Phishers are set to have a bumper Christmas this year, as bargain shoppers snap up the bait. In the UK alone almost 2,500 bank account details will be captured and nearly a thousand full identities will be stolen¹.
Trusteer Corporation has released the results of its online phishing analysis, covering 10 large banks in the US and Europe over a three-month period, with the data normalised per one million users. According to the report, phishers have managed to steal on average $2,000 (1,225.08 GBP) per compromised online banking account, totalling $9.4 million per year.
Phishing is very popular amongst cyber criminals because it is relatively easy to implement. Just create a fake website that looks almost identical to the original one and start sending e-mails worldwide, with links that lead victims to pages which capture crucial data such as payment details.
Last month a 22-year-old bedroom hacker was arrested by the Israeli Defence Force, after he had sent e-mails containing a web-link connecting to phishing sites that mimicked Bank Leumi's and Bank of Israel's websites.
The Virus Lab at Avira (a supplier of self-developed security solutions) conducted an analysis of phishing origins over the last three months. It provides an overview of the spread of phishing attacks and identifies the most popular "brand-spoofed" companies, which are the current phishing targets world-wide.
APWG (The Anti-Phishing Working Group) has come up with the 1st Half (January-June'09) Phishing Activity Trends Summary that includes some really shocking figures:
Phishing is the act of gaining illegal access to somebody's sensitive information, such as a username, password or credit card details. Phishers typically ask a person to log in and provide his/her personal details on a fake website or via a link to one.
Malware is somewhat different from phishing. In short, malware stands for malicious software - software designed to infiltrate or damage a computer system without the owner's permission. It includes computer viruses, worms, trojan horses, spyware, etc.
Since the majority of phishers target bank accounts, the UK banking industry in particular is working very closely with a number of UK and overseas partners, such as the Serious Organised Crime Agency, Internet Service Providers and software companies, to restrict phishing attacks.
How do the phishers know of your bank account?
The shortest answer to this question is that they don't. They keep sending millions of identical "spam" e-mails to people all over the world. They keep looking for targets, and once a customer of some bank honestly provides his/her personal information, they get lucky. Spammers gather e-mail addresses from a variety of sources such as web pages, newsgroups and even sheer guesswork.
What do the banks do to combat phishing?
Banks advise their customers to report immediately any link or e-mail asking for personal details. People must refrain from clicking on any such website or log-in form and must notify the bank concerned so that the message can be authenticated.
American Bank has offered some steps to combat phishing on its website (https://www.americanbank.com/):
"Never give your card, PIN, or account numbers or other sensitive information to anyone. Even if it appears to be legitimate. If you are ever solicited by someone claiming to be from American Bank asking for this information, please do not give them the information and contact us immediately. Our contact information can be found on this website under the 'Contact Us' link or you can report a potential phishing attempt to your area branch."
Last year, London's Barclays Bank contracted Gemalto (an Amsterdam-based provider of digital security and smart card solutions) to supply smart card readers to authenticate its online customers. Since then "Phishing attacks decreased dramatically against Barclays whilst increasing to an all-time high for the U.K. banking industry", reports Sean Gilchrist, the bank's digital banking director.
PayPal, a global leader in online payment solutions, has published some useful tips to make its customers aware of phishing. On its website, https://www.paypal.com/in, there is a section: "Questions PayPal will never ask you in an email".
Similarly, many other banks in Europe and in other parts of the world are arranging for safe online payment transactions so that account holders do not fall into the traps set by phishing gangs.
How do people get their money back, after being Phished?
If you are robbed by a cyber criminal, you can often get the amount refunded, provided you act immediately and let the bank know you have been cheated. In the US, for example, when an ATM card, PIN or online banking password is stolen, consumers must report the loss within two days of receiving the bank statement that reflects the fraud, according to "Reg E" (a set of regulations issued by the Federal Reserve that governs online banking, ATM withdrawals and debit card payments).
Consumers who act promptly are liable for only $50 (29.96 GBP) in losses, while waiting until the third day raises the liability to $500 (299.63 GBP). And if a consumer waits more than 60 days, the liability is unlimited.
The UK government's Fraud Bill targets phishing criminals and allows judges to sentence those found guilty of "participating in fraudulent activity" and "false representation" to prison terms of up to 10 years.
What are the banks' policies on e-mail - Do they send e-mails?
Hancock Bank (US) does not use e-mail notifications to request confirmation of personal information or to direct customers to download attachments. If a person receives such an e-mail, responding to it may put his/her financial information and identity at stake. It is advisable not to respond and instead to forward a copy of the message to: Phished@HancockBank.com
Deutsche Bank, operating in 72 countries, collects e-mail addresses through the following modes:
Best possible ways of avoiding phishing attacks:
Unless people themselves are "on their guard", phishers will carry on their fraudulent activities and the illegal draining of large numbers of public accounts. E-mail users must be careful before clicking on any link in a message. They should ensure websites are properly encrypted by checking whether or not the web address begins with "https" (the "s" stands for secure). Always ask yourself: do you trust this site, and do you trust the computer you are using?
Symantec's Phishing Report (www.symantec.com) for November 2009 shows a 17% increase in phishing attacks over the previous month. People are particularly advised to be cautious of phishers and spammers as the holiday season approaches. It is a prime time for cyber gangs to get active in finding new targets via e-mails, social networking sites and online forums.
Suparna Sen – Smartcard & Identity News
¹ Prediction by online security expert Marcus Whittington of SentryBay.