Lost Dollars, Lost Trust

While early phishing attempts were crude, with telltale misspellings and poor grammar, phishing e-mails have become remarkably sophisticated in recent months, sending recipients to fake sites that are replicas of the sites they're spoofing. Fake status bars make it look like a Web site is secure, or e-mails and Web pages contain viruses with keystroke loggers that capture customers' online banking passwords. Plausible-looking "cousin" domains like aolaccountupdate.com or mycitibank.net are registered by would-be thieves, not AOL or Citibank. E-mail links send customers to fake log-in pages that use a phished company's logo and images. Phishers even direct recipients to a company's real Web site, but then collect their personal data through a faux pop-up window that ships it to a server overseas.

"I've been to meetings of industry experts where it's taken them minutes of studying an e-mail from a phisher site to determine that it's not the actual site," says John Curran, supervisory special agent with the FBI's Internet Crime Complaint Centre. "You can't expect the average person surfing the Internet or doing online banking to be suspicious of an e-mail that convincing.''

The cost of an attack can add up quickly. Companies that are targets must deal with huge spikes in call centre volumes as customers call either to voice their suspicions or question why the company needs their account data. APWG's Jevans knows of one financial services company that received 70,000 calls an hour for 12 hours when it was hit with its first phishing attack. In addition, companies must alert consumers, work with ISPs to shut down the phisher site quickly and follow up with law enforcement to try to nab the perpetrators. For customers who fall for a phisher's lure, companies must also reset their passwords and help them deal with the repercussions of any phishing-related fraud.

Potential losses are particularly high for financial institutions since they must also absorb the cost of any resulting fraud. Litan's research revealed that of Internet users who gave personal information to phishing sites, more than half became victims of identity theft fraud. She estimates that phishing-related fraud cost banks and card issuers $US1.2 billion last year. Accurate metrics are tough to pin down because companies don't want their competitors - or customers - to know the extent of the problem. (Citibank, for instance, is so sensitive about the problem that it won't even share its phish-fighting remedies.)

The damage goes beyond dollar losses. Some customers may feel so spooked that they no longer want to do business with the company. "It's a question of trust, a question of brand," says Tom Salmond, who manages the E-Banking Fraud Liaison Group at the Association for Payment Clearing Services (APACS), a trade association of UK financial institutions.

Litan warns that phishing and similar attacks could slow the growth of e-commerce in the United States alone by 1 percent to 2 percent in 2005. "The impact is that no one can trust Internet communication any more," she says. "The whole promise of e-commerce - to lower costs, increase revenue and launch [tailored] marketing campaigns more quickly - all that goes out the window if consumers don't trust e-mail communications."

You Can't Wait for Sender Authentication

One reason phishing e-mails are so convincing is that more than 90 percent of them forge the "from" line so that the message looks like it's from the spoofed company. If e-mail gateways could verify that messages purporting to be from, say, Citibank did in fact originate from a legitimate Citibank server, messages from spoofed addresses could be automatically tagged as fraudulent spam and thus weeded out. (Before delivering a message, an ISP would compare the IP address of the server sending the message to a list of valid addresses for the sending domain, much the same way an ISP looks up the IP address of a domain to send a message. Litan calls such enabling technology the equivalent of caller ID for the Internet.)

Although the concept is straightforward, implementation has been slowed because the major Internet players have different ideas about how to tackle the problem. Microsoft developed a real-time address verification standard known as Caller ID, while EarthLink and AOL have been pushing the Sender Policy Framework (SPF) approach. Yahoo came up with a third standard, called DomainKeys. In May, the Caller ID and SPF standards merged into Sender ID. A month later, AOL, EarthLink, Microsoft and Yahoo agreed to test each other's standards. Although antiphishing advocates are cheered by this level of cooperation, it will take at least a year - and possibly as long as five to seven years - before all the details are ironed out and the standard is implemented. That implementation requires upgrades to Internet domain servers, e-mail and browser software.

"The only downside is that every mail server in the world has to get upgraded," says Jevans. "How long is that going to take?"