
As the editor of an online journal, my easily accessible email address is the target of every sales, promo, porno, and solicitation that a scammer can think up. Most of these are captured in a scammer program and quickly deleted. More deceptive, and a concern to all of us doing business online, is the phenomenon of phishing. I was so convinced recently that a major bank needed information from me that I had to think through all of my financial transactions before realizing I was not their customer.
It has been estimated that last year phishing cost the financial services industry $1.2 billion, with banks and credit card issuers being the most heavily hit. Phishing[1] is an email scam designed to get the consumer to give up private information such as bank account numbers, credit card numbers, Social Security numbers, or any other information that will help scammers to steal the email recipient’s identity. Anyone with an email address has most likely been phished.
The Internet makes it easy to create legitimate-looking email requests for information. Scams have progressed from the days when a fraudulent plea came in a poorly written email from the Sierra Leone Ministry of Banking Affairs asking for your help in clearing the funds from an idle bank account that belonged to a family killed, without any heirs, in an automobile accident. With the ease of downloading images, copying the transaction wording of a reputable company, formatting a page to duplicate an authentic business website, then setting up a system to capture all that private, confidential information, it is increasingly difficult for anyone to distinguish the real thing from the fakes.
The problem is growing at an alarming rate. The Anti-Phishing Work Group[2] reports a 28% increase in phishing from July to November 2004.[3] A simple Google search on “phishing” came back with 2.5 million links. One of the articles was an FTC Consumer Alert from the Federal Trade Commission titled “How Not to Get Hooked by a ‘Phishing’ Scam.”[4] A new tool to combat phishing is the Internet Explorer plug-in from Netcraft,[5] which it is hoped will help people avoid becoming victims of online fraud. The Anti-Phishing Work Group website includes lists of the most recent online scams, the names of companies fraudulently used, and information about protecting businesses and consumers. Fortunately, we have people working on solutions; unfortunately, by the time this scam has been curtailed, a new one will have evolved.
The ease of doing business online for both customers and companies is at risk as the fear of becoming a victim grows.[6] Legitimate email requests are now either ignored or deleted because the consumer is afraid to trust the source. An article in CIO.com offers a few suggestions to businesses for combating phishing,[7] including educating your customers about the problem and about how they can tell the difference between your legitimate business and a scam.
Most Internet experts seem to agree that scamming on the Internet is not going away; rather, it will take unimaginably creative forms in this new communication medium. It is imperative for companies doing business online to be aware of current fraudulent schemes and to be proactive in combating them with appropriate security measures. Companies must be responsive to the concerns and insecurities of customers by developing additional levels of online security and creating electronic avenues for their customers to verify that these safeguards are in place and that their online transactions are indeed legitimate—not the Sierra Leone Minister of Banking under a new guise.
If you have any phishing stories at your company to share, we would like to hear from you.
[1] http://www.webopedia.com/TERM/p/phishing.html
[2] http://www.antiphishing.org/
[3] http://www.antiphishing.org/APWG%20Phishing%20Activity%20Report%20-%20November%202004.pdf
[4] http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
[5] http://news.com.com/2100-1029_3-5507644.html
[6] http://www.msnbc.msn.com/id/4741306/
[7] http://www.cio.com/archive/090104/phish.html