Spam Slayer: Fear of Phishing Hurts Banks

Do you trust e-mail that claims to be from your bank?

That's a tricky question for a lot of us who are inundated with suspicious e-mail from senders that claim to be Citibank, PayPal, or a financial institution we have never heard of.

It turns out more than half of us are deleting messages from banks and financial institutions without even thinking twice. Experts say recipients assume that all such messages are part of phishing e-mail scams.

Phishing messages look like they come from a trusted company, but are actually from identity thieves. Phishers attempt to trick e-mail recipients into clicking on a link, going to a Web page, and providing personal information at a site that pretends to be genuine.

Even the federal government has taken notice of the potential for security breaches. Last week federal regulators announced new rules requiring banks to better protect their online customers from fraud. By the end of 2006 bank sites will have to adopt a "two-factor" authentication process. In a letter sent to banks, the Federal Financial Institutions Examination Council said banks must go beyond just requiring name, account number, and password.

A two-factor authentication system might include biometric devices or smart cards that would deny access to online accounts without some type of physical card or USB token that can be plugged into a PC.

Less costly would be a two-factor system like the one being developed by PassMark Security, which prompts users to answer questions with predetermined secret answers.

For banks, consumer reluctance to trust e-mail from financial institutions is a double-edged sword: On one hand, banks are pleased that their customers are savvy enough not to fork over account information to a fake site. Consider the cost when they do: In 2003 phishing scams cost banks and credit-card companies $1.2 billion, according to market research firm Gartner. On the other hand, banks are suffering because of this lack of consumer trust.

Credibility Crisis

A research report from Javelin Strategy and Research says the first impulse of 55 percent of those who receive an e-mail purporting to be from their bank and asking them to log into their account is to delete the message without blinking an eye.

In another survey, 28 percent of consumers said online attacks influence their online banking activity, Gartner reports. The survey found that 14 percent of this group has stopped paying bills online as a consequence and an additional 4 percent stopped all online banking activity.

The more jaded we become, the more financial institutions stand to lose. Gartner estimates that companies save about 45 cents every time they send an account statement electronically instead of by mail. A bank that mails account statements on paper to 1 million customers could save $450,000 monthly if it sent electronic statements instead.

Personally, I don't trust any e-mail that contains a link to any of my accounts. Just clicking on a link in an e-mail can get you in trouble; phishing e-mails can be used as lures to get you to visit Web sites that secretly download malicious programs.

For this reason, I advise against clicking links in suspicious messages. Instead, just type the URL of the page you want to go to in your browser's address bar, or go to the site's home page and then navigate to the page in question.

Don't get me wrong: I am not a neophyte. I check and manage nearly all my bank and credit cards over the Internet. But when I get an apparently legitimate e-mail that asks me to take action, I call my credit-card company or bank and communicate with them directly.

Call me paranoid; I don't care. But the sad reality is that phishing e-mails have all made us paranoid.

Too Paranoid?

Here is a case in point. When the Wachovia bank sent out an e-mail inviting its customers to go to a new log-in page as a result of its merger with First Union, it got an earful. Wachovia's call center was swamped with calls from message recipients, alerting the bank that criminals were attempting to steal customers' financial information through a bogus link.

Another snafu occurred when EarthLink mistakenly told some of its users that a bank's Web site was a phishing site. Through its free ScamBlocker toolbar, EarthLink warned customers who tried to visit AssociatedBank.com that the site was "potentially fraudulent." EarthLink advised its users to "not continue to this potentially risky site."

The owner of the site, Associated Banc-Corp, was furious and sued EarthLink in a U.S. District Court in Wisconsin. Associated Banc-Corp argued that EarthLink's negligence had injured its business reputation. EarthLink said it had licensed the list of phishing Web sites used by the ScamBlocker toolbar from a third party, and therefore shouldn't be held responsible. Last month U.S. District Judge John Shabaz agreed with EarthLink's position and dismissed Associated Bank's lawsuit.

Taking Action

A growing number of financial institutions are determined to win our confidence and stop phishers. The problem is that, through their antiphishing public education programs, banks have made the public leery of online banking, says Amir Orad, executive vice president for marketing at the antifraud and consulting firm Cyota. That's why banks are now focusing on ways to go after the bad guys.

One of the ways is to proactively seek out phishing e-mails and shut down the sites they link to. Cyota scans 1.4 billion e-mails a day looking for phishing lures. When it finds one, it works with law enforcement and with ISPs to shut down access to the site.

Another way is to make it harder for phishers to fake messages from banks. To this end, Bank of America is testing a technology from PassMark Security called SiteKey. It requires Bank of America's online customers to choose one of a thousand digital images from a library and to create a short phrase. The phrase appears in the subject line of the bank's e-mail messages and the image in the body, to reassure customers that the e-mail is legitimate. If the test is successful, Bank of America plans to roll it out nationwide later this year.
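As an added illustration, not code from the original article and not PassMark's or Bank of America's implementation, here is the shared-secret check a mail client could run against the scheme just described, using a constructed enrollment record and a constructed image; the function names, the `bank.example` addresses and the SHA-256 digest comparison are assumptions.

```python
import hashlib
import hmac
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed sample data (not real customer data or a real image file).
SAMPLE_IMAGE = b"\x89PNG-constructed-sample-image-bytes"
ENROLLMENT = {
    "email": "customer@example.com",
    "phrase": "blue canoe on the lake",  # chosen by the customer at enrollment
    "image_sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}


def build_bank_message(enrollment, image_bytes, body_text):
    """Compose the bank's outbound mail: enrolled phrase in Subject, image inline in the body."""
    msg = EmailMessage()
    msg["From"] = "alerts@bank.example"
    msg["To"] = enrollment["email"]
    msg["Subject"] = f"[{enrollment['phrase']}] Your statement is ready"
    msg.set_content(body_text)
    # Becomes multipart/related with the customer's chosen image as an inline part.
    msg.add_related(image_bytes, maintype="image", subtype="png", cid="<sitekey-image>")
    return msg.as_bytes()


def verify_bank_message(raw_bytes, enrollment):
    """Recipient-side check: both the enrolled phrase and the enrolled image must be present."""
    msg = message_from_bytes(raw_bytes, policy=default)
    phrase_ok = enrollment["phrase"] in (msg["Subject"] or "")
    image_ok = False
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        # Constant-time comparison of the hex digests.
        if hmac.compare_digest(digest, enrollment["image_sha256"]):
            image_ok = True
    return phrase_ok and image_ok


def lure_without_secret(enrollment):
    """Constructed look-alike message: right recipient, but no enrolled phrase or image."""
    msg = EmailMessage()
    msg["From"] = "security@bank-example.test"
    msg["To"] = enrollment["email"]
    msg["Subject"] = "Urgent: verify your account"
    msg.set_content("Please verify your account details.")
    return msg.as_bytes()
```

Because the phrase and image are chosen by the customer at enrollment, they are not among the data a phisher could have harvested elsewhere, so a message that merely personalizes the greeting still fails the check.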

Other banks try to win customer confidence by including each customer's first and last name in the subject line of their e-mail messages. Still other banks, like Wachovia, are testing a system in which customers get an e-mail alerting them that a message is waiting in their Wachovia mailbox. The e-mail doesn't include any links, so customers have to visit the Web site and log on to read their messages.

All this makes me wonder how much inconvenience consumers will put up with to take advantage of online banking.

Morphing Scams

The advent of more secure customer authentication is having a predictable impact: Phishers are now moving away from large financial institutions that use such antifraud technology and targeting smaller banks that don't.

Cyota has seen a 633 percent increase in the number of attacks against smaller banks since the beginning of 2005. Cyota also is seeing an increase in personalized phishing attacks that use stolen data like a name or the last four digits of a credit card. The use of such personal information in a phishing message gives it the appearance of credibility.

Another way phishers and spammers collect your personal information is through a technique called hostile profiling, which I outlined in my May column.

Experts I spoke with say it's too early to tell whether the good guys are stopping the fraudsters or the bad guys are succeeding at ripping more of us off. "The fraudsters are always raising the bar, making our job harder," Cyota's Orad says.

Andrew Dresner, a vice president at First Manhattan Consulting Group, told me he thinks online banking is just too convenient to be slowed down by phishing attacks. "Once people become more acquainted with online banking they are more likely to spot fraud," Dresner says.

The Javelin Strategy and Research study found that for every customer that refused to bank online out of security concerns, three online banking customers increased their usage of online accounts.

So what's your personal policy when it comes to phishy e-mails? I suggest that a healthy dose of skepticism will go a long way when evaluating any e-mail tied to personal information.
