Phishing is quickly becoming the single greatest threat to corporate efforts to serve consumers electronically, and with good reason. Undermining trust in online transactions could set the whole movement back years and negate the efficiency and cost gains that companies have realized.
In May alone there were nearly 1,200 unique phishing attacks, according to an industry association called the Anti-Phishing Working Group (www.antiphishing.org). APWG says it has 400 members, including eight of the top U.S. banks and four of the top five U.S. ISPs.
This association is only one of many groups cropping up to combat this scourge. A few weeks ago IBM and other companies in the financial, retail and technology sectors formed the Trusted Electronic Communications Forum.
There is a sense of urgency because the phishing scams are getting more and more sophisticated. Consider this one targeting Citibank users last week. Some customers got an HTML e-mail from a spoofed address, "Citibank
Then it went on to say that "because user identification on the Internet is difficult, Citibank cannot and does not confirm every user's purported identity. Thus we have established an online verification system to help you evaluate with whom you are dealing. The system is called CitiSafe and it's the most secure Citibank wallet so far. If you are the rightful holder of the account, click the link below, fill (sic) the form and then submit . . ."
Clicking on the link opens the phish site and, according to the APWG, starts a Java script that spoofs the browser address bar so it looks like you're connecting to a legitimate URL.
The APWG labels this "one of the most dangerous phishing schemes so far."
According to Jerry Brady, managed security services chief security officer for VeriSign, advances in phishing schemes are resulting in 3 percent to 5 percent success rates, up from 1 percent to 2 percent a year ago. "These guys have gotten very sophisticated," Brady says. They profile their victims and sometimes survey them, acting like a financial institution and inquiring about what services they want, their net worth and whether they use security tokens.
The best way to fight back today is educating customers and shutting down phishers as fast as possible, but the industry needs stronger authentication methods sooner rather than later. This needs to be a top industry priority.