In Depth

Foiling Phishing

Companies on the front lines of the phishing wars share tactics for protecting customers and employees alike.

By Dragoon Alice

Page 3

For financial institutions, potential losses are higher than for ISPs and other types of companies, since they must also absorb the cost of any resulting fraud. Litan's research revealed that of Internet users who gave personal information to phishing sites, more than half became victims of identity theft fraud. She estimates that phishing-related fraud cost banks and card issuers $1.2 billion last year. Accurate metrics on losses are tough to pin down because companies don't want their competitors, or customers, to know the extent of the problem. (Citibank, for instance, won't even share information about its antiphishing efforts.)

The damage goes beyond the substantial dollar losses. Some customers may feel so spooked they no longer want to do business with the company. "It's a question of trust, a question of brand," says Tom Salmond, who manages the E-Banking Fraud Liaison Group at the Association for Payment Clearing Services (APACS), a trade association of U.K. financial institutions.

Litan warns that phishing and similar attacks could slow the growth of e-commerce in the United States by 1 percent to 2 percent in 2005. "The impact is that no one can trust Internet communications anymore," she says. "The whole promise of e-commerce, to lower costs, increase revenue and launch [tailored] marketing campaigns more quickly, all that goes out the window if consumers don't trust e-mail communications."

You Can't Wait for Sender Authentication

One reason phishing e-mails are so convincing is that more than 95 percent of them forge the "from" line so that the message looks like it's from the spoofed company. If e-mail gateways could verify that messages purporting to be from, say, Citibank did in fact originate from a legitimate Citibank server, messages from spoofed addresses could be automatically tagged as fraudulent and thus weeded out. (Before delivering a message, an ISP would compare the IP address of the server sending the message to a list of valid addresses for the sending domain, much the same way an ISP looks up the IP address of a domain to send a message. Litan calls such enabling technology the equivalent of caller ID for the Internet.)

Although the concept is straightforward, implementation has been slowed because the major Internet players have different ideas about how to tackle the problem. Microsoft developed a real-time address verification standard known as Caller ID, while EarthLink and AOL have been pushing the Sender Policy Framework (SPF) approach. Yahoo came up with a third standard, called DomainKeys. In May, the Caller ID and SPF standards merged into Sender ID. A month later, AOL, EarthLink, Microsoft and Yahoo agreed to test each other's standards. Although antiphishing advocates are cheered by this level of cooperation, it will take at least a year, and possibly as long as five to seven years, before all the details are ironed out and the standard is implemented. That implementation requires upgrades to Internet domain servers and e-mail and browser software.
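The "caller ID for the Internet" check described above, as an added illustration that is not part of the original article: a simplified SPF-style evaluator that compares the connecting server's IP address against the address list a domain publishes, and a gateway rule that tags or rejects messages from unauthorised servers. The domains, addresses and records are constructed stand-ins for DNS lookups, and only the ip4, ip6 and all mechanisms are handled; real SPF checks the envelope sender (MAIL FROM) and HELO identity, while Sender ID checks a header-derived address, so this is the common core of both rather than either specification in full.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (runs offline); these domains and
# address ranges are documentation examples, not any real organisation's policy.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example-isp.test": "v=spf1 ip4:198.51.100.10 ~all",
}

def evaluate_spf(sender_domain: str, connecting_ip: str, records=SPF_RECORDS) -> str:
    """Return an SPF-style verdict: 'pass', 'fail', 'softfail', 'neutral' or 'none'.

    Simplified evaluator: supports ip4/ip6 mechanisms and the 'all' catch-all with
    the +/-/~/? qualifiers. include, a, mx and redirect terms are not handled here.
    """
    record = records.get(sender_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy, so there is nothing to check against
    ip = ipaddress.ip_address(connecting_ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to a 'pass' qualifier
        if term[0] in verdict:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return verdict[qualifier]  # catch-all decides anything not matched above
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6") and value:
            try:
                # An IPv6 address is never inside an IPv4 network (and vice versa).
                if ip in ipaddress.ip_network(value, strict=False):
                    return verdict[qualifier]
            except ValueError:
                continue  # malformed network in the record: skip the term
    return "neutral"  # record ended without an 'all' term

def tag_message(from_domain: str, connecting_ip: str, records=SPF_RECORDS) -> str:
    """Gateway decision for a message claiming from_domain, received from connecting_ip."""
    result = evaluate_spf(from_domain, connecting_ip, records)
    if result == "fail":
        return "reject-or-quarantine"  # forged 'from' line: server not on the domain's list
    if result == "softfail":
        return "tag-suspicious"  # domain says 'probably not ours'; flag rather than drop
    return "deliver"  # pass, neutral or no policy: normal delivery (other filters still apply)
```

A domain with no published record yields "none", which is why the article's point stands: until senders publish records and receivers check them, the gateway cannot distinguish a spoofed message from a genuine one.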
