Phishing" and "pharming" attacks against banks and other financial institutions are a high-tech version of an age-old form of fraud that can only be thwarted by consumer awareness, not software, according to technology experts. "There are going to be some clever ways that people will try technologically to solve this problem, and they will not be terribly successful," said Tim McKellips, manager of education and information worker solutions for Madison-based Inacom Information Systems. "Scams have been around for hundreds of years. People pretending to be other people is a fraud that predates the telephone, let alone the Internet."
A phishing or pharming attack occurs when a consumer receives an e-mail that appears to be from a bank or other financial institution. The person is asked to respond to the e-mail with personal information or is directed to a Web site that appears to be legitimate.
Phishing and pharming attacks are similar plots in which those committing fraud try to obtain personal information from other people voluntarily, including Social Security numbers, addresses, phone numbers and account numbers. Then they use that information to steal the victim’s identity.
Phishing is the equivalent of cold calling, McKellips said. When people phish, they are throwing a line out into cyberspace to see who takes the bait. They don’t know who is a customer of the companies they pretend to be, such as MasterCard or JPMorgan Chase. However, since those companies are so large, phishers send out millions of phony e-mails, hoping that some customers of the company who receive it will respond with personal information, McKellips said.
Phishing attempts receive, on average, a 3 to 5 percent click-through rate, and the average financial loss for a consumer is $1,000, said Kelly Hansen, chief executive officer of Neohapsis Inc., a Chicago-based technology security company with an office in Milwaukee.
"If I send out 1 billion e-mails and only 1 percent of people respond with their personal information, that is 100,000 people," McKellips said. "So if I send out 1 million e-mails, I could get 1,000 responses."
Pharmers want the same outcome as phishers but use a more concentrated tactic. They either scrape a Web site for information or install spyware or a virus on a computer system that will capture where users are trying to go on the Internet.
Pharmers then take that data on an individual basis and use it to create an illusion that they know who an individual is when they send an e-mail, McKellips said.
Phishing and pharming attackers commonly pose as eBay Inc., PayPal Inc., banks and other companies to lure consumers because some people do not question why these companies would want their personal information. The companies also cater to a wide array of consumers giving an attacker more potential targets.
The first warning sign of a phishing or pharming attack could be if an e-mail that appears from a bank or financial institution asks for information, McKellips said.
"A bank that lost your information will not contact you for more information," McKellips said. "There is an article of reflectivity that is lost where the consumer should ask, ‘How do they know this is really me?’"
If individuals were approached on the street or by phone and asked to give out their personal information, they would most likely refuse or ask questions, McKellips said.
"What needs to take place is better user awareness," Hansen said. "If consumers know not to expect any type of e-mail correspondence from their bank, then they are less likely to send out their credentials."
The simple way to avoid phishing attacks is to not click on links that come in e-mails unless you have no doubt that the e-mail is from a trusted, legitimate source, said Josh Heling, chief technology officer of SecurePipe Inc., a Lincolnshire, Ill.-based security consulting company.
"When in doubt, contact the bank," he said. "They have the biggest interest of all to try to limit phishing because it causes them trouble. Their hope is to have more people enroll in e-banking."
Another way to spot a fraudulent e-mail is to look at the Web address. Attackers that are redirecting individuals to a Web site have set up a site that looks authentic but has a spelling error in the address or even on the site, Heling said.
The spelling error in the Web address indicates that the site is false, and spelling errors on the site can be an indication that the site is not legitimate, McKellips said.
Technology will never be able to eliminate phishing and pharming, or other types of fraud, because as society creates new technologies to use for good purposes, thieves also adapt, said Dan Kattman, an Internet lawyer with Reinhart Boerner Van Deuren, S.C.
"For every new attack, there are new ways to stop it and this will probably continue," Kattman said. "At the same time, educated consumers and companies that have policies in place to inform customers are not going to be sucked in and will recognize (phishing and pharming) as soon as they are informed. That is the best way to deal with it."
The amount of attacks is constantly increasing, and attackers continue to pose as smaller banks and financial institutions and even smaller companies, Hansen said. Consumers should be prepared to deal with the issue ahead of time before there is a problem.
Kattman helps clients set up policies regarding phishing and pharming attacks to instruct employees and customers about what they should and should not do online, he said.
"There is an acute need now for people, even with small banks, to be wary," Hansen said. "E-mail is not a way for people to conduct business and is highly suspect. Call and verify if you get an e-mail or delete it, and if the company wants to reach you, they will probably do so by phone."
Other efforts that banks and financial institutions are taking include offering customers a personalized Web site, Hansen said. Once a customer signs in with a password, a downloaded or chosen photo of the customer’s choice will appear on the page. If the photo does not appear, the customer should see it as a warning that the site is not legitimate, Hansen said.
"It is so easy to do a phishing attack and pretty tricky to take them down," Hansen said. "There is technology available that will help, but most organizations do not have them in place yet. The technology is there, but it is very expensive to deploy, and a lot of institutions are concerned that customers do not want to pay for it."
E-mail is not the only thing to watch out for. Phishing attacks can happen in multiple forms on the Internet.
"(Consumers are) better off investing in some decent spam and virus blockers and spending time to get to know their computers," McKellips said.
A large reason why people fall victim to phishing and pharming is because they cannot see or hear the person on the other end, McKellips said. Because it is the consumer that ultimately is at fault and not the company that a thief was pretending to represent, consumers need to take responsibility and be more cautious on the Internet, technology experts say.
Consumers should never give their personal information out over the Internet unless they are completely sure that the site is secure, because the result can be lost savings, identity theft or worse.
"In the security world we talk about the seven layers involved in network security," McKellips said. "The layers are very technical and each does something different for the network environment, but the most dangerous layer is layer eight. The end user. Biological engineering is much more frightening."
July 8, 2005, Small Business Times, Milwaukee, WI
