The message looks official, absolutely genuine. It’s purportedly from a familiar company — it could even be your company — warning readers that their account has been suspended for security purposes and asking them to visit a “secure” Web site to provide credit card and other personal and financial information.
But the message isn’t legitimate. Its originating address — as well as the Web site’s address — has been “spoofed,” carefully disguised to hide its real identity. Both message and Web site are the handiwork of an identity thief on a “phishing” expedition.
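The spoofing described above leaves traces a defender can check for: the visible From: address disagreeing with Reply-To: or Return-Path:, and a link whose visible text names the impersonated site while its href points somewhere else. The following Python script is an added example, not code from the article or from any company it mentions; the sample message, its domains (example-bank.com, example.net) and the two-label approximation of a “registrable domain” are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real message): the From: address imitates a
# bank, the reply and bounce addresses go elsewhere, and the link text shows a
# bank URL while the href leads to a different host.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: collect@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your details at
<a href="http://secure-login.example.net/verify">https://www.example-bank.com/secure</a>
</p></body></html>
"""


def registrable_domain(host):
    """Crude approximation (last two labels) of the registrable domain.
    Real tooling should use the public suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of the first address in a header, normalised."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def sender_mismatches(msg):
    """Flag Reply-To: / Return-Path: domains that disagree with From:."""
    from_dom = address_domain(str(msg.get("From", "")))
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value is None:
            continue
        dom = address_domain(str(value))
        if dom and from_dom and dom != from_dom:
            findings.append((hdr, from_dom, dom))
    return findings


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host_of(text):
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname or ""


def link_mismatches(html):
    """Flag anchors whose URL-like text names one site but whose href goes to another."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.anchors:
        if not text or " " in text or "." not in text:
            continue  # visible text is not URL-like, so there is nothing to compare
        shown = registrable_domain(_host_of(text))
        actual = registrable_domain(_host_of(href))
        if shown and actual and shown != actual:
            findings.append((shown, actual))
    return findings


def analyze(raw):
    """Return header and link findings for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"sender": sender_mismatches(msg), "links": link_mismatches(html)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

Either finding on its own is only a heuristic (mailing-list software and marketing platforms legitimately set a different Return-Path), so a mail gateway would use these as signals for quarantine or banner warnings rather than as a hard block.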
Phishing — the practice of using bogus E-mails to separate people from their money — isn’t a new practice. But activity is picking up as phishers hone their talents, produce increasingly realistic E-mails and Web sites, and victimize a growing number of consumers. “They’ve just really taken off, and the bad guys have gotten more sophisticated,” says Hani Durzy, a spokesman for eBay.
The Web auction company, along with its PayPal electronic payments unit, is frequently “impersonated” by phishers. Indeed, before identity thieves can target consumers, first they must impersonate a trusted business — perhaps your business. Besides eBay, hundreds of companies, including such icons as American Express, Citibank, Visa, and Microsoft, have had to deal with business identity theft. “Any company operating in high-transaction volume, business-to-consumer environments is exposed,” says David J. Santoro Jr., senior manager of finance and performance management for consultancy Accenture. “It’s a major threat.”
MessageLabs, an E-mail security firm that monitors corporate Internet traffic, reports that phishing E-mails rose from 279 in September 2003 to 227,050 in January 2004. The scams are proliferating because they can be very profitable for their perpetrators. Some analyst estimates place the success rate of phishing E-mails at about 1 in every 20 recipients.
One reason for the relatively high success rate is that phishers are becoming more skilled at concocting realistic-looking E-mails and Web sites. “A year ago, it was relatively easy to spot it as a spoof E-mail, because of bad sentence structure, bad grammar, misspellings, and things like that,” says Durzy. Today, phishers’ E-mails and Web sites look real enough to fool all but a trained eye.
The improved quality of phishers’ lures is a sign that, contrary to widespread perception, most business identity thieves aren’t unemployed young men sitting in their parents’ basements. “The people usually behind the attacks are career criminals in organized rings that deploy numerous schemes in obtaining identities from online and offline sources,” says Santoro.
Phishers use a variety of techniques to target unsuspecting consumers. Unsophisticated operatives adopt a scattershot approach, sending phishing lures to any E-mail address they can get their hands on, usually acquiring the data from legitimate sources such as direct marketing firms. More cunning phishers use E-mail lists of their target business’s customers — often obtained illegally from current or former company employees.
As phishing attacks increase, affected companies are spending a growing amount of time and money dealing with the consequences. Besides the burden of coping with legions of angry victims, companies also suffer less-quantifiable costs in terms of damage to their reputation and credibility. For affected firms, the cost of dealing with attacks can quickly add up. eBay, for example, has more than 800 people in various departments — ranging from fraud investigation to customer service — dealing with business identity theft matters on a full-time or part-time basis.