Beware the "Phishermen"
By David H. Press
"Phishing," or stealing financial and personal information from consumers by sending out millions of "urgent" e-mails and directing them to fake Web sites, is growing at an alarming rate.
When fraudsters go phishing, consumers receive an e-mail purportedly from a reputable company, such as a bank, directing them to the phisher's Web site, which looks a lot like the bank's site. The consumers are then asked on some pretext to submit, or resubmit, personal information. The phisher gets the unsuspecting consumers to divulge information including Social Security numbers, credit card numbers with CVV2 or CVC2 information, PINs, etc.
The crooks now have enough of the consumers' personal information to get additional credit card accounts and to use for other identity theft schemes. They can also use the information to initiate fraudulent transactions with merchants or convert the information to cash through collusive merchant accounts.
This becomes a big problem for acquirers. The transactions are not swiped, and the risk of loss will be passed on to acquirers through chargebacks. MasterCard International categorizes these under Reason Code 37 (Card Not Present) and Visa U.S.A. uses Reason Code 61 (Fraudulent Mail/Phone Order Transaction) or Reason Code 75 (Cardholder Does Not Recognize Transaction) to explain the chargebacks.
Phishing is scaring consumers away from using online banking and other sites such as AOL, PayPal and eBay. The public has reason to be nervous. According to a recent Gartner, Inc. survey, roughly 57 million Americans think they have received a phishing e-mail.
This is a relatively recent scam just beginning to emerge as one more way crooks in the 21st century take what doesn't belong to them. Seventy-six percent of the communications arrived in the past six months, with nearly all of them arriving in the past year. Phishing scams in April 2004 alone were up 180% from March (1,125 different scams vs. 402), according to the consumer advocacy organization, Anti-Phishing Working Group.
In one phishing expedition, consumers received e-mails claiming to be from www.regulations.gov, a site supposedly sponsored by the federal government to allow consumers to comment on legislation. The subject lines in the e-mails typically read, "Official information," or "Urgent information to all credit card holders!" The text in the e-mails claimed that recent changes in the law require Internet users to identify themselves to the government to "create a secure and safer Internet community." The e-mails included a link to the regulations.gov site and asked readers to provide their personal financial information. (At press time, the site was still live.)
No real technological solution to stop phishing has been available, but it was one of the topics covered at MasterCard's Global Risk Management Symposium 2004, held June 21 - 24 in San Diego. During the conference, MasterCard and NameProtect, a digital fraud detection company, announced a partnership that will take a step in that direction. MasterCard will leverage NameProtect's technology to detect online scams in real time.
Still, most business-to-consumer e-mail and Web channels have not addressed this new and growing problem. Businesses with Web sites must strengthen trust in using the Internet by authenticating both service providers and consumers. User passwords don't do anything to verify a service provider's authenticity to the consumer. Further, it may not make sense to spend a lot of time and resources installing a system that attacks only phishing, because the crooks are sure to move on to a new form of attack.
Companies can use lists of known phishing or hacker sites to infer that those not listed are trustworthy. eBay makes use of such blacklists; the online auction site populates a toolbar with known phishing sites to warn users if they are at imposter sites.
eBay has also added another new feature to its toolbar. "Account Guard" helps users protect their eBay account information and warns users when they're on a potentially fraudulent (spoof) site. eBay users can report phishing sites at a specific Web site set up for that purpose.
But by the time a Web site is included on a blacklist, it may be too late, and lists like these do little to protect the most gullible and unsophisticated consumers. Companies that have fallen victim to phishers, including Citibank, one of the most frequently phished sites, and PayPal, offer security tips on their Web sites. Consumers can also visit the Federal Trade Commission's (FTC) Identity Theft Web site to file a complaint and learn more about how to minimize the risk of damage from identity theft.
Some experts say that in the long run, the Internet needs to incorporate a system to ensure the same level of trust that caller ID provides for telephone service. However, this would require changes in Internet infrastructure at the network, service provider and user levels.
Considering what they're up against, how do acquirers prevent and stop fraud? How much investigating should processors do before signing merchants? Three merchant processors recently took a hit in the case of Pharmacycards.com, an online business claiming to be legitimately selling discount drug cards. Instead, this fraudulent site actually used 90,000 checking account numbers to set up unauthorized debits from consumers' accounts.
Perhaps the processors could have discovered the Pharmacycards.com scam by simply checking out its Web site, or by contacting its "listed partners," including Wal-Mart Stores, Inc.; Eckerd Corp.; Target Corp. and Rite Aid Corp. Clearly, acquirers' underwriting departments need to be diligent and creative when approving Internet merchants.
It seems that fraudsters increasingly use the ACH network to enact their schemes. Though Pharmacycards.com used paper drafts (non-signed checks generally used for recurring payments) for most of the $3 million it debited from consumers' checking accounts, it also made use of the ACH for its fraudulent activities. The relative simplicity of using the ACH network makes it an easy mark for the fraudsters; not enough controls are built into the system to thwart fraud in Web transactions. Also, no mechanism is in place for validating Internet purchases by merely supplying account and routing numbers.
If something isn't done to stop this problem, either through involvement by government agencies or industry groups, banks may be forced to use stronger authentication such as smart cards, Universal Serial Bus tokens, or even biometric tools to validate and support their legitimate online customers.
David H. Press is Principal and President of Integrity Bankcard Consultants, Inc. E-mail him at dhp@integritybankcard.net, phone him at 630-637-4010 or visit www.integritybankcard.net.