Fighting Phish, Fakes and Frauds

Companies on the front lines of the phishing wars share tactics for making their sites spoof-proof and protecting online transactions.

Reader ROI

  • Why phishing is a major threat to future e-commerce
  • How you can protect your employees and customers from phish attacks
  • What you can do to make your Web site a difficult target

On June 25, an e-mail that appeared to be from the PayPal Support Centre asked members of the online payment service to update their account information to protect themselves from fraud. Failure to update records by July 15, the message read, would result in account suspension. Recipients who clicked on the embedded link encountered a familiar PayPal log-in screen, then an announcement of a new immediate payment option as well as a ho-hum notification of changes to PayPal's user agreement and privacy policy.

All standard PayPal fare. So, few customers would have thought twice about filling in the online form that followed - even though it asked them to cough up their e-mail address and PayPal password, credit card number and expiration date, billing address and phone number, cheque account number, ATM code, Social Security number, birth date and mother's maiden name. Upon hitting the "Continue" button, the PayPal member would have been greeted with an "Updating Your Account" screen for a few seconds before landing on a replica of a general PayPal page.

It was all so convincing that respondents might never have suspected that the online form they just completed was on its way to a crook in Seoul. Those who did reply gave away access to their PayPal account, credit card and cheque accounts, and quite possibly enough information for the fraudster to take out a second mortgage on their homes.
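The lure described above has traits a mail gateway can check mechanically on the receiving side. The following is an added example, not code from the article or from PayPal: a small Python heuristic that flags links whose target host is off the claimed brand's domain, link text that displays the brand while pointing elsewhere, urgency language, and requests for credentials or identity data. The sample e-mail body is constructed for illustration and uses a documentation IP address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure traits the article describes: a spoofed link, an urgency deadline,
# and a request for credentials or identity data.
URGENCY = re.compile(r"suspend|suspension|within \d+ (?:hours|days)|immediately", re.I)
SENSITIVE = re.compile(r"password|social security|mother's maiden|atm code|card number", re.I)

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_brand_domain(host, brand):
    """True when host is the brand's domain or a subdomain of it."""
    host = host.lower()
    return host == brand or host.endswith("." + brand)

def score_lure(html_body, brand):
    """Return (score, reasons) for an e-mail that claims to come from `brand`."""
    parser = _Links(); parser.feed(html_body)
    reasons = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if on_brand_domain(host, brand):
            continue
        reasons.append(f"link target {host!r} is not on {brand}")
        if brand in text.lower():  # text shows the brand, href goes elsewhere
            reasons.append(f"link text {text!r} masks target {host!r}")
    plain = re.sub(r"<[^>]+>", " ", html_body)
    if URGENCY.search(plain):
        reasons.append("urgency/suspension language")
    if SENSITIVE.search(plain):
        reasons.append("asks for credentials or identity data")
    return len(reasons), reasons

# Constructed sample modelled on the lure described in the article (not the real message).
SAMPLE_LURE = """<p>Dear PayPal member, please update your account information.
Failure to update your records by July 15 will result in account suspension.</p>
<p><a href="http://203.0.113.9/webscr">https://www.paypal.com/update</a></p>
<p>Confirm your password and ATM code to keep your account active.</p>"""

if __name__ == "__main__":
    print(score_lure(SAMPLE_LURE, "paypal.com"))
```

A score of 0 means no trait fired; in practice such heuristics feed a quarantine decision alongside sender authentication rather than acting alone.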

The Internet makes identity theft almost laughably easy. Phishing - or the practice of sending e-mails and using fake Web sites that spoof a legitimate business in order to dupe unsuspecting customers into sharing personal and financial data - requires minimal effort and capital. "A lot of drug lords are getting into phishing," says Avivah Litan, a vice president and research director at Gartner. "They set up phishing rings because it's easier and more lucrative than selling cocaine."

Not surprisingly, the incidence of phishing is growing at an alarming rate. In June, the Anti-Phishing Working Group (APWG), an industry group, counted 1422 phishing attacks - more than 12 times the number of attacks reported in December. So far, phishers have mostly targeted customers of large banks, credit card companies, online payment services, ISPs and online retailers. In June, Citibank alone was the target of 492 attacks, and eBay experienced 285 attacks. PayPal was targeted 42 times in February, 63 in March, 135 in April, 149 in May and 163 in June. But any company with a recognizable brand name could very well become the next target. Government agencies, including the IRS and the FBI in the US, have been spoofed by phishers eager to capitalize on governmental authority to make an easy profit. In fact, even internal corporate data is becoming a target for phishers, as executives at Wyndham International discovered when a message purporting to be from the hotel chain's IT department asked employees to verify their corporate passwords.

"Spoofing is a threat to any company with a sizeable customer base," says Ken Miller, vice president of risk management at PayPal. "Every CIO needs to be aware of this issue."

Indeed, phishing has scared some consumers so badly that they say they're not going to bank online any more, says Dave Jevans, APWG chairman. Although technological solutions are on the horizon, they won't be in place for at least a year, and quite likely not for two or three. In the meantime, there are measures CIOs can put in place to staunch the billions of dollars in potential losses to their customers and companies. Here's a look at the current state of phishing, why it's such a serious threat to e-commerce and what companies on the front lines are doing to minimize the risk to their customers and brands.

Comments

1

boks

Wed 05/05/2010 - 20:28

As for me, I use ProteMac LoginTrap for identity theft protection.
