It’s not. It’s ID theft.”
Most phishers are trying to get credit card numbers or bank account numbers, he added.
“At the end of the day, they just want something of value,” Brooks noted.
But sometimes they try to gather other information, like Social Security numbers, which will allow them to apply for loans under someone else’s name.
In many cases, even the use of sophisticated software that logs keystrokes or somehow tracks information entered online does not take that much technical know-how, Brooks said.
Some of the current trends include phishers targeting smaller financial institutions, which often do not have as many anti-phishing protections in place as do bigger banks; sending e-mails to lure people to more professional-looking Web sites in hopes they won’t think twice before entering the personal information requested; and using malware and crimeware, or malicious and criminal software.
Malware and crimeware are a sneakier way of stealing personal information than is traditional phishing. They can be installed in someone’s computer without the user taking action, and can run undetected for long periods of time. They also can collect more personal information than typical phishing scams, Brooks said. Malware and crimeware come in several forms and can steal personal information in several ways, including by logging keystrokes.
The software often is installed when a spam e-mail lures a user to a Web site. The site may not ask for the person to enter any information – as traditional phishing Web sites do – but just by accessing the site, the software is automatically installed in the user’s computer.
‘Hard Costs’
But it is not just bank customers who are targets, according to Brooks.
Last year a fraudster got a list containing the e-mail addresses of executives of a financial institution. The phisher crafted an e-mail about rates that many of them answered, but it downloaded software that spied on the executives and recorded their log-in names and passwords.
“Think of the information an attacker could access if they could log on as the CEO of a small credit union,” Brooks said.
Another more effective form of phishing is puddle phishing, which targets regional banks. The phisher looks at the top three or four Internet service providers in a given area and sends messages to those e-mail addresses, which makes it more likely they will hit more actual customers of the targeted bank.
“You have a much higher success rate,” Brooks said.
Spear phishing is another type of attack, which is even more targeted than puddle phishing. The phisher will typically target a credit union for a university or specific company. Then, by e-mailing people who use the university’s or company’s e-mail system, it is likely the phisher will reach a large number of customers.
In the near future, Brooks said, he expects to see more sophisticated, automated and easy-to-use crimeware and malware.
Even now, it is easy to get. There was a Web site hosted in Eastern Europe that sold the software, and even had technical support, Brooks said. It has been shut down, but more could pop up.
“This is not going away anytime soon,” Brooks said.
And the impact to banks is not small. There are many costs associated with such an attack.
“There are some true hard costs,” Brooks said.
An attack can cost $50 to $60 per account compromised, and it can take 160 hours for a bank’s information technology staff to disable the phishing site. There also can be damage to the institution’s corporate reputation, and an attack can spur distrust of online applications in customers.
Studies have shown that phishing concerns have caused 26 percent of online customers to not apply for a financial product. Fourteen percent have said they will stop using online banking and bill pay, and 58 percent of Americans who shop or pay bills online are “very concerned” about phishing.
There are steps banks can take to prepare for phishing attacks, however. First, institutions should establish ownership and accountability of the problem, Brooks said. Customers and employees should be educated about phishing, and there should be an easy way for customers who notice something suspicious to report it to the bank. Banks should conduct an audit and inventory of online assets and educate themselves to stay ahead of fraud trends. They also should build a network of contacts in the legal, government and Internet service provider communities.
“Have a layered approach to security,” Brooks said. “The harder you make it, the less likely you’ll be susceptible to a phishing attack.”
There also should be procedures in place for when phishing attacks occur.
“Speed to action is extremely important,” he said.
First, the bank should initiate the takedown of the phishing site by contacting the Internet service provider that hosts it. Then, Brooks said, the bank needs to have a way to notify customers, and should contact law enforcement to try to find the phisher.
