
Mississippi Banker - Financial Institutions Must Block Phishing Attacks, Build Customer Loyalty



June 6, 2006
The same computer technologies that provide the financial industry with unprecedented opportunities also bring Phishing, Pharming, Keyloggers, Spyware, and new deceptions that emerge daily. Phishing is an immediate threat to financial institutions because it makes customers wary of using their banks' Web sites for online transactions. In the long term, it can undermine the general public's confidence in online commerce.

Phishing and other scams that use social engineering and technical deception to perpetrate ID theft are now the Internet's biggest scams. Between March 2005 and March 2006, some 2370 separate phishing scams affecting millions of users were reported, and in January 2006, 92% of all Web sites counterfeited were those of financial institutions, according to the Anti-Phishing Working Group. The Federal Trade Commission predicts that in 2006, approximately 9 million people will report being victimized - at a cost of about $56.6 billion. To make matters worse, many Phishing sites host Spyware. While the user's identity is being stolen, his or her computer is being set up for future malicious activities.

The success rate for Phishers is staggering. Phishers can replicate Web sites so well that an estimated 3%-5% of recipients unknowingly furnish Phishers with personal data.

Spear-Phishing, a newer and more efficient means of online identity theft, is personal and targeted. Criminals infer institutional affiliations from users' search histories and then send e-mails that appear to come from these institutions. Criminals can also present pop-up windows requesting "information updates" or "validation" when users go to the legitimate institutional Web site. In these cases, loyalty to one's bank or credit union works against both the customer and the institution. The user is deceived into providing criminals with personal identifiers because he or she thinks that the pop-up is connected to the legitimate Web site. This information is then transmitted to unauthorized third parties and used for fraudulent activities. Recipients are much more likely to be fooled by fraudulent sites if they have an affiliation with the institution whose site is being "spoofed." Approximately 19% of recipients respond to Spear-Phishing, one of the most insidious threats to Internet users.

These are disruptive technologies: innovations that have changed the fundamental way in which banks must do business. To be effective, the response must be equally innovative. Yet the financial industry's responses have been based on sustaining technologies: traditional methods of alerting customers. E-mails, notices, brochures, and information on institutional Web sites all seek either to educate customers about the nature of online fraud or to notify customers after an attack has taken place.

Among the law enforcement, judiciary, business, consumer groups and researchers engaged in the fight against malicious software, there is disagreement over how to approach this problem. However, all sectors agree that the weak link in the chain is the end-user: the customer. Even experienced Internet users are often unable to determine whether a Web site is fraudulent or legitimate.

Why are users fooled by Phishing scams? Three common reasons:
  • Security Cues: Most users do not understand, and therefore do not look for, indicators of authenticity. These include the indicators of a secure site: the proper protocol (https) in the address window and a closed padlock in the browser window, indicating that the Web page being viewed was delivered over SSL.
  • Typejacking or Typosquatting: Phishers often substitute letters or non-printing characters in legitimate addresses to deceive readers who "see what they want to see." For example, in a common technique an "i" or a "1" is substituted for the "l" in "www.paypal.com". The casual reader sees "www.paypal.com" when presented with "www.paypa1.com".
  • Lack of security focus: When the user is attempting to perform a key task such as making a bank transaction, a purchase or attending to a job-oriented duty, security is often overlooked. This is especially true in a culture that encourages multi-tasking. Perhaps the price of multi-tasking is the inability to focus completely on any one thing at a time. The user who is receiving text messages, paying a bill online and engaged in a chat session is not likely to detect a fraudulent Web site.

iS3, Inc., maker of the award-winning anti-Spyware solution STOPzilla, is giving financial institutions the opportunity to provide the ZILLAbar, its anti-Phishing product, to their customers without cost. The product, which was designed to be co-branded with the institution's logo, typeface and color scheme, works with Microsoft Internet Explorer to block Phishing attacks and other online identity theft scams. Participating financial institutions are being offered revenue-sharing on the anti-Spyware and ID Theft Protection packages that customers purchase as upgrades to the ZILLAbar.

The ZILLAbar's advanced Phishing protection uses multiple technologies to detect known and potential Phishing sites. The URLs of the latest known Phishing sites are downloaded from multiple databases as often as every thirty minutes and included in the ZILLAbar updates. In addition, the ZILLAbar uses heuristics (analysis of behavior and content) to determine the likelihood that a particular site is UNSAFE. Its Anti-Phishing Scoring Engine is a mathematical rules engine that subjects the Web content in the user's browser to a set of sequential evaluations intended to identify fraudulent sites. If the score reaches the threshold level, a Phishing Alert indicates that the site is potentially malicious. With the ZILLAbar, customers become empowered in the war against online fraud.
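To make the two mechanisms described above concrete (the typosquatting substitutions from the list of reasons users are fooled, and a rules engine that sums sequential evaluations against a threshold), here is an added Python example. It is not iS3's Anti-Phishing Scoring Engine and not code from the original article: the protected institution "examplebank.com", the confusable-character table, the rule weights and the alert threshold are all constructed for illustration, and the registered-domain helper deliberately simplifies (no public-suffix list). Sample URLs use documentation-only addresses.

```python
"""Toy rule-based URL scoring engine with a look-alike (typosquatting) rule.

Constructed example for this page; not iS3's engine. The brand, weights and
threshold below are hypothetical values chosen to illustrate the technique.
"""
import ipaddress
from urllib.parse import urlsplit

PROTECTED_BRAND = "examplebank"       # hypothetical institution name (constructed)
PROTECTED_DOMAIN = "examplebank.com"  # its hypothetical registered domain (constructed)
ALERT_THRESHOLD = 50                  # illustrative threshold, not a vendor value

# Characters a hurried reader takes for the letter on the right, e.g. "paypa1" for "paypal".
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Simplification: no public-suffix list, so 'bank.co.uk' would be mis-split."""
    return ".".join(host.split(".")[-2:])


def score_url(url: str):
    """Apply the rules in sequence; return (total score, list of reasons that fired)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    score, reasons = 0, []

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False

    if parts.scheme != "https":
        hit(15, "page not delivered over SSL/TLS")
    if parts.username is not None:
        hit(25, "userinfo before '@' disguises the real host")
    if is_ip:
        hit(30, "host is a bare IP address")
    else:
        reg = registered_domain(host)
        label = reg.split(".")[0]
        if PROTECTED_BRAND in host and reg != PROTECTED_DOMAIN:
            hit(40, f"brand name used on foreign domain {reg}")
        # Typosquatting check: normalize confusables, then allow one edit of slack.
        if label != PROTECTED_BRAND and levenshtein(
            label.translate(CONFUSABLES), PROTECTED_BRAND.translate(CONFUSABLES)
        ) <= 1:
            hit(40, f"look-alike domain label {label!r}")
        if len(host.split(".")) > 3:
            hit(10, "unusually deep subdomain chain")
    if PROTECTED_BRAND in path and PROTECTED_BRAND not in host:
        hit(20, "brand name appears only in the path")
    return score, reasons


def classify(url: str) -> str:
    """Phishing Alert once the summed score reaches the threshold."""
    score, _ = score_url(url)
    return "PHISHING ALERT" if score >= ALERT_THRESHOLD else "OK"


# Constructed sample URLs (RFC 5737 documentation addresses only).
SAMPLES = [
    "https://www.examplebank.com/login",                      # legitimate
    "http://www.examp1ebank.com/login",                       # "1" for "l"
    "https://examplebank.com.secure-update.example/verify",   # brand as subdomain
    "http://192.0.2.10/examplebank/login",                    # bare IP, brand in path
    "https://www.examplebank.com@198.51.100.7/",              # userinfo trick
]

if __name__ == "__main__":
    for u in SAMPLES:
        total, why = score_url(u)
        print(f"{classify(u):15} {total:3}  {u}  {why}")
```

The legitimate URL scores 0; each of the other samples crosses the threshold through a different combination of rules, which is the point of scoring rather than single-signature matching. In production the confusable table would cover Unicode homoglyphs as well as ASCII look-alikes, and the registered-domain split would use a public-suffix list.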

The future of computer security lies in smart technology, taking a predictive rather than reactive approach. iS3 is a pioneer in this arena. Rather than relying upon scanning, examining each file and attempting to match it with a known malicious signature, iS3 products also look for programs that monitor keystrokes, connect to unusual ports, or try to hide and make registry changes. Malicious attacks are detected and stopped in real time, before they can do any damage to the user's computer or capture sensitive information.

The disturbing trend in online fraud is toward exfiltration: more targeted attacks of increasing sophistication aimed heavily at smaller local banks and credit unions. We must be prepared to block and counter these attacks with increasingly aggressive strategies. The question is no longer whether you will be a target of online fraud, but when, and how you will respond to the attack.
