Phishing is the practice of deceiving Internet users into providing sensitive personal information, such as a social security number, bank account number, or pin number, by using e-mails and websites that impersonate a trustworthy institution with a legitimate need for the information. The information can be used by the phishers to commit identity theft or can be sold to identity thieves. Banks are a natural target for phishing fraud because most banks provide Internet banking, which allows identity thieves to use the information they fraudulently obtain to access the victims’ assets through the Internet. This article discusses possible measures that banks can adopt to reduce the risk of phishing attacks.
Phishing has been growing at an alarming rate. In the one-year period between November 2005 and October 2006, the Anti-Phishing Working Group (APWG), an association of businesses and law enforcement officials working to combat phishing, received 402,590 reports of unique, active phishing sites. That represents a staggering 448 percent increase in unique phishing sites compared to the same period a year ago, during which APWG received 89,803 reports of unique, active sites. Similarly, the Gartner Group reported the results of a survey it conducted in November 2006, which showed that the number of Americans who received phishing e-mails increased from 57 million in 2004 to 109 million in 2006. Gartner estimated that the losses from these attacks have grown to $2.8 billion, and that the average loss per victim has nearly quintupled from $257 in 2005 to $1,244 in 2006.1
Unsurprisingly, more than 90 percent of phishing attacks are on financial institutions. In January 2007, seven of the companies most frequently targeted for phishing attacks were banks, though the Gartner study indicated that phishing attacks on banks are declining.2 A 2004 study by Gartner hints at the impact of phishing on banks. The study reported that two million bank customers had their checking accounts raided, with an average loss of $1,200. Under section 205.6 of Regulation E , the Federal Reserve’s implementing regulation for the Electronic Funds Transfer Act, most of the losses from a phishing scam are borne by the bank rather than the customer, depending on when the customer notifies the bank of the unauthorized transaction. Gartner said that online banking fraud accounted for most of those losses. The Gartner study also discussed the secondary costs of phishing scams, including increased employee time responding to telephone inquiries from customers affected by a phishing scam.
In a typical case, the identity thieves send out mass e-mails to consumers purporting to be from a legitimate company with which the consumer might do business, such as a bank or a payment service like PayPal. The e-mail will typically ask the customer to verify account information using a pretext, such as "It has come to our attention that your PayPal Billing Information records are out of date. That requires you to update the Billing Information." Most phishing e-mails will also threaten that the consumer’s account will be suspended or terminated if the account information is not verified.
The e-mail will contain a hyperlink with a web address that appears to be a legitimate variation of the actual company’s address. The link inside the e-mail will either appear similar to the web address of the legitimate company the phisher is impersonating or will appear to be the actual uniform resource locator (URL) of the company being spoofed. Most users assume that if a hyperlink appears as a URL (e.g., https:\www.bank.com), the link will automatically take the user to that URL. In fact, the Internet’s language for coding and displaying information (known as hypertext markup language, or HTML) does not require any relationship between the information displayed in a link and the underlying URL behind the information displayed.
The creation of a counterfeit website is a relatively simple matter. The website of a bank, consisting of text, graphics, and other information, is transmitted in its entirety when a user browses the company’s website. An HTML editor can save all of the information transmitted, including the graphics, which can then be used to create a counterfeit site that appears identical to the website of the bank being impersonated. Some phishing sites even display the actual graphics of the bank’s website they are impersonating by linking directly to the graphics of the bank’s website.
Regrettably, the variety, sophistication, and evolving nature of phishing scams do not lend themselves to a single magic bullet to prevent them from happening. Instead, the best solution is to employ a multi-tiered approach that banks and their customers can initiate.
Multifactor authentication. In October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance on authentication procedures for Internet banking.3 Many banks use single-factor authentication for Internet banking (meaning verification based on only one factor, such as information the customer possesses, like a username and password). Multifactor authentication requires that two or more authentication factors be used to access an account. A second factor might be something the customer has, such as a token. A third factor might involve the use of biometrics, such as a fingerprint or eye scan.
The guidance stated that "where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks." FFIEC further stated that single-factor authentication is inadequate for high-risk transactions involving access to customer information or the movement of funds. To clarify the guidance, FFIEC issued "Frequently Asked Questions" on August 15, 2006, that address many questions generated by the original guidance.4
Most Internet-based financial services use single-factor authentication, usually a password, for customers to access their accounts. If an institution relies only on single-factor authentication, transactions lack adequate protection for sensitive consumer information and funds. When a customer is tricked into disclosing a password, a thief could use the information to access the customer's accounts and potentially transfer funds.
While regulatory guidance, by definition, is not mandatory but merely suggestive, many banks are implementing multifactor authentication.5 Multifactor authentication adds an additional level of security to the logon procedure. While multifactor authentication is still subject to phishing attacks, it makes phishing more difficult. For example, if the phishing site tricks a customer into providing a username and password, and the bank site also required a hardware token, it would be more difficult, though not impossible, to gain access since the phisher cannot obtain the token from the consumer through a phishing e-mail.6
By making it more difficult for phishers to attack a bank website, multilevel authentication also has a deterrent value. Phishers conducting surveillance of a bank’s website might conclude that it would be easier to target a bank with weaker security. It is analogous to the car thief who avoids cars known to have a high level of security and instead targets ones with little or no anti-theft technology.
Education programs. The success of phishing rests on the odds that a certain percentage of consumers will respond to deceptive e-mails. Because these scams are propagated through sophisticated social engineering tactics, technology alone cannot stop the problem. Educating bank customers about the existence of phishing schemes and steps that customers can take to minimize their risks are key elements in preventing phishing schemes.
Banks should be proactive in educating their customers about ways to avoid phishing scams. Because phishing scams often target online banking customers, bank websites provide a good medium to communicate with them. Banks should remind their customers of safe practices to follow when using the Internet. Banks can then monitor the number of hits to the warning link to determine whether customers are reading them. If the hits are relatively low, because some customers do not always click on separate links on bank websites, banks could also incorporate the warnings into the logon procedure to ensure customers are receiving them.
Banks must walk a fine line with education because they want to inform their customers without alarming them. The information in educational warnings could result in some customers avoiding online banking for fear of identity theft. Banks obviously do not want to scare their customers away from Internet banking, especially since it is less expensive for banks to conduct transactions on their websites than in branches with tellers. Each bank must determine the appropriate balance in preparing educational materials that inform customers of safe practices to follow without causing undue alarm.
Many banks believe that customer education is a key tool. Alecia Kontzen, director of e-commerce risk at Wachovia, relies heavily on consumer education to help prevent phishing attacks. Wachovia uses a rotating marketing campaign on Wachovia’s website, which has received many hits. She also emphasizes employee training for responding to phishing reports from customers.7 Some banks also include educational materials in customers’ monthly statements and periodically conduct educational seminars.
Other prevention techniques. Banks can also be proactive in detecting phishing scams before they occur. Phishing scams are increasingly being executed from abroad. Therefore, since IP addresses reveal the country from which the user is accessing the Internet, banks should monitor customer IP addresses for unusual activity when they attempt to log onto the bank’s website. For example, if a customer always banks from the same IP address in Texas, and one night the bank receives a wire transfer request for that account at 2:00 a.m. from an IP address in Korea, the bank’s systems could be programmed to suspend the account temporarily while the bank contacts the customer to verify the proposed transaction.
Some banks also hire third parties to monitor domain name registrations. Phishers will often register a domain name with a slight variation of the URL of the bank they are attempting to spoof, hoping that the slight variation will deceive customers into thinking they are banking on the legitimate site. If a bank learns of the registration of a suspiciously similar name, it can reasonably infer that a phishing site is likely being developed and respond accordingly. Some third-party vendors also offer services in which automated Internet software applications, known as "Internet bots," search for websites similar to the bank’s website.
Other initiatives companies can undertake to protect against phishing include employee education, computer security enhancements, e-mail filters to prevent phishing e-mails from reaching bank employees, and other practices that can help reduce the risk of phishing attacks.8
Banks should also stay well-informed about new developments in phishing fraud because phishing scams tend to evolve over time as identity thieves attempt to adapt their practices to newer security measures. The APWG maintains a newswire with recent developments in phishing and offers other resources to help combat phishing.
Anti-phishing toolbars and browsers. One important customer initiative to combat phishing is anti-phishing toolbars and web browsers that can detect phishing websites and alert the user. Currently, about 12 different phishing toolbars are available.
Because consumers must load anti-phishing toolbars onto their home computers, an important issue for banks is how they can encourage their customers to install them. One option is for the bank to list information about toolbars on its website, with a link to download them.
The toolbars typically employ one of two different approaches to determining whether a user is visiting a phishing site. The first approach, known as blacklisting, compares the uniform resource locator (URL) a consumer is browsing against an updated registry of known phishing sites. If the web address appears in the registry, the toolbar warns the user. Some toolbars also employ whitelisting, in which a URL is first checked against a list of legitimate websites. If the URL appears on the list of safe sites, the user is notified that the site has been verified. If the URL does not appear on the white list, the toolbar checks it against the blacklist. If the URL appears on the blacklist, the toolbar warns the user.
The second toolbar approach uses heuristics, in which a rule-based algorithm examines whether a website has suspicious characteristics common to phishing sites and alerts the user if it determines the site is a likely phishing site. For example, if a site has multiple links to graphics on other Internet domains, particularly sites that are frequently impersonated like eBay and PayPal, the algorithm will conclude it is likely a phishing site.9 Most of the graphics used on a website should be on the same domain as the website. Linking graphics to external websites on different domains is a sign of a phishing website. Some toolbars will also display the country hosting the website. If a consumer’s bank is based in Johnstown, Pennsylvania, but the toolbar says the site is originating in Russia, that information will help alert the consumer that the webpage is likely a phishing site.
Another important issue is the difference in the effectiveness of toolbars. In a recent article, "Phinding Phish: An Evaluation of Anti-Phishing Toolbars" , researchers at the CyLab at Carnegie-Mellon University evaluated the effectiveness of 10 toolbars in detecting phishing sites. The study found that three of them detected 75% of the phishing sites tested, while four detected less than 50% of the phishing sites. One toolbar, relying solely on heuristics, had a high rate of detecting phishing sites, but also made a significant number of "false positives," in which a legitimate site was incorrectly flagged as a phishing site. Banks should consult with their IT and legal departments for the best way to address these issues.
Web browsers are also joining the effort to combat phishing. The latest editions of the major Internet browsers have built-in anti-phishing filters. Some browsers use a blacklist by default. Others use heuristics in addition to a blacklist to detect phishing sites. Typically, if the browser detects a site that it believes to be a phishing site, it will alert the user.
The method a toolbar or browser employs to detect phishing sites is important because some identity thieves have already developed a response that significantly diminishes the effectiveness of the blacklist approach. In a new technique dubbed "Rockphish," some phishers are continuously changing the web address of the phishing site through the use of "botnets."10 Because blacklists check a web address against a database of known phishing sites, a phishing site whose web address constantly changes renders the blacklist ineffective. As a result, some experts recommend that users employ toolbars and browsers that do not rely exclusively on blacklists but that also employ heuristics.
Phishing attacks remain a significant concern for banks. While no single magic solution exists to prevent them from happening, and the attacks will continue to evolve, banks can employ a multitiered approach to reduce the risk of such attacks being successfully executed. This approach could include multifactor authentication, customer and employee education, web monitoring for suspicious activities, and encouraging customers to use an anti-phishing toolbar and/or browser.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.