Phishing: An Insidious Threat to Financial Institutions

Phishing scams—the use of fake E-mails to dupe people into yielding up their account numbers and passwords—are on the rise. Hijacking the brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.

During the month of November, according to the Anti-Phishing Working Group, 17,000 unique phishing reports were received and 1,000 password-stealing code URLs were identified—both records. Financial services continues to be the most-targeted sector, accounting for 90% of all attacks.

Fortunately, a combination of technology solutions exists to detect and thwart phishing attacks. The long-term solution lies in law enforcement and industry resources being able to quickly identify and shut down attackers, as well as governmental intervention in countries in Asia and Eastern Europe where organized crime is rampant. Yet there are a number of steps that individual institutions can and should take to identify the various scams.

The first thing to understand is that phishing is ultimately a variant of social engineering, in which victims are fooled into divulging information that can be used to loot accounts or create other mayhem. "User's lack of awareness is perhaps the highest contributor to the success of phishing," according to a report, "Phishing: A New Age Weapon," put out by the Open Web Application Security Project (OWASP). Other contributors include easy accessibility to e-mail addresses and the ease of use of the technology. Indeed, phishing ranks as a rather low-tech form of electronic crime. Easily available web technologies enable attackers to quickly build and deploy fake websites. Attackers can easily modify the "FROM" address in an E-mail to make it appear to come from a genuine source, says the report. Also, vulnerabilities in browsers such as Internet Explorer allow Web sites to be spoofed, a phenomenon known as pharming.
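The two mechanisms the OWASP report singles out, a forged "FROM" address and a fake site behind a convincing link, are exactly what an institution's mail-screening or abuse-mailbox tooling can look for. The following is an added example (not code from the article, OWASP or any product): it parses an e-mail with Python's standard `email` and `html.parser` modules and flags a sender domain the institution does not own, a link that points at a bare IP address or an outside host, and an anchor whose visible text shows one host while its `href` goes to another. The institution domain `example-bank.test`, the sample messages and the addresses in them are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the (hypothetical) institution actually sends from and links to.
LEGIT_DOMAINS = {"example-bank.test"}

# Constructed sample messages; every address and domain here is made up.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.test>
To: customer@example.net
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Please visit <a href="http://203.0.113.5/login">https://www.example-bank.test/login</a>
to confirm your details.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.test>
To: customer@example.net
Subject: Monthly statement available
Content-Type: text/html

<p>See <a href="https://www.example-bank.test/security">our security page</a> for tips.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_domain(host, legit_domains):
    """True if host is one of the institution's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def host_in_text(text):
    """Return the host name if the anchor text itself looks like a URL or domain."""
    m = re.match(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#]|$)", text)
    return m.group(1).lower() if m else None


def html_bodies(msg):
    """Yield every text/html part of the message as a decoded string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def analyse(raw_message, legit_domains):
    """Return a list of (code, detail) findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. The claimed sender: a forged From: header is the cheapest phishing trick.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not in_domain(sender_domain, legit_domains):
        findings.append(("sender-domain", f"From domain {sender_domain!r} is not an institution domain"))

    # 2. Every link in the HTML body: where it really goes versus what it shows.
    for body in html_bodies(msg):
        parser = LinkExtractor()
        parser.feed(body)
        for href, text in parser.links:
            href_host = (urlparse(href).hostname or "").lower()
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
                findings.append(("ip-link", f"link target is a bare IP address: {href}"))
            elif not in_domain(href_host, legit_domains):
                findings.append(("external-link", f"link points outside institution domains: {href}"))
            shown = host_in_text(text)
            if shown and shown != href_host:
                findings.append(("link-mismatch", f"anchor text shows {shown!r} but href goes to {href_host!r}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw, LEGIT_DOMAINS) or "no findings")
```

The checks are deliberately header- and content-based, because the article's own point is that the Internet of the time lacked e-mail and Web site authentication; where SPF, DKIM or DMARC results are available from the receiving gateway, a sender-domain finding should be confirmed against those rather than taken alone.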

The Federal Deposit Insurance Corp., in a Dec. 2004 report ("Putting An End to Account-Hijacking Identity Theft"), provides the following stats:

• Up to 5 percent of the recipients of spoofed e-mails respond to them. An estimated 19 percent of recipients have clicked on the link in a phishing e-mail.
• Most, if not all, large financial institutions and electronic bill-paying services have been hit with phishing attacks.
• Attacks originate overseas.
• The average life span of a phishing website is 2.25 days, which makes the sites hard to shut down.

In addition to phishing, the FDIC said, attackers can resort to other methods to steal information, such as hacking, retrieving hard-copy documents or looking over someone’s shoulder, using insiders, and loading malicious software onto a computer used by consumers.

The FDIC report attributes the wave of phishing attacks to a combination of lax security practices and technology loopholes. "The financial services industry’s current reliance on passwords for remote access to banking applications offers an insufficient level of security," said the report.

There are two major reasons why phishing and other types of attacks are being used more and more, and with growing success, to perpetrate identity theft and, in particular, account hijacking: user authentication by the financial services industry for remote customer access is insufficiently strong, and the Internet lacks E-mail and Web site authentication.

The relative anonymity of the web makes it difficult to locate culprits, according to the OWASP report. Attackers can quickly launch a phishing attack and clear all traces equally fast. Existing antispam software and content filters are ineffective in detecting and stopping phishing e-mails. Moreover, most currently deployed web applications lack any anti-phishing features.

The implementation of appropriate authentication methodologies should start with an assessment of the risk posed by the institution’s internet banking systems, according to guidance published in October by the Federal Financial Institutions Examination Council (FFIEC). The risk should be evaluated in light of the type of customer (e.g., retail or commercial); the customer's transactional capabilities (e.g., bill payment, wire transfer, loan origination); the sensitivity of customer information being communicated to both the institution and the customer; the ease of using the communication method; and the volume of transactions.

An effective authentication program should be implemented to ensure that controls and authentication tools are appropriate for all of the financial institution’s internet-based products and services. Authentication processes should be designed to maximize interoperability and should be consistent with the financial institution’s overall strategy for internet banking and electronic commerce customer services. The level of authentication used by a financial institution in a particular application should be appropriate to the level of risk in that application.

About the Author

Andrew Miller

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.
