April 15, 2004
How To

Phishing Email Fraud Attacks Up 50% - Protect Your Brand

SUMMARY: Wednesday morning March 31st, we opened our editorial email boxes to find this fraud from FleetBank:

At 11:30 PM EST Our company had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities. Due to our extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct. Fleet bank notifies all it's customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below.

Alarmed, we surfed to Fleet's main site to get their PR contact so we could write a story telling merchants relying on recurring billing that they might have a problem with Fleet accounts...

... then we saw Fleet's home page announcement that the alarming email was itself a fraud. Oh.

Here's a useful article on how the booming email fraud known as phishing may affect your company, and what you can do about it:
Although your Web site may be ultra-secure to protect your customers' credit card data and other personal financial information, your biggest threat can come from a criminal who won't even try to hack your database.

He doesn't have to. He can just get your customers to hand over that information by impersonating your brand in bogus emails. (Link to samples below.)

The scam is called "phishing," and it's the fastest-growing type of Internet fraud. This February a reported 282 phishing campaigns were sent to millions of consumers -- a 50% increase from January. And, judging by our in-boxes, the trend's continuing to grow.

Major online brands such as eBay (the No. 1 target), AOL and EarthLink, along with financial institutions and government agencies, are the main targets, but the scam can also affect any household-name brand that stores personal information for a subscriber, client or customer base on its Web site.

How to keep your customers and your brand as safe as possible?

Develop a rapid-response, multi-channel strategy to minimize the damage, both to your customers and to your own brand. (Keep reading to see what eBay does to help users thwart identity-theft attempts.)

You don't have to wait for an anonymous scammer living halfway around the world to find you, either. A disgruntled employee with access to a recent subscriber or customer list can do as much damage -- maybe more.

The more your customers love and trust you, the more likely they might believe an official-looking email asking them to re-enter or verify credit-card and bank accounts, passwords, even Social Security numbers at a Web site that looks a lot like yours.

The good news is that a whole anti-phishing movement has sprung up since the first scams surfaced in early 2003. ISPs, Internet companies and the U.S. government are mobilizing an all-out attack on several fronts, including education, technology and shared information.

Advanced email technology that verifies a sender's identity will probably be the only reliable way to thwart phishing. Until it becomes an industry standard, education and awareness are your best weapons.

Baiting the Hook

Phishers get their victim lists the way spammers do: buying, harvesting or stealing millions of email addresses. Somewhere in those millions are lots of people who pay AOL or EarthLink to host their Internet access, buy and sell on eBay, or have a Fleet or Citibank credit card.

Then, they get a domain name that's one or two characters off from a legitimate one. They lift logos and create a Web site that looks just like the real one, and send out authentic-looking emails, in text or HTML, warning users to verify information or risk losing a service.
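The "one or two characters off" trick can be caught mechanically. The following is an added example, not part of the original article or of any company's tooling: given the domains a brand actually owns, it flags hostnames (pulled, say, from links in emails that customers report) that sit within a small edit distance of a real domain, or that embed the brand name under a domain the brand does not control. The domain list, the sample hostnames and the two-label rule for the registrable name are all assumptions made for the example.

```python
# Added example: flag hostnames that are "one or two characters off" a brand's
# real domains, or that embed the brand name under a domain the brand does not own.
# The domain list and candidate hostnames below are constructed for illustration.

LEGITIMATE_DOMAINS = ["fleet.com", "ebay.com", "citibank.com"]  # constructed list


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # delete a[i-1]
                          d[i][j - 1] + 1,         # insert b[j-1]
                          d[i - 1][j - 1] + cost)  # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def normalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def is_legitimate(host: str) -> bool:
    """True for a brand domain or any subdomain of one."""
    host = normalize(host)
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def lookalike_reason(host: str, max_distance: int = 2):
    """Return a human-readable reason if `host` looks like an impersonation
    of a legitimate domain, otherwise None."""
    host = normalize(host)
    if is_legitimate(host):
        return None
    # Assumption: the registrable name is the last two labels (fine for .com,
    # not for multi-part suffixes such as .co.uk).
    registrable = ".".join(host.split(".")[-2:])
    for legit in LEGITIMATE_DOMAINS:
        dist = edit_distance(registrable, legit)
        if dist <= max_distance:
            return f"'{registrable}' is within edit distance {dist} of '{legit}'"
        brand = legit.split(".")[0]
        if brand in host:
            return f"'{host}' contains brand label '{brand}' but is not under '{legit}'"
    return None


def scan(hosts):
    """Return [(host, reason)] for every hostname that looks like a lookalike."""
    flagged = []
    for h in hosts:
        reason = lookalike_reason(h)
        if reason:
            flagged.append((normalize(h), reason))
    return flagged


if __name__ == "__main__":
    # Constructed sample: hostnames as they might be pulled from reported emails.
    sample = ["www.fleet.com", "f1eet.com", "citibiank.com", "ebya.com",
              "ebay.com.evil.example", "fleetbank-verify.com", "paypal.com"]
    for host, reason in scan(sample):
        print(f"{host}: {reason}")
```

The substring check is deliberately greedy: a short brand label will produce false positives on unrelated domains, so in practice the output is a review queue for a person, not an automatic blocklist. Domains you discover this way are candidates for the internal blacklist and the ISP takedown requests the article describes later.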

Early sites and emails were pretty crude renditions. Today, many are almost undetectable. Typos can still give it away; one recent email's subject line said, "Citibiank ONLINE Veerification."

As with spamming, just a few responses can give a phisher all the information he needs to deplete bank accounts and ruin credit and lives.

Are You Getting Phished?

Most companies find out when a customer or subscriber calls about a suspicious email or if one goes to special email addresses set up to catch spam and viruses.

If it happens to you -- better yet, before it happens -- you must act fast. Post a message on your Web site, contact the ISPs involved and federal law enforcement (number below) and alert all customer-contact people.

What you shouldn't do: Send out an email message to your house list warning people not to respond to emails asking for sensitive personal information.

"Unless an email is digitally signed, your customers have no way of knowing that the email message was not spoofed or forged," said Dan Maier of the Anti-Phishing Work Group, an industry group working to educate email users on phishing scams and to develop effective countermeasures.

eBay's Answer: Education, Technology

The Internet's top auction site is a juicy phishing target, attracting 104 of the 282 attacks reported in February 2004.

It also has developed one of the most comprehensive defenses against phishing (or "spoofing," another term for the scam and the one eBay uses), using both real-world and online channels to warn and educate users ("community members"), working with law enforcement to catch scammers and making it easy to report suspected spoof emails.

When a community member reports a spoof, the company investigates it, works with the corresponding ISP to get the site shut down, and adds the site to an internal blacklist. It also has worked with federal law enforcement, most recently in a Secret Service case involving Romanian spammers.

Last fall, the company opened a comprehensive online security center, which includes a tutorial on spotting and reporting suspect email and Web sites.

It also recently launched its new eBay Toolbar (PC only), which flashes red when a user wanders onto a blacklisted Web site and prompts a pop-up box if the user is about to enter an eBay password on a non-eBay site.

In-person "eBay University" seminars also include anti-spoofing information.

"We see more and more people sending in emails that are spoofs, which is a good sign," eBay representative Hani Durzy said. "We're seeing more discussion on our chat boards, where members will educate each other. They'll post copies of emails and ask if they're legitimate. There's a real sense of community vigilance."

Five Steps to Fight Back

Set up a pre-emptive strike force with at least one rep from IT, corporate communications, Web site design, customer service, and the email team. You'll need to develop a policy or procedures for tracking and dealing with spoofs or phishing attacks, before you need it.

This list of tactics is based on what other companies have used to battle phishing attacks:

1. Post a prominent notice at your Web site, warning recipients not to respond to suspicious emails or click on links. Some sites use pop-up boxes with a warning, a link to a reporting site and instructions.

2. Set up a dedicated, easy-to-remember email address where recipients can send suspect emails. Include that address on billing statements or other paper communications so that customers can trust it comes from you and not a scammer. Tell people how to report emails with full Internet headers so that you can trace the email as closely as possible, even though some of the information probably is forged.
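What "trace the email as closely as possible, even though some of the information probably is forged" looks like in practice: each mail relay prepends its own Received: line, so the lines written by your own servers are reliable, while everything below the first outside relay, together with the From:, Return-Path and Message-ID headers, can be whatever the sender chose. The script below is an added example (not the article's, and not from any vendor) that reads a reported message with full headers, lists the hops in transmission order, finds the last handoff your own servers actually witnessed, and notes the claims it cannot verify. The sample message, the trusted server names and the IP addresses (RFC 5737 documentation ranges) are constructed for the example; the Received: regex covers the common "from HELO (rdns [ip]) by HOST" layout only.

```python
import email
import email.policy
import email.utils
import re

# Hosts whose Received: lines we wrote ourselves and therefore trust.
# Constructed for this example; substitute your own mail servers.
TRUSTED_RECEIVERS = {"inbox.yourcompany.example", "mx.yourcompany.example"}

# Constructed sample modelled on the kind of message the article describes.
# Addresses use documentation ranges (RFC 5737) and .example names.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.yourcompany.example (mx.yourcompany.example [192.0.2.10])
        by inbox.yourcompany.example with ESMTP id abc123
        for <editor@yourcompany.example>; Wed, 31 Mar 2004 08:02:11 -0500
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
        by mx.yourcompany.example with SMTP id def456;
        Wed, 31 Mar 2004 08:02:10 -0500
Received: from fleet.com (unknown [203.0.113.55])
        by mail-relay.example.net with SMTP id ghi789;
        Wed, 31 Mar 2004 07:58:03 -0500
From: "Fleet Bank" <security@fleet.com>
To: editor@yourcompany.example
Subject: Important account verification
Message-ID: <20040331125803.12345@mail-relay.example.net>
Date: Wed, 31 Mar 2004 07:58:03 -0500

Please verify your account at the link below.
"""

# Parses the common "from HELO (rdns [ip]) by HOST" shape; other layouts are left unparsed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def received_chain(msg):
    """Hops in transmission order (origin first). Relays prepend their own
    Received: line, so the header list is newest-first and must be reversed."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        hops.append(m.groupdict() if m else {"raw": str(value)})
    return hops


def domain_of(address):
    _, addr = email.utils.parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    msg = email.message_from_string(raw, policy=email.policy.default)
    hops = received_chain(msg)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    message_id_domain = str(msg.get("Message-ID", "")).strip(" <>").rpartition("@")[2].lower()

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if message_id_domain and message_id_domain != from_domain:
        findings.append(f"Message-ID domain {message_id_domain} differs from From domain {from_domain}")

    # Walk from the newest hop backwards: lines written by our own servers are
    # reliable; the first line written by an outside host, and everything below
    # it, may have been forged by the sender.
    verified_origin_ip = None
    for hop in reversed(hops):
        if hop.get("by") in TRUSTED_RECEIVERS:
            verified_origin_ip = hop.get("ip")
        else:
            break
    if verified_origin_ip:
        findings.append(f"last verifiable handoff came from {verified_origin_ip}; "
                        "that network's abuse desk is the one to contact")
    origin = hops[0] if hops else {}
    if origin.get("helo") and origin.get("rdns") in (None, "unknown"):
        findings.append(f"origin claims HELO {origin['helo']} with no matching reverse DNS "
                        "(below the trust boundary, so unverifiable)")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "message_id_domain": message_id_domain,
        "hops": hops,
        "verified_origin_ip": verified_origin_ip,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGE)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop}")
    for finding in report["findings"]:
        print("-", finding)
```

On the constructed message the only address you can stand behind is 198.51.100.7, the peer that connected to your own MX; the "fleet.com" HELO on the bottom line was recorded by a relay you do not control, which is exactly why the article warns that the headers are only partly trustworthy. A customer who forwards the message without full headers loses all of this, which is the reason step 2 asks them to include the headers.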

3. Notify your IT staff to begin the investigation, and alert your email broadcast vendor, the sending ISP and the site host, to try to get the scammer's site shut down.

4. Train all call-center and customer-contact people in what to tell callers who report suspect email and how to pass it on for investigation. Or, designate one or two people in your organization to handle all calls and media questions.

5. In the United States, report the scam to the Internet Fraud Complaint Center (link to site below), a joint agency of the Federal Bureau of Investigation and the National White Collar Crime Center; the report can be filed online.

Useful links related to this article:

1. Samples of a phishing email to defraud FleetBank customers, sent March 30th, plus Fleet's excellent on-site warnings to customers:
http://www.marketingsherpa.com/fleet/ad.html

2. eBay's Security Center spoof tutorial:
http://pages.ebay.com/education/spooftutorial/

3. Anti-Phishing Working Group (free basic membership; participation membership starts at $250). Whitepapers, reports, latest news, statistics:
http://www.antiphishing.org/

4. Internet Fraud Complaint Center
http://www1.ifccfbi.gov/index.asp
