June 15, 2004

"Phishing" -- the act of using counterfeit e-mails to lure individuals into divulging personal information -- poses a major problem for thousands of financial institutions. It has the potential to exploit the personal information of millions of customers, while wreaking havoc on the systems at these banks, and damaging their reputations in the process.

Thus far in 2004, more than 2,000 phishing attacks have been made against financial institutions, as well as against Internet service Providers (ISPs), retailers and others. Until now, the banks that have been hit by phishing schemes have tended to be larger, global firms that are household names. Still, every bank must be alert to these attacks, as it is very likely that these schemes will flow naturally down the market, in due time.

The magnitude of a phishing attack depends greatly upon a bank's ability to detect and thwart the fraud quickly. The sooner it is detected and dealt with, the lesser the chance for significant damage. Fortunately, financial institutions have an array of tactics to fight phishing at their disposal. While some can be developed and executed internally, others call for the resources of third-party providers. Possibilities include:

Training call center employees.

If a breach does occur, the best line of defense for a financial institution will be its call centers, as they will be the first to field inquiries related to phishing scams. Call center employees, as well as other customer service representatives, must be educated properly to recognize the signs of a phishing scam. For banks with large call centers, the ability to pool complaints and recognize patterns is vital to detecting the fraud early, and limiting further damage. These employees must also know how to deal with phishing attacks once they happen, and effectively communicate plans of action to concerned consumers who have fallen for the trap.

Using "modified honeypots."

Because phishing schemes happen fast, it may be most helpful to set up a detection system that makes use of e-mail. In this case, a "modified honeypot" may be the most efficient means. E-mail accounts can be set up with several commonly used ISPs, such as AOL, Hotmail, Yahoo, etc., in hopes of catching phishing schemes. Once these accounts are established, they may be monitored for emails resembling phishing schemes.

Employing better e-mail authentication methods.

Banks may choose to authenticate their e-mails to offer customers the assurance that an email sent from the bank is, indeed, legitimate. They may be using digital signatures or secret passwords or codes to do so. While the industry has established a secure messaging standard to enable digital signatures (i.e., S/ MIME), adoption of this standard has been slow. Another cause for concern is that some criminals have been using JavaScript to fake the presence of a legitimate digital certificate online by inputting a false padlock icon. The alternative? Secret passwords that utilize secure cookies as a way of recognizing customers and displaying the appropriate message indicating that the customer has a direct connection to the bank.

Establishing strict communication protocols.

In notices to consumers, many financial institutions state that they will never request personal information. However, some of these same financial institutions have been creating confusion by doing just that " they have later sent e-mails requesting personal information. Therefore, financial institutions must take care in their wording and avoid sending contradictory messages. Financial institutions that simply include a convenient "log-in" link in their marketing e-mails should take care, as those e-mails may be easily copied and used for phishing purposes. Therefore, the convenience is unlikely to justify the risk.

Searching for domain abuse.

URLs can be monitored to detect phishing or other problems, such as copyright or trademark abuses. Such abuses can indicate phishing schemes and measures can then be taken to avert the attack. Unfortunately, this will prove less of a defense as time goes on. Since phishing schemes take so little time to create, deploy and complete, financial institutions need to be quick to act and cannot rely solely upon discovering a false e-mail or Web site.

Safeguarding customer information. Unfortunately, many customers do not protect their own personal information as well as they should. They often choose IDs or PINs that are too common, and also unknowingly give them away to criminals. As an additional protection, banks may want to ask the customer some type of unique question, the answer to which only the customer will know. Given the slow progression toward digital certificates, smart cards and biometrics, firms are beginning to use this question-based authentication as an alternative.

Monitoring accounts.

As with many frauds, one of the best defenses a bank can take is constant vigilance. Keeping close watch on account activity can enable a firm to spot irregularities, and notify customers immediately.

Which strategy is best for a particular bank? Most likely the answer is an appropriate combination of tactics that will largely be determined by the bank's perceived level of vulnerability, its technological resources, its customer service capabilities and its budgetary constraints. The vast majority of banks are expected to take immediate action to prevent or diminish the effects of phishing as best they can. While many smaller banks are likely to educate their customers through the use of online warnings or notices in written statements, larger, better-known banks are likely to deploy monitoring technologies, in addition to educational measures.

Sadly, phishing is just one variety of frauds that is threatening the financial services industry right now. Tomorrow will likely bring a brand new scheme. For this reason, financial institutions would be wise to deploy methods that will not only tackle the fraud of the moment but use methods such as account monitoring and increased education that will be effective with other fraudulent schemes as they occur down the road.

Ariana-Michele Moore is an analyst in the banking group at Celent Communications, a financial services technology research firm based in Boston. She can be reached at amoore@celent.com.