The Basics: What is Phishing?

Phishing scams can tarnish the image of businesses that are unprepared for them.

It used to be that so-called “phishers” only focused on large international financial institutions -- such as Barclays Bank or Citibank -- when sending out fraudulent e-mails that tried to imitate the look and feel of correspondence from those firms in order to scam customers. But now law enforcement authorities warn that phishers are invoking the names of local banks and smaller financial firms in their e-mail scams.

Phishing is a scam that attempts to lure recipients of the phony e-mails into going to a fake Web site and keying in account or password data -- information which then becomes the basis for identity theft. There were 255,000 reports of identity theft in the U.S. last year, according to the U.S. Federal Trade Commission, and phishing scams were a leading cause.

But the recipient isn't the only one vulnerable in these scams -- the targeted business's brand and reputation are also harmed. That's why business leaders need to be aware of the growing threat from phishing and of the steps to take if their firms become targets, such as notifying authorities and warning customers.

What is Phishing?

Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials, according to the Anti-Phishing Working Group (APWG), an industry and law enforcement association dedicated to combating phishing. While immediate concern is often focused on the individual receiving the spoofed e-mail claiming to be a legitimate request for personal information, targeted companies are affected in a number of ways.

Who are the Targets?

Damage caused by phishers makes consumers wary of an otherwise respected brand. Financial institutions, including Barclays Bank -- whose impersonation McAfee, the security software maker, refers to as BarcPhish -- are the most prevalent phishing targets. PayPal and eBay are also heavily hit. Security firm SophosLabs estimates that over 75 percent of all phishing e-mail targets PayPal and eBay users, coaxing recipients to log into their accounts on a hijacked site where scammers can grab account information and other personal data.

More recently, however, the APWG has been tracking phishing attempts invoking the names of smaller financial institutions, such as Sky Financial and LaSalle Bank. The number of hijacked brands is on the rise, according to the APWG: in July there were 154 brands targeted, up from 130 the previous month. The number of new phishing sites also increased, to 14,191 from 10,047 in June, the group says.

To put the threat to your business in perspective, phishing accounts for less than 0.3 percent of all e-mails sent, according to Kaspersky Lab.

What Can a Company Do?

Halting fraudulent e-mails is a challenge yet to be solved. Many companies that become targets focus on educating customers on how to look for warning signs. They also notify customers about what types of messages they should and shouldn't expect to receive from the institution. One of the easiest steps a company can take to combat phishing is to post a statement on the company website notifying customers that phishing e-mails are being sent illegally in its name and advising them what type of legitimate correspondence the company sends. Some companies make it a policy to communicate with customers only through paper mail instead of e-mail, and others state that they never send e-mail asking a customer to input bank account and password information.

In-house education also helps reinforce safety. Visiting sites set up by phishers can install keyloggers and other malicious programs on an unwitting user's machine. Once such programs reside on office or home computers, the threat spreads from personal identity theft -- which is serious in itself -- to corporate data breaches.

Even if they haven't yet been targeted, some financial firms may want to warn customers about phishing red flags, such as e-mails with links to sites that ask for highly detailed information. On the surface, these e-mails to businesses and individuals often look convincing: they use official-sounding descriptions, logos from actual companies or banks, and a convenient link to help you sort out a problem or address some other concern.

“Is somebody asking me to confirm my account detail including username, password and credit card info?” asks Shane Coursen, senior technical consultant at Kaspersky Lab. “If so, this is the first and most obvious sign that the e-mail is a fraud.”

Companies should tell their customers that, instead of replying or clicking on the link, the best thing to do is to forward the e-mail to the company. Most importantly, tell them not to click on any link.
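The red flags described above -- a message that asks the recipient to confirm credentials, and a link whose visible text or destination does not match the institution the message claims to come from -- can be checked mechanically before a customer (or a support desk receiving forwarded mail) acts on the message. The following Python script is an added example and not code from the article, Kaspersky Lab or the APWG; the two sample messages, the bank name and every domain and IP address in them are constructed for the example, and the domain-comparison heuristic is a simplification noted in the code.

```python
"""Heuristic check for the phishing red flags described above. Added example,
not code from the article; sample messages, bank name and domains are made up."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Requests for secrets; per the article, a bank does not e-mail asking for these.
CREDENTIAL_PHRASES = ("confirm your account", "verify your account",
                      "enter your password", "credit card number")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: a real tool would consult
    the Public Suffix List so that names under e.g. co.uk compare correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2]) if "@" in sender else ""

    body = ""  # prefer the HTML part, since that is where deceptive links live
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                break

    lowered = body.lower()
    indicators = [f"asks for credentials: '{p}'" for p in CREDENTIAL_PHRASES if p in lowered]

    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        link_host = urlparse(href).hostname or ""
        if not link_host:
            continue  # relative link: nothing to compare against
        link_domain = registrable_domain(link_host)
        # Visible text looks like a URL, but the href goes somewhere else.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != link_domain:
            indicators.append(f"link text '{text}' goes to {link_host}")
        if sender_domain and link_domain != sender_domain:
            indicators.append(f"link to {link_host} outside sender domain {sender_domain}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", link_host):
            indicators.append(f"link uses bare IP address {link_host}")
    return indicators


# Constructed samples: reserved .example TLD and a documentation IP range.
SAMPLE_PHISH = """\
From: "First Bank" <security@firstbank.example>
Subject: Urgent: confirm your account
Content-Type: text/html

<html><body><p>Unusual activity was detected. Please
<a href="http://198.51.100.23/login">confirm your account</a> within 24 hours, or visit
<a href="http://firstbank.example.verify-login.example/">http://www.firstbank.example/secure</a>.
</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "First Bank" <statements@firstbank.example>
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is available at
<a href="https://www.firstbank.example/">www.firstbank.example</a>.
We never ask for your password by e-mail.</p></body></html>
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` reports five indicators (the credential request, a link to a bare IP address, and a second link whose visible URL names the bank while its real destination is another domain), while `phishing_indicators(SAMPLE_LEGIT)` reports none. Note that the sender-domain comparison trusts the `From:` header, which a phisher can forge; it catches the common case where the links point away from the brand being impersonated, not a message that spoofs the sender and hosts the fake site on a look-alike domain. A heuristic like this is a triage aid, not a substitute for the advice in the article: do not click the link, forward the message to the institution.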

Last updated: Sep 1, 2006
