White Paper: CheckFree Emerging Issues and Trends

Seeing the need for an industry issues paper about phishing — its definition, statistics, potential solutions’ pros and cons, and ways the industry, business and consumers could help combat it — CheckFree tapped Barbara Wilkes of Wilkes Communications. She interviewed their chief privacy officer, reviewed client-provided research to extract information from more than 20 sources, and ghost-wrote this 20-page document. Below is excerpted copy.

Copy Sample:
Emerging Issues & Trends: The Phishing Phenomenon
By John Tomaszewski

(Outhead) Scams and scammers existed long before the Internet. Perpetrators simply have adapted their methods as society and communication methods changed.

Before computers, there were fraudulent scams that reached victims via newspaper ads, door-to-door salespeople and mail, phone, credit card and fax solicitations and schemes — to name a few. The advent of the computer and the Internet conveniently offered just another communication avenue to reach potential victims.

Early hackers were typically teenage boys who tested their skills by trying to break into secure databases. (High school film hero Ferris Bueller illustrated this when he enhanced his “permanent record” by hacking into the principal’s office computer on his infamous day off.) The next generation of hackers was made up of technology professionals who exposed weaknesses in business or government security for reputation or notoriety. “White hats” made a business of reporting holes, “black hats” of committing crimes. The current generation of hackers consists of criminals and organized crime, often located outside the United States, who plan well-orchestrated attacks for monetary gain. Businesses, banks and government are not always the targets. Now that these institutions have beefed up security, the weakest link is consumers. That is where scammers focus today.

Just as unwary fish become caught in fishing lines, a growing number of today’s consumers are finding themselves entrapped by online fraud scams — hook, line and sinker. In the sea of online communication and commerce, fraudsters set their hooks and nets to catch unsuspecting consumers, using e-mail scams, “phishing” and “pharming” to gather personal data.

Phishing: Casting lines for financial information

The latest threat to consumers is what is known as “phishing,” an online scam that fishes for, and catches, information utilized for committing identity theft. Phishing uses spammed e-mails and fake websites to make consumers think they are dealing with a legitimate business so they unwittingly provide their confidential identifying and account information to the fraudsters. A take-off on “fishing,” phishing means that hooks are baited and cast to consumers whose names are on e-mail lists scammers have obtained from various sources. Scammers know that most will ignore the bait, but a few will bite — enough to make the expedition worthwhile.

Here is how a typical phishing scam works: A fraudster picks a financial institution, retailer's web store or other similar organization and targets its hundreds of thousands of customers — or a similar-sized list of unrelated consumers — so the odds are good there are existing customers who may respond. The fraudster sends a legitimate-looking and -sounding e-mail telling recipients that they need to update or validate (re-enter) existing or accidentally deleted information. If they do not, they are warned that their service, account or recent order will be cancelled...

The hook: Spammed e-mail

The proliferation of e-mail as a marketing vehicle led to the idea that if you could touch enough people and a small percentage responded, there would be a viable return on investment. Consequently, we are now inundated with advertisements for everything from stock advice to sex-enhancing drugs...

Phishing originally attempted to collect private information by asking the recipient to reply by e-mail with the desired information. After many target institutions issued notices that they did not request information of a sensitive nature via e-mail, phishers realized that their next step should be creating a scheme that includes a web presence, taking victims to a separate URL.

The net: "Pharming" or spoofing websites

Today, most phishing techniques include a "spoofed" website — one looking like the target website but controlled by the phisher. An e-mail directs the unwary consumer to click a link and visit the spoofed site. Usually the e-mail has a button or other link that takes the recipient to the spoofed website...

[Followed by 10 pages discussing the problem's size and impact, resources and regulations fighting the problem, reasons phishing works, solutions, and solution pros and cons — before heading into the following section outlining recommendations.]

The multiple-pronged solution

While there is no magic bullet or any one solution that will stop phishing today, there are a number of solutions combining industry leadership, technology and human behavior change that can attack different aspects of the problem. Included below are multiple solutions that could help minimize the success of phishing attempts.

Business solutions

Businesses can take several steps to protect themselves and their customers, as well as help plug phishing holes:

  • Team up their technology and marketing/public relations officers to form a comprehensive attack against phishing that includes consumer education
  • Research and implement technology measures that work for the business, including combining passwords and watermarking on websites
  • Contribute data to industry initiatives — such as input for databases of e-mail authentication programs like Sender ID

Technology provider solutions

Backbone providers, ISPs and other Internet-service companies can develop and implement protective services and systems such as filtering, scanning and authentication. They also can join forces with trade associations to improve areas of shared responsibility to close doors. However, any of these solutions should be adapted to market need and consumer expectations.

Legislative and enforcement solutions

Legislators can continue to define consumer protections and write laws that deter crime and allow law enforcement to remove criminals from the marketplace. As high-tech scams evolve, our laws and enforcement need to evolve, as well. Because phishing is a global problem, we also need to team up with specialists in other countries.

Consumer solutions

Last, but not least, consumers can join the fight. As consumers, we all must devote time to learn the basics of phishing and take steps to help protect our confidential information, computers, connections and identities against fraud. Security software, firewalls and a questioning mindset are critical first steps — with self-detection and fast resolution response necessary to minimize losses when victimized.

Summary

Businesses, Internet companies, technology providers, legislators, regulating agencies and consumers together must create a “tackle box” containing multiple tools. If we begin to address both the technology and human components and work together to change processes starting today, then tomorrow we can reduce the number of holes fraudsters use to their advantage. And, if we aggressively continue our charge, someday we may even be able to completely sever phishing lines so that there is no bait, no hook, no net and no victims.

[Followed by 27 end notes — FTC, FDIC, ISP, software development, tech research, media and trade publication sources]

About the Author

John Tomaszewski is the Chief Privacy Officer for CheckFree, the leader in electronic billing and payment. In this role he is responsible for developing, implementing and maintaining CheckFree’s privacy program…

About CheckFree

Founded in 1981, CheckFree Corporation (NASDAQ: CKFR) provides financial electronic commerce services and products to organizations around the world. CheckFree solutions enable thousands of financial services providers and billing partners to offer their customers the convenience of receiving and paying their household bills online or through retail outlets. CheckFree also offers a broad range of investment management solutions and outsourced services to thousands of financial services organizations, which manage more than $1 trillion in assets. CheckFree provides bank payment processing, compliance, operational risk management, financial messaging and corporate actions solutions to maximize operational efficiency and minimize risk for global financial institutions and corporations. For more information, visit...

 


Medium: Print — White Paper