Although eBay and most other high-profile phishing targets take a very proactive approach to the problem, the immediate reaction of many first-time victims of business identity theft is to make believe the incident never happened or to keep it a secret. Such approaches are doomed to failure, however, since innocent consumers are left in the dark and the problem is likely to recur and grow. “Businesses have to be open and forthright about these incidents,” says Frank Abagnale, the former identity thief and current security consultant whose fictionalized exploits were the subject of the recent Steven Spielberg movie Catch Me If You Can. “I encourage companies to be honest about the problem and immediately notify their customers,” he says.
When Abagnale client Discover Business Financial Services was alerted to a phishing attack on its Discover Card customers last year, the company launched an immediate information campaign. “Discover told its customers, ‘If you receive an E-mail like this, please notify us immediately so that we can check your account, put a flag on it or do whatever it is that we need to do,’ ” says Abagnale. “Discover did the right thing; they confronted the problem head-on.”
Hooking the Phishers Themselves
Since phishing expeditions can recur over weeks, months or even years, most companies that suffer an attack want to catch the responsible individuals as soon as possible. But apprehending a phisher is not unlike trying to land a wily trout — both creatures tend to be slippery and are adept at hiding in shadowy places.
In response to the growing number of attacks, law enforcement agencies are starting to give phishing cases a higher priority. “Law enforcement has been stepped up and has become aggressive in fighting this fraud,” says Tim Mohr, a senior manager with New York-based FirstGlobal Investigations, a division of accounting firm BDO Seidman. Mohr notes that the Federal Bureau of Investigation, the Federal Trade Commission, and the U.S. Secret Service have all begun targeting business identity theft crimes. “The most active law enforcement agency is the U.S. Postal Inspection Service, which has been able to use the mail and wire fraud statutes to prosecute,” he notes.
While U.S. law enforcement agencies are becoming more responsive, phishing is a problem that extends far beyond the nation’s borders. Thanks to the Internet’s international scope, business identity thieves can work from almost any spot in the world. Russia, Eastern Europe, and Asia are all major phisher hotspots. Romania has been particularly active; so far, over 100 people have been arrested by Romanian authorities for phishing-related activities. Last September, the U.S. Secret Service and Romanian police apprehended a particularly notorious phisher: Dan Marius Stefan, who established an elaborate network of bogus Web sites and escrow accounts to fraudulently collect nearly $500,000 from eBay customers. Stefan is currently serving 30 months in a Romanian prison.
Although the Stefan case and several other isolated arrests and convictions have made headlines, phisher arrests and convictions remain rare. “Few legal remedies are available to a company that has been victimized,” says Accenture’s Santoro. “Once the crime has been committed, loss recovery is extremely unlikely.”