This past May 13, I received an email with the subject head “UsBank.com Update! reply under 25 hoursa.” I was advised as a “Dear US Bank Customer,” which I am not, that I needed to update my information. “During our regular update and verification of the Internet Banking Accounts, we could not verify your current information,” the e-mail read. “Either your information has been changed or incomplete, as a result your access to use our services has been limited. To update your account information and start using our services please click on the link below…”
According to Gartner, an estimated 57 million Americans likely have received fraudulent e-mails of this ilk. In a May 6 news release, the Stamford, Conn. research and analysis firm estimated that these so-called phishing attacks by hackers against online consumers cost U.S. banks and credit card issuers about $1.2 billion last year. The dollar figure represents direct losses from identity theft fraud against these phishing attack victims.
The Winnipeg Police Service at press time was investigating two cases where a Trojan horse may be responsible for an online banking scam that has cost at least two Winnipeg customers thousands of dollars when money was transferred unknowingly from their bank accounts. The department also has information pertaining to five other individuals who lost money with the same scam.
Phishing attacks have become more pervasive in the past 12 months. According to a Gartner survey, 76 per cent of the known or suspected attacks occurred within the past six months (since October 2003), and another 16 per cent occurred during the six months before then. Thus the combined results suggest that 92 per cent of these phishing attacks took place in the past year.
“Financial institutions, Internet service providers, and other service providers must take phishing seriously,” said Avivah Litan, vice-president and research director at Gartner. “These service providers should take action to apply solutions that dramatically minimize, if not eradicate, the threat, even if the service providers themselves are not direct targets. Eventually, all participants in Internet commerce will be hurt by an erosion of consumer trust in online transactions if phishing attacks are not sharply reduced from current levels.”
Gartner estimates that about 19 per cent of those attacked, or nearly 11 million U.S. adult Internet users, have clicked on the link in a phishing attack e-mail. Moreover, three per cent of those attacked, or an estimated 1.78 million adults, report giving phishers their financial or personal information. A year ago, Aberdeen Research analyst Jim Hurley predicted that identity theft losses are on track to reach $2 trillion by the end of 2005. “Identity theft is no longer just a consumer problem: if left unchecked, identity theft promises to ruin individual commercial businesses, entire economic sectors, and governments,” read a synopsis of his report.
The size and scope of phishing and ID theft in Canada is currently being assessed and data collected by several watchful eyes within the nation’s financial services sector. A spokesperson for the Canadian Bankers Association noted that it is not just a bank issue. The CBA last fall issued a joint press release with the RCMP to warn the public to be cautious when receiving unsolicited e-mails from a financial institution or any other businesses.
“If you look at identity theft in Canada, there were 13,000 incidents last year up from 8,000 the year before,” said Rosaleen Citron, CEO of WhiteHat Inc. in Toronto. “In the United States there was half a million and that [difference is] because Canadian banks really got it together early on. The cost of fraud is huge so the [banks] want to make sure it’s taken care of. You’ve got five major banks in Canada — there’s over 5,000 in the United States. [The U.S. banks] don’t have the co-ordination and the governing rules and regulations the Canadian banks have put on themselves.”
But should the financial services sector be doing more for their online customers? What more can they do?
Well, some online financial firms are reportedly considering buying in bulk and offering to customers a new product that protects consumers against phishing and other e-mail scams.
My Privacy Policy (MPP) from Privacy, Inc. is downloadable for US$39.95 at www.privacyinc.com. The company says MPP lets customers automatically generate and use virtual e-mail addresses (“v-mail”), instead of their real e-mail address, to manage their online Web site relationships with their financial institutions as well as online merchants and service providers. For each relationship, users can create rules that block, or forward with a warning, e-mails originating from Web sites other than the one with which they intend to transact business. MPP servers strictly enforce these rules before the e-mail is delivered to the user’s actual e-mail address. Depending on the level of privacy selected by the user for that relationship, phishing messages are either blocked or delivered with a clear warning.
Doug Peckover, co-founder and chief scientist of Privacy, Inc. of Dallas, Tex., says his company is in talks with one major Canadian bank and two of the largest U.S. banks regarding their interest in this product which just officially launched in May.
“The value-add is really simple,” Peckover says. “Banks want to protect their customers from financial abuse because typically the bank gets blamed because phishing attempts look like the bank. You typically shoot the messenger and the messenger is the bank. It’s a lose-lose situation.”
In August, the company will launch a product for virtual payments, followed by a third product for virtual deliveries.
— with file from Rebecca Reid
