Evidence that the Internet's killer app is seriously ill can be seen in the frantic efforts to resuscitate it. The past two weeks have witnessed a flurry of activity aimed at restoring trust in e-mail as a business-consumer communication tool that has been eroded by spam and e-mail-related online fraud.
How worrisome have the problems become to businesses? Bad enough that MasterCard International last week said it has created a system for round-the-clock monitoring to inform 25,000 financial-institution members worldwide within four hours of when such a scam starts. Bad enough that fierce rivals in the e-mail business -- America Online, EarthLink, Microsoft and Yahoo -- agreed last week to support each other's e-mail-authentication standards. It's also prompting a consortium of the 100 largest financial institutions to develop a common database to share reports of attacks and responses, and forcing some banks to reconsider how they use e-mail to communicate with customers.
MasterCard is using digital fraud-detection technology from NameProtect as part of a more-proactive approach to online fraud that lets the company detect scams as they unfold and work with police to block them before losses occur. "We're concerned that somebody step up to the plate because consumer confidence is at stake," says Sergio Pinon, senior VP of MasterCard's global security and risk services.
Research firm Gartner estimates that 57 million Americans in the past year received phishing e-mails -- messages sent to lure people to phony Web sites asking for financial information. During a two-week period in December, 60 million phishing messages were sent, according to the Anti-Phishing Working Group, of which both MasterCard and NameProtect are members. Identity theft is the endgame for many phishing schemes and has been the No. 1 consumer complaint to the Federal Trade Commission in the past four years. Gartner estimates that phishing-related fraud cost banks and credit-card companies about $1.2 billion in direct losses in the past 12 months.
Companies are starting to work together, rather than just write off online fraud as a cost of doing business, because technology has made fraud such as identity theft increasingly scalable, says Elazar Katz, director of the active risk-monitoring practice at IT services company Unisys. "Now you can easily multiply it over thousands of accounts," he says.
Last week brought more proof of that potential. A former AOL computer engineer was arrested on federal conspiracy charges for allegedly stealing some 92 million AOL screen names and selling them to a Las Vegas list broker, who also was arrested. The broker is accused of selling the names for $52,000, as well as using them to promote his own Internet gambling operation.
While the problems of phishing and e-mail scams have been around a while, fraudulent e-mail became particularly acute for MasterCard in November and has gotten steadily worse, Pinon says. That's also when BITS, a financial-industry consortium, formed its eScams Subcommittee to address phishing. It's creating a Phishing Prevention and Investigation Network to provide members with information and resources to fight phishing and spoofing and to report them to law-enforcement agencies, foreign governments and Internet service providers. The network also will provide data on trends to help law enforcement build cases and shut down identity theft operations.
Ann Mele, manager of corporate fraud and forensics at PNC Financial Services Group and a member of the BITS anti-phishing subcommittee, says no clear strategy has emerged to combat the risk of a bank or its customers becoming phishing victims. So banks are treating it as another -- if potentially more virulent form -- of identify theft, which they've been battling for years.
Phishing scams have caused another BITS member to re-evaluate its customer communication. The major U.S. bank is considering providing notice before starting an e-mail campaign, such as sending printed messages stuffed in statements or through a more-secure electronic channel. The bank is "very cautious in how we communicate to customers via e-mail in particular," says a bank executive via e-mail. "Nevertheless, e-mail is still a preferred method of communications. We still do use it, and we use e-mail vendors still as well." Other groups also are tackling the issue. The Trusted Electronic Commerce Forum, which includes companies such as Fidelity Investments and Best Buy, is developing technologies and tactics to combat phishing and identity theft. The Anti-Spam Technical Alliance -- a group founded in 2003 and comprised of AOL, British Telecom, Comcast, EarthLink, Microsoft and Yahoo -- recently proposed actions and policies for e-mail service providers and large senders of e-mail. And Visa USA joined with the FTC and others this month in an anti-phishing education campaign.
Yet these efforts face a huge challenge. Phishing messages and scam sites don't have to be around for long to do damage, says Pavni Diwanji, CEO and founder of anti-spam vendor MailFrontier. Often, she says, scammers take their phishing sites down after only a few hours, since they can bring in credit-card information in a matter of minutes. There's also the opposite problem: It's not always easy to shut down a fraudulent Web site, especially if it's in a country where the United States or the European Union doesn't have a lot of pull, Gartner VP and research director Avivah Litan says. "Once you catch them, you can't necessarily stop them," she says. "It's like trying to catch a cockroach."
MasterCard's Pinon acknowledges the challenges of keeping ahead of the crooks, saying it takes just eight days from the establishment of a Web address to the time a phishing attack can be launched using that address. "In order for this to be effective, we have to be able to monitor online phishing attacks, trading of account numbers, identity theft, and so on, on a 24-by-7 basis," he said during a conference call about the effort. NameProtect monitors domain names, Web pages, images, auctions, chat forums, spam, and more to identify online fraud for MasterCard. It provides real-time reports that are accessible through a Web portal. MasterCard uses its electronic MasterCard Alerts service to inform banks.
MasterCard's April-to-June trial of the program didn't lead to specific instances of sites being shut down, but Pinon says information provided to law enforcement led to "several major investigations." Frank Harrill, the FBI's cybercrime supervisor in Los Angeles, says financial institutions and other companies are reporting phishing attacks and online fraud more frequently, leading to more investigations.
So, is e-mail in peril from the growth of fraud and scams? As a general communications medium for people, perhaps not. "If viruses and worms won't stop them, phishing won't," contends Yankee Group analyst Phebe Waterfield. But when it comes to a trusted channel for businesses to reach their consumers, e-mail has clearly developed some dangerously unhealthy habits.