Beware these phish tales: Protect against Internet fraud
 

The World Wide Web and its universe of e-commerce have become as deeply embedded in our culture as the telephone and PC. The United States alone has more than 203 million Internet users, meaning that almost 69 percent of the American population goes online, according to the market research firm Internet World Stats. This record-setting adoption of technology, however, has opened the door to illegal "phishing" — a new type of fraud that presents real risks to you, your customers and your midsized organization.

Phishing is a form of identity theft where perpetrators steal valuable, confidential information from individuals or companies. By many accounts, it is the fastest-growing crime in America. In 2003, U.S. banks and credit-card issuers lost $1.2 billion to phishing scams, according to the Anti-Phishing Working Group, an industry and law-enforcement association focused on eliminating fraud and identity theft. And in 2005, more than 13 percent of Internet users said they or a member of their household had been a victim of identity theft, according to The Conference Board.

The Anti-Phishing Working Group says this new crime spree occurs in three main ways:

  • Deceptive attacks. Fraudulent e-mail messages and offers trick users into sharing their credit-card information, account user names, passwords and Social Security numbers.
  • Malware attacks. Malicious software infiltrates a company’s systems to steal data.
  • Domain Name System (DNS)-based attacks. Fraudulent or "spoofed" Web pages draw users from legitimate sites, manipulating them to volunteer private information.

While many phishing excursions are fairly obvious attempts that offer outlandish enticements, online criminals are becoming much more sophisticated. The e-mail security firm MailFrontier projects phishing will grow 25 percent in 2006 to include 1 billion e-mails, yet only 4 percent of Web users can spot a "phishy" e-mail 100 percent of the time. MarkMonitor, a fraud-detection network, reports it identifies approximately 11 million suspicious events every day through data received from the world’s top four Internet service providers (ISPs).

For example, in a recent, broad-based phishing attempt, scammers redirected potential victims to a fake copy of Google’s front page with a large message claiming, "You WON $400.00 !!!" The fake page told visitors to collect their prize money by submitting a credit-card number and shipping address. After visitors entered the information, they were sent to Google’s legitimate Web site without knowing they had just surrendered their personal information to scammers.

Businesses can be equally vulnerable. Not only do companies risk the outright theft of client data and funds through phishing, they are in jeopardy of added, indirect costs such as higher demands on customer-service staff and systems, growing operational expenses, and a retreat to more-manual processes if clients are uneasy about the security of their online transactions. Phishing scams also can damage a company’s brand and reputation by misrepresenting its name, image and logo.

Taking action to prevent fraud
In its report, "Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures," the Anti-Phishing Working Group outlines several steps companies can take to reduce the chances of phishing attacks. These preventive measures include technology solutions as well as simple procedural changes.

Anti-phishing strategies your midsized company should consider adopting include:

  • Use high-quality, multilayered security software. This includes Internet browser and Web security protocols, along with anti-virus and anti-spam software.
  • Maintain the most up-to-date software releases.
  • Educate your employees to look closely at suspicious requests and immediately report any concerns, even if a message appears to come from a trusted vendor or client.
  • Publish an e-mail address where customers can forward suspicious messages and provide clear instructions on how to report a suspected phishing incident.
  • Monitor call volumes and the nature of questions your customer-service department receives. A sudden spike in certain inquiries, such as a password change without a client’s knowledge, can indicate a phishing attack.
  • Watch client account activity for unusual log-in volumes or larger-than-normal transactions.
  • Register domain names that are similar to your brands, trademark your Web site domain names, and take action against anyone registering a domain name that could deceptively represent yours.
  • Set clear policies on your online practices, such as never asking for personal information in an e-mail. Share these policies with your customers in every e-mail communication and post them on your Web site.
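
The monitoring items in the list above (customer-service inquiry spikes and unusual log-in volumes) can be automated with a simple baseline check. The following is an added example, not part of the original article: the category names, the 7-day window, the threshold and the sample counts are all constructed assumptions.

```python
from statistics import median

def find_spikes(daily_counts, window=7, threshold=3.5, min_count=5):
    """Flag (day_index, category, count, baseline) where a day's count is far
    above the median of the preceding `window` days.

    daily_counts: list of {category: count} dicts, one per day, oldest first.
    The median and the median absolute deviation (MAD) are used instead of
    mean and standard deviation so that one earlier spike does not inflate
    the baseline and hide the next one.
    """
    spikes = []
    for day in range(window, len(daily_counts)):
        history = daily_counts[day - window:day]
        for category, count in daily_counts[day].items():
            past = [d.get(category, 0) for d in history]
            baseline = median(past)
            mad = median([abs(x - baseline) for x in past])
            # 1.4826 * MAD approximates one standard deviation for normal
            # data; the floor of 1.0 keeps flat baselines from dividing by 0.
            scale = max(1.4826 * mad, 1.0)
            score = (count - baseline) / scale
            # min_count suppresses alerts on tiny absolute numbers.
            if count >= min_count and score >= threshold:
                spikes.append((day, category, count, baseline))
    return spikes

# Constructed sample data: ten days of help-desk ticket counts and log-in
# attempts. Day 8 simulates customers reporting password changes they did
# not request while log-in attempts surge at the same time.
SAMPLE = [
    {"password_change_unrequested": p, "billing_question": b, "login_attempts": l}
    for p, b, l in [
        (2, 40, 120), (1, 38, 115), (3, 45, 130), (2, 41, 125), (2, 39, 118),
        (1, 44, 122), (2, 42, 127), (2, 43, 121), (19, 41, 410), (3, 44, 126),
    ]
]

if __name__ == "__main__":
    for day, category, count, baseline in find_spikes(SAMPLE):
        print(f"day {day}: {category} = {count} (baseline {baseline})")
```

Two categories spiking on the same day, as in the sample, is a stronger signal than either alone and is worth routing to whoever handles fraud reports.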

Stay informed
While phishing and other hoaxes will remain a fact of life, the good news is that federal, state and local government and industry groups are joining forces to combat fraud and promote education among businesses and consumers.

Visit these organizations’ Web sites for more information about preventing, identifying and stopping phishing attacks:

  • The Anti-Phishing Working Group (www.antiphishing.org/apwg.htm) provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem.
  • The Internet Fraud Complaint Center (www.ic3.gov/) is a partnership between the FBI and the National White Collar Crime Center with a mission to receive, develop and refer criminal complaints regarding the rapidly expanding arena of cyber crime.
  • The Federal Trade Commission (www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm) helps prevent fraudulent, deceptive and unfair business practices in the marketplace and provides consumer information.

Ultimately, some of the best protections against phishing are the same as those that helped ward off snake-oil and get-rich-quick schemes of old: a healthy dose of skepticism and the awareness that, if an offer sounds too good to be true, it very likely is.

 
RSM McGladrey Inc. and McGladrey & Pullen LLP have an alternative practice structure. Though separate and independent legal entities, the two firms work together to serve clients’ business needs. RSM McGladrey is not a licensed CPA firm.

RSM McGladrey Inc. is a member of RSM International - an affiliation of separate and independent legal entities.

2007 RSM McGladrey Inc. All Rights Reserved. Contact us toll-free at 800.274.3978