Phishing Archives

Is There Anything Left to Phish? Fake Wells Fargo Credit Card Authorization Notification

By Jim Bruene on March 6, 2007 3:34 PM | Comments (0)

I hate phishing. Not only has it cost the world's financial institutions tens of millions in fraud losses, it's just about killed the email channel in terms of getting your customer's attention in a timely fashion, and it's diverted management's attention from much-needed online marketing improvements. That's much worse than the actual fraud losses. 

Like most people with widely published email addresses, I get a half-dozen phishing messages every day (note 1). I rarely give them a second look unless they purport to be from my bank. Almost all of them are placed in the junk folder by Outlook, one of the nicer services of Microsoft Office.

Phishers have to be much more creative these days. The time has passed when a few paragraphs of broken English and the bank's logo could net the fraudsters a few extra coins. Now I get fake emails asking me to verify my security settings, authorize account changes, or claim a sweepstakes prize.

For example, today I received a fake credit card authorization request from Wells Fargo (see inset). I'm not sure why it prompted a blog entry. Maybe because I use a Wells card, or maybe because I've been talking to mobile banking execs about this very subject. But the fake was good enough to force me to take a closer look. The biggest clue is the wrong format for the USD charge, using a comma instead of a decimal point between the dollars and cents. But otherwise it's pretty good, and may even net a few card numbers before it's taken down.

Analysis
I am optimistic that email can still be effective if financial institutions clearly personalize their messages (see samples here and here). However, gaining customer trust back, especially for security-related messages, is a long-term project. That's why we are telling financial institutions to invest in RSS/XML feeds (Online Banking Report #135/136) and/or mobile banking (Online Banking Report #138/139) in order to reach their customers in a way that is less prone to fraud, at least for now.

Notes:

1. A great online repository of phishing examples is housed at MillerSmiles.co.uk

2. There's a whole book on phishing, click on cover above to go to Amazon's description of the title.

Comments (0)

Phishers Use Craigslist to Stay Ahead of the Curve

By Jim Bruene on April 28, 2006 3:27 PM | Comments (0)

Criminal minds are usually the most fertile. Just how fertile was displayed last week, when a phisher actually advertised for victims on Craigslist, the popular classified ads web site.

The ad, posted at 7:00 AM on April 26, asked Bank of America customers to send the poster their account and telephone numbers, in return for which he or she promised to deposit $1,000 per day into their accounts. The victims were supposed to take 15 percent for themselves, and immediately forward the balance to another Bank of America account. The poster couldn’t do it him/herself, they said, because they were currently in New Zealand.

We stumbled across the ad at 9:00 AM and immediately forwarded it to Craigslist, which removed it within an hour. We also informed Bank of America, which later said it was aware of the scam. Bank of America’s response led to the obvious inference that the scamster had been active earlier, since the ad had been posted on Craigslist for only two hours, but it—and Craigslist—declined to explain the apparent discrepancy in the time line.

The Federal Bureau of Investigation, which likewise declined to respond specifically to the event, said the ad was a new version of the old “freight forwarder” con game, in which the victim is asked to receive payments and forward them and then, after a few successful transactions, is asked to cash a check for more than the usual amount and refund the balance. Once that succeeds, the crook predictably vanishes. The scam also has much in common with the—by now—hoary Nigerian scam, in which someone posing as a Nigerian lawyer or government official emails the mark for help smuggling enormous amounts of money out of that country.

The scam breaks new ground, says Avivah Litan, vice president and research director at Gartner Inc. “I’ve never heard of this—it’s very clever social engineering,” she says. “I doubt that BofA knew about it—they just want to seem like they’re on top of things.”

At a minimum, the scam should get a prize for sheer brass, not to mention minimum effort. Typically, a phishing scam involves a skillfully crafted and apparently genuine email from a bank or popular e-commerce site, and an equally well-designed, fake website in which the unwary enter their account information. In this case, the scamster just posted an ad, hoping to snag one or two victims before the ad was spotted and taken down.

In this case, whether the perpetrator succeeded is unknown, but the Craigslist ad is very similar to scams commonly found on job want-ad sites like Monster.com. “The jobs boards are filled with these things, and the FBI is constantly having to trace them back to the sender, but this is the first report I’ve heard about a Craigslist ad,” says Peter Cassidy, secretary general of the Anti-Phishing Working Group.

Cassidy says this is a new wrinkle in the game. “It’s phishing, but not the usual retail phishing, where they’re looking for your banking credentials—it’s definitely a new hybrid,” he says.

And, he adds, he’s unsurprised. “People are putting up things like deceptive software that infect your computer and call it freeware or games. Why should we be surprised that people are putting up deceptive ads in order to phish people?”

For the record, we post the ad below, complete with misspellings.

Reply to: job-154729485@craigslist.org
Date: 2006-04-26, 7:09AM EDT
We´re an e-gold exchanging team. I own a website, and I`m looking for Bank of America customers, as i'm an account holder as well, I´m able to transfer UPFRONT to your account, daily amounts of $1000. All you have to do is withdraw and send to one of our exchangers. Remember that you get to keep 15% for yourself.If you are wondering why I can´t do it myself, it is simply due to my current unavailability; I`m in New Zealand visiting with relatives, and that´s why I´ll need your assistance.

As I am going to send upfront, I´ll need some things, such as:

- You must own this account for at least 3 months (I call to verify)
- You must suply a land line phone #
- You must be from USA and you´re not allowed to use a third party.
- The amounts should be sent within 24 hours, delays will not be tolerated.

You may also be wondering:

- What information do you need to transfer the amount into my account!?

I´ll need only the following information: Account holder #, last name and zip code, ONLY

- Is there any possibility of having my account hijacked with performing such activity!?
Absolutely not, it´s a typical transaction between bank of america accounts, and you can make sure about that calling up bank of america customer service with these questions, or simply using your bank online referring to transfer and if you notice, they will require the information I previously requested to.

a.. Compensation: You´ll receive 15% from all amounts. Up to 65k annually, your weekly share will be $1800.
54729485
------------------------------------------------------------------------------
(Contact: Craigslist, 415-566-6394; Bank of America, 415-622-6367; Federal Bureau of investigation, 202-324-3000;Gartner Inc., Avivah Litan, 301-610-7482; Anti-Phishing Working Group, Peter Cassidy, 617-491-2952)

Comments (0)
Categories: Bank of America, Phishing

Everbank Goes on the Offensive Against Latest Phishing Scheme

By Jim Bruene on December 20, 2005 4:52 PM | Comments (0)

If you are a smaller bank or credit union and are phished for the first time, you might consider the approach Everbank took in response to a phishing incident today.

The bank took the unusual step of sending an email to its customers warning them about the fraudulent email (click on the screenshot below for a closeup). They even included a copy of the phishing message at the bottom of the warning. The bank also posted a small red-outlined box on its homepage (see inset) with a link to the same email message.

Analysis
Although it may seem futile to send an email warning about a fake email, we think it's a good idea if the phishing episodes are infrequent. The big targets such as Citibank or PayPal can't do this, not with dozens of attacks every month; however, smaller companies should consider proactive email communications, but no more than a few times per year, otherwise customers won't pay any attention.

Most users will realize the Everbank response is genuine, because it doesn't ask for any customer information, especially when they compare it to the fake message at the bottom of the screen.

Yes, some customers will be even more confused. But hopefully their calls to customer service will provide you with a chance to put them at ease. There are costs associated with these anti-fraud efforts, but that's part of the trust involved in being in the banking business.

--JB

Comments (0)

Phishing Awareness Less Than 30%

By Jim Bruene on July 22, 2005 3:55 PM | Comments (0)

We've warned against using too many scare tactics on your website (see OBR 119, Marketing Security). Here's data to support that argument.

The latest Pew Internet Project survey (PDF) found that more than 70% of Internet users had either never heard of the term Internet phishing (15%) or were unsure of its meaning (55%), leaving just 29% who said they had, "a pretty good idea of what the term meant." In comparison, 88% of Internet users had a pretty good idea of what Spam meant, 78% knew Firewall and also Spyware, while 68% understood Internet cookies, and even 52% knew Adware.

--JB

Comments (0)

Ebay Toolbar Provides Phishing Defense

By Jim Bruene on April 5, 2004 10:30 AM | Comments (0)

We’ve been a proponent of increasing your presence on the desktop through browser toolbars, pushed content, and other means . We were looking at it from a usability and marketing standpoint. It turns out there’s another use, as a security enhancement.


Leave it to eBay to come up with the first proactive anti-phishing system. Ebay toolbar users received the Account Guard upgrade in February. It has two functions. First, whenever a user visits a valid eBay URL, the background color of the account-alert section of the toolbar changes to green. It’s a subtle but effective technique – quite noticeable when a spot on the top browser controls suddenly changes color, and much more effective than a locked or unlocked padlock in the lower corner. Second, an optional feature launches an alert box whenever you type your eBay username into a non-eBay URL.

It’s not a foolproof system. It only protects against browser-based phishing. It wouldn’t guard against phishing attacks that ask users to update their account within the body of a phony HTML email. We’ve also heard that it’s possible to spoof the toolbar itself, pasting a phony one at the top of a fake browser.
Comments (0)
Categories: Ebay, Phishing

Fighting Email Fraud (Part 2)

By Jim Bruene on December 2, 2003 12:24 PM | Comments (0)

In part 1 we concluded that the combination of fraudulent emails, spoofed websites, and identity theft is perhaps the biggest assault on online banking since its invention. This is much worse than previous bouts of bad publicity, such as the dotcom bubble, which served to strengthen the bond traditional financial institutions had with their customers.

This crime wave threatens to undermine customer trust in the new medium just when it was starting to become ubiquitous in many countries. Email spoofs won’t stop customers from logging into your website to check their statement (in fact, it may give them an incentive to do so more often), but it will make users more leery of anything new you try to do, especially when marketed via email.

We think the media attention to the problem is just beginning. In 2004, we expect a mini-backlash against online finance, as customers become frustrated with the perceived lack of security of all things financial. It will blow over in 12 to 18 months as financial institutions do a much better job equipping users with security tools to monitor their own accounts and as digital signatures or similar email authentication schemes catch on.

Banks need to accelerate consumer understanding and acceptance of online risk with an extensive education plan delivered via website and email. We’ll outline what we think needs to happen below.


The latest fake email targeting Citi customers uses
the old contest-winner scam (posted 12/4/03).

Anti-Phishing Plan

1. Personalize all email messages with the user’s first and last name, effectively differentiating them from most spam, especially the fraudulent kind.

2. Send copies of all emails to the user’s secure online banking mailbox (if applicable), so they can verify the authenticity of bank messages received over the Internet.

3. Create a form for users to report suspicious emails, spam, and any other online abuse; consider providing an incentive, such as Yourbank fraud-fighter shirts to the first person who reports each email hoax.

4. Post an email address for forwarding suspect emails, use autoreply to confirm all submissions, and lay out the next steps the bank will take to minimize damage.

5. Post a special fraud/lost password hotline telephone number (if possible, different from your regular customer service number).

6. Post FAQs covering:
* What to do if you receive a suspicious email
* What to do if you’ve inadvertently provided personal information to a fraudulent site
* How to report lost or stolen cards, checks, laptops, or passwords/user IDs
* Links to third-party resources

7. Post copies of known frauds, including the email message and screenshots of any popup windows.

8. Develop a Security icon for your website that points to the security education area.

9. Each time a new user signs up for online banking or opt-in email marketing, reply with an anti-phishing message detailing exactly what is and is not sent via email.

10. Send this same message to all users at least once per year, more often if you are being targeted by email scammers.

11. Have a “Know the URL” contest. Users enter the URL in the box to enter the contest.

12. Sponsor an annual “fraud-fighting” week where you enlist the branches and media to educate against all types of fraud, on- and offline; for example, in South Africa, First National Bank’s recent Card Security Week.

13. Use full-screen educational messages at login.

14. Help customers put a permanent button or toolbar in their browser that links to your website.

Copyright 2003 Online Banking Report (ISSN 1095-2829) is published monthly by Financial Insite, Inc., 4739 University Way NE, Suite 1002, Seattle, WA 98105, USA. Phone: +1(206) 517-5021, Fax: +1(206) 524-0351, Email: info@onlinebankingreport.com, Web: onlinebankingreport.com. Subscriptions: US$795 per year worldwide, includes paper and electronic editions. Editor & Founder: Jim Bruene, jim@onlinebankingreport.com; Business Manager: Anita Schultz; anita@onlinebankingreport.com; Sr. Analyst: Margaret Quinn, mq@onlinebankingreport.com; Circulation: Kate Schultz, kate@onlinebankingreport.com; Webmaster: Kelsey Marshall, kelsey@gagedesign.com; Web Database: Claire Powers; Copy Editor: Jennifer Russell; Editorial Board: Bruce Bruene, The Principal Financial Group; Vera Wildauer, Cascade Bancorp. Warning!! Federal copyright law prohibits copying this report. Contact the editor for reprints or electronic rights.


PayPal has long-used this effective technique to communicate important information. After login, users are served a one-time splash screen. This screen, which was displayed after our Dec. 8 login, dealt with phishing.


Recommended Website Approach

We firmly believe the place to deal with specific security incidents is not on the homepage, but within a defined Security Center reachable through a dedicated link and/or icon located on every page. While we applaud the unprecedented efforts to educate users about phishing threats, prominent homepage warnings go too far. It’s like draping a 12-foot banner across your brick and mortar branch that says, “Be careful, you may be robbed.”

A better approach is to develop a robust Security Area to promote general customer and employee education as well as detailing specific fraud warnings. Citibank has by far the best anti-phishing section we’ve seen.

Even more important, because general website content is not often viewed by online banking customers, are security warnings sent via email and posted in your online banking area (see PayPal above). If you feel you must call attention to the problem on your homepage, use restraint. Citibank recently added an About email fraud link in the lower right navigation area. This strikes us as an appropriate level of emphasis, although Citibank used an in-your-face banner several months ago when the first wave of fake emails hit.

 

Generic Visa card phishing attempt circulated Dec. 5, aimed at anyone in the world with a Visa card. Clicking on the link takes you to a spoofed website (source: http://www.anti-phishing.org//).


Sample Educational Email:
Email Safety Tips

Audience: New users of online banking and/or anyone opting in to email messages or statements

From: Yourbank Customer Service
To: Pat Q. Customer

Subject: Email Safety Tips

Thanks for signing up for _______. It’s important for you to be able to recognize an authentic email from Yourbank. Recently, a number of banks have reported crooks sending fake emails that look like they are from the user’s actual bank. These fake emails try to get recipients to reveal usernames/passwords, ATM card number/PIN, or credit card number/expiration date, and so on. Sometimes the emails instruct the recipient to enter the information into the body of the email, while others use popups and fake websites to collect the info.

Although Yourbank customers have not yet been targeted by this scam, you should be on the lookout for fake emails. Here are five rules for safe email banking:

1. All messages from us will be personalized with your first and last name in the body of the message.

2. Never reveal any personal information such as username and password in response to an email request, even if it looks like it’s from us. We will NEVER ask for personal information via email.

3. Never log in to your account through a link provided in a suspect email, even if the message looks like it may be from us. Always go directly to <http://www.yourbank.com> and follow the links to log in or apply for a product.

4. When completing any online form, make sure the URL has an https:// in front of it, e.g., our login page is <https://secure.yourbank.com>. You will also see a locked padlock in the lower portion of the browser window.

5. A copy of each message sent to you over the Internet will be sent to your secure bank inbox, so you can always check there to verify the authenticity of an email from us.

If you receive a suspicious message, please forward it to us at security@yourbank.com. If you believe you may have inadvertently given your password to an unauthorized party, notify us immediately via telephone so we can reset your password and monitor your account for suspicious activity.

Please let us know if you have any questions and thanks for banking with Yourbank.

Regards,


Kim Strong
VP Online Customer Service
(888) 255-5515

Sample Educational Email:
Know-the-URL Contest

Audience: All website users

From: Yourbank Customer Service
To: Pat Q. Customer

Subject: Win a Portable DVD player by knowing Yourbank’s Web address

To safeguard against imposters posting fake websites, called “spoofing,” it’s important for you to recognize the genuine Web address of your bank:

www.yourbank.com

Sometimes, we may substitute a different “name” for the “www” portion, or we may add a filename after the “.com,” for example:

secure.yourbank.com
www2.yourbank.com
www.yourbank.com/apply.htm

But yourbank.com will always be part of the Web address, also referred to as URL.

We will be calling and emailing online banking customers at random, asking them to name the Web address of Yourbank. To win, all you have to do is reply:

www.yourbank.com

For a complete list of prizes and contest rules, please follow this link:

www.yourbank.com/know_the_URL.htm

Please let us know if you have any questions. Thanks for banking with yourbank.

Regards,

Kim Strong
VP Online Customer Service
(888) 255-5515
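The “Know the URL” email above and the eBay Account Guard toolbar described earlier rest on the same check: does the host the browser is actually talking to end in the bank’s registrable domain? The following is an added example, not code from the original page, from eBay, or from any bank. It assumes the placeholder domain yourbank.com from the sample emails, and every URL in it is constructed for the demonstration. It parses the real host rather than searching the address string for the bank’s name, so yourbank.com appearing as a subdomain prefix, as userinfo before an “@”, or inside the path does not count, and it models the toolbar’s second function (warning when the bank username is typed into a page outside the bank’s domain).

```python
# Added example (not code from the original page, eBay, or any bank): the
# host check behind "Know the URL" education and behind an eBay-style
# toolbar indicator. "yourbank.com" is the placeholder domain used in the
# sample emails above; every sample URL below is constructed for the demo.
from urllib.parse import urlsplit

BANK_DOMAIN = "yourbank.com"  # assumed placeholder, as in the sample emails


def is_bank_url(url: str, bank_domain: str = BANK_DOMAIN) -> bool:
    """True only if the URL's host is bank_domain itself or a subdomain of it.

    The decision is made on the parsed host, which is what the browser actually
    connects to, so text placed before an '@' (userinfo), extra labels appended
    after ".com", or the bank's name inside the path never count.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. a malformed IPv6 literal in the host
        return False
    if parts.scheme not in ("http", "https"):  # urlsplit lower-cases the scheme
        return False
    host = parts.hostname  # lower-cased; userinfo and port already removed
    if not host:  # no scheme or no host: "yourbank.com/login" parses as a path
        return False
    host = host.rstrip(".")  # "www.yourbank.com." is the same host
    return host == bank_domain or host.endswith("." + bank_domain)


def toolbar_should_warn(page_url: str, typed_value: str, username: str) -> bool:
    """Model of the toolbar's second function: alert when the user's bank
    username is being typed into a form on a page outside the bank's domain."""
    return username.lower() in typed_value.lower() and not is_bank_url(page_url)


def classify(urls):
    """Map each URL to True (bank) or False (not bank); used by the demo below."""
    return {u: is_bank_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed samples: the first three are the shapes the sample email calls
    # legitimate, the rest are typical look-alikes seen in phishing mail.
    samples = [
        "https://secure.yourbank.com/login",
        "http://www2.yourbank.com/",
        "https://www.yourbank.com/apply.htm",
        "http://www.yourbank.com.evil.example/login",  # bank name as a prefix
        "http://www.yourbank.com@evil.example/",        # bank name as userinfo
        "https://yourbank-secure.example/",             # look-alike domain
        "https://192.0.2.10/www.yourbank.com/login",   # bank name in the path
    ]
    for url, ok in classify(samples).items():
        print(("bank  " if ok else "OTHER ") + url)
    print(toolbar_should_warn("http://www.yourbank.com.evil.example/login",
                              "PatQ", "patq"))  # the toolbar alert would fire
```

Two limits the page itself notes still apply: the host check says nothing about a form embedded in the body of an HTML email, since no URL is visited, and a toolbar can be spoofed by drawing a fake one inside a fake browser. An https:// prefix on its own is likewise no proof of legitimacy; the domain is what the customer has to recognize.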

Comments (0)

Enlisting Users in the Battle Against Fake Emails

By Jim Bruene on December 1, 2003 12:19 PM | Comments (0)

No Phishing


In previous reports we’ve discussed long-term strategies to improve security and prevent unauthorized account access from ID thieves and mass phishers*. While monetary losses from these incursions are relatively small, the bigger issue is lost trust, making it harder to use the online channel profitably. We’ve even heard that a major European bank is considering eliminating all links from its email messages, a move that if widely adopted, would be a major setback to the industry. Before surrendering to the crooks, we recommend some less-drastic approaches involving user education and digital signatures.

We are glad to see banks taking the threat seriously, mounting major user-education efforts. However, we caution against overreacting with dire homepage warnings.

Too much emphasis can be just as bad as too little. Statistically, there isn’t a great likelihood that phishing emails will reach their intended victims. Our email address, posted on our website since 1995, receives more than 700 spams per day, but we’ve never seen a fake banking message, although they may have been filtered at our ISP. However, we have received numerous eBay and PayPal fakes.

We are not suggesting you ignore the threat. In the short-term, you must rely on end-user vigilance to prevent damage from phishing. Every financial institution should educate users on the factors influencing email and website safety. We recommend using email messages and a dedicated website security section to do the job. Go easy on the scary homepage messages: a well-placed link to your security section should suffice.

You can be sure the media will do a fine job of creating fear, uncertainty, and dread among your online customers. Your job is to make customers feel more secure, not less.

Jim Bruene, Editor & Founder
jim@netbanker.com

*Mass phishing is sending fraudulent emails to a broad audience hoping to snag a few suckers out of the millions who receive the email. In comparison, a targeted phisher sends a personalized email to a single person, perhaps with knowledge of their card number, or at least the issuing bank, in hopes of gaining additional info.

Comments (0)
Categories: Phishing
