In Depth
Foiling Phishing
Companies on the front lines of the phishing wars share tactics for protecting customers and employees alike.
By Dragoon Alice
Specific legal measures are percolating (such as the Anti-Phishing Act of 2004, a bill proposed to the Senate in July), but will take time to implement and enforce. Although technological solutions are on the horizon, they won't be in place for at least a year, and quite likely not for two or three. In the meantime, there are measures CSOs and CISOs can put in place to stanch the billions of dollars in potential losses to their employees, customers and companies. Here's a look at the current state of phishing, why it's such a serious threat to e-commerce, and what companies on the front lines of the phishing wars are doing to minimize the risk.

Lost Dollars, Lost Trust

While early phishing attempts were crude, with telltale misspellings and poor grammar, phishing e-mails have become remarkably sophisticated in recent months, sending recipients to fake sites that are replicas of the sites they're spoofing. Fake status bars make it look like a website is secure, or e-mails and webpages contain viruses with keystroke loggers that capture customers' online banking passwords. Plausible-looking "cousin" domains like aolaccountupdate.com or mycitibank.net are registered by would-be thieves, not AOL or Citibank. E-mail links send customers to fake log-in pages that use a phished company's logo and images. Phishers even direct recipients to a well-known company's real website, but then collect their personal data through a faux pop-up window that ships it to a server overseas.
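The "cousin" domain lure described above (a brand name embedded in a domain the brand does not own) is one of the few phishing tells a mail gateway can check mechanically. The following Python is an added example written for this page, not code from AOL, Citibank, EarthLink or any other company named in the article. The brand allowlist, the sample message and the two-label registrable-domain heuristic are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Brands and the domains they legitimately use. This allowlist is constructed for the
# example; a real deployment would load the organisation's own registered domains.
BRAND_DOMAINS = {
    "aol": {"aol.com"},
    "citibank": {"citibank.com", "citi.com"},
    "earthlink": {"earthlink.net"},
}

# Simplified public-suffix handling (assumption: no full public-suffix list offline).
# The registrable domain is the last two labels, or three when the last two are a
# well-known second-level suffix such as co.uk.
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Return the registrable domain of a hostname under the heuristic above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host):
    """Return (brand, verdict) for a hostname.

    verdict is 'legitimate' when the registrable domain belongs to a known brand,
    'cousin' when a brand name appears anywhere in a hostname the brand does not own
    (e.g. aolaccountupdate.com, secure.mycitibank.net, aol.com.verify-center.net),
    and None when no brand is involved.
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    for brand, allowed in BRAND_DOMAINS.items():
        if reg in allowed:
            return brand, "legitimate"
    # Drop separators so my-citi-bank.net and citibank_update.com still match.
    flat = host.replace("-", "").replace("_", "")
    for brand in BRAND_DOMAINS:
        if brand in flat:
            return brand, "cousin"
    return None, None


def extract_hosts(text):
    """Pull the hostnames out of every http(s):// or www. URL in a message body."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)")      # trailing sentence punctuation
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def find_cousin_domains(message):
    """Return (host, brand) pairs for every cousin-domain link in a message."""
    flagged = []
    for host in extract_hosts(message):
        brand, verdict = classify_host(host)
        if verdict == "cousin":
            flagged.append((host, brand))
    return flagged


# Constructed sample lure for the example; not a real message.
SAMPLE_EMAIL = """Dear valued customer,
Please confirm your details at http://www.aolaccountupdate.com/login within 24 hours.
For Citibank members: https://secure.mycitibank.net/verify?id=123
Legitimate help is at http://help.aol.com/ and https://www.citibank.com/.
Unrelated link: http://www.example.org/news
"""

if __name__ == "__main__":
    for host, brand in find_cousin_domains(SAMPLE_EMAIL):
        print(f"cousin domain for {brand}: {host}")
```

The check deliberately matches the brand token anywhere in the hostname, not just in the registrable domain, so a lure like aol.com.verify-center.net is caught even though its registrable domain contains no brand name. The price is false positives on unrelated names that happen to contain a short brand token, which is why this belongs in a scoring pipeline rather than as a hard block, and why a real deployment should replace the two-label heuristic with the public suffix list.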
"I've been to meetings of industry experts where it's taken them minutes of studying an e-mail from a phisher site to determine that it's not the actual site," says John Curran, supervisory special agent with the FBI's Internet Crime Complaint Center. "You can't expect the average person sitting at home surfing the Internet or doing online banking to be suspicious of an e-mail that convincing."
The cost of an attack can add up quickly. Companies that are targets must deal with huge spikes in call center volumes as customers call either to voice their suspicions or question why the company needs their account data. APWG's Jevans knows of one financial services company that received 70,000 calls an hour for 12 hours when it was hit with its first phishing attack. In addition, companies must alert consumers, work with ISPs to shut down the phisher site quickly and follow up with law enforcement to try to nab the perpetrators. For customers who fall for a phisher's lure, companies must also reset their passwords and help them deal with the repercussions of any phishing-related fraud. At EarthLink, which suffers an average of eight unique phishing attacks each month, the cost per attack is more than $40,000.