Phishing for Customers

Phishing seeks to dupe your customers into disclosing account details and passwords. It's a new twist on an old crime. But what can your company do to fight the phishing menace?

Recently I received an email from my bank. It asked me to verify some minor account option, and gave me a link on which I could conveniently click to access their web site.

Now I should note that I am very much a “fraud-aware” computer user. Almost every day I get two or three emails from new friends in Nigeria or Sierra Leone who would like me to help them with lucrative if somewhat shady foreign exchange deals. Almost every week I win another lottery I didn't even know existed, and millions of dollars, pounds, and Swiss francs in unclaimed lottery winnings await me if I could just get round to emailing somebody with a few personal details.

So when the email arrived, I paid it more attention than most people. It claimed to be from my bank, but the mail headers indicated that another company I had never heard of had sent it. Some of the links in the email (it was in HTML) were to my bank, but others were to servers at the same mysterious company through which it was routed.

It didn't ask for personal details or ask me to verify my password. But it did ask me to take an action which would require that I logged in to my account. And there was the convenient HTML link apparently to the bank's website.

I was suspicious. I phoned the bank.

Was I the intended victim of a “phishing” scam, where someone impersonates a bank or other organization to obtain information and passwords?

I will return to that in a moment.

“Phishing” — extracting information (or money) from people by pretending to be someone else — isn't exactly a new kind of con. For years, con artists have persuaded their victims to part with money by pretending to be bank officials — the “bank examiner fraud” where the con artist pretends to be a bank examiner trying to catch a dishonest cashier is something of a classic. The telephone made fraud somewhat easier: it's easy to pretend to be anyone you like on the phone. “Social engineering” has entered the lexicon for the use of this skill for computer hacking purposes.

It is the internet, however, that has really made this type of fraud much easier. Before, you needed to use an actual bank (or something which looked like a bank) to pull off the con. It took considerable time, effort, and personal risk to impersonate bank officials. Now it's possible to create a plausible replica of a bank's website in a matter of hours.

Email has changed the economics of the fraud. Instead of painstakingly selecting a victim, the fraudster can now email a million random victims for just a few dollars. It probably takes no more than one gullible person who happens to have an account at the right bank for the fraudster to make a profit.

The international nature of the internet has also made tracking and prosecuting criminals for this type of crime that much more difficult. No longer is the con artist physically present: he or she is on another continent. The websites used to perpetrate the fraud can be located in a different country, and may appear and disappear within the space of a few hours. The sheer frequency of such phishing expeditions makes law enforcement difficult.

Generally, approaches which involve sending a million emails will come to the notice of the company concerned fairly fast. In this case the numbers work against the perpetrator. It only takes one person to recognize the fraud and alert the bank for the bank to become aware of the problem. Since typically the emails are not sent just to the bank's customers (that would be too expensive) but to people who will immediately recognize the email as fraudulent, the chances are the bank will hear about what is going on almost immediately.

But what happens then? Can we tell if any customers have disclosed accounts and passwords to the fraudsters before we manage to persuade someone to shut the fake website down? We can't. Do customers know they have disclosed their passwords? Not if the fraudster is competent in what he or she does.

So if you are a bank, or have confidential accounts, how do you deal with the risk of phishing?

  • Monitor for phishing emails. There are companies who will monitor junk email for references to your organization and alert you if your company name is mentioned.
  • Train call center operators. Call centers must know who to contact if someone calls in with a report of a fraudulent email.
  • Add a link to report fraudulent emails to your website. If I've received an obvious forgery of an email from a Citibank or an AOL, I need a way of reporting it without incurring long distance phone charges or hours on hold. Remember I might be in a different country on a different continent. My desire to spend money, time, or effort to help some corporation I've never heard of is probably somewhat limited.
  • Show users where they last logged in from on your website. That way they can, if so inclined, check for unauthorized account use and alert you of the problem.

None of these will be particularly effective, because by the time the alert has been raised, and any website linked to has been shut down, the fraud may well be complete.

Unfortunately, as with all cons, educating potential victims must be part of the solution.

  1. Don't send HTML emails. Send text. It may not look as pretty as your marketing department would like, but it works. In HTML I can make a link which looks like it is to, but in fact isn't. I can't cheat as blatantly in text — although I can still put or or in a text email and let an “intelligent” email program turn it into a link to the wrong site for me. (By the way, did you notice what was wrong with those well-known site names?)
  2. Never, ever ask users to click on a link in an email. Think about what you are training your customers to do if you do this.
  3. Make sure your users know about these policies. There's no point in having these policies if nobody knows about them.
  4. Don't break these rules. Never. No exceptions. If you break these rules, you are sending mixed messages to your customers.
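
As an added illustration (not part of the original article), the following Python check scans an HTML email for the trick described in point 1: anchors whose visible text names one host while the href actually points at another. It also flags any link whose real target is outside the organization's own hosts, which is exactly the pattern in the author's bank email. The sample message and host names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text names the bank, but the href
# goes to a third-party tracking host; the second link is genuine.
SAMPLE_HTML = """<html><body>
<p>Please verify your account option at
<a href="http://track.example-marketer.net/c?id=42">https://www.examplebank.com/login</a></p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help pages</a>.</p>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_suspicious_links(html, trusted_hosts):
    """Return (reason, visible text, real target host) for each suspect link.

    A link is suspect if its visible text looks like a URL or hostname that
    differs from the href's host, or if the href's host is not trusted."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        shown_host = shown.group(1) if shown else None
        if shown_host and shown_host != target:
            findings.append(("text/target mismatch", text, target))
        elif target and target not in trusted_hosts:
            findings.append(("untrusted host", text, target))
    return findings
```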

Which brings me back to the suspicious email from my bank.

Was it a phishing attempt? No. It turned out to be genuine. The bank had used a third-party email marketer to send email to all its customers. Links in the email were designed to check the effectiveness of the email, and were therefore to the marketing company, not to the bank.

The bank broke all the above rules.

What effect did sending out that email have?

  1. It taught its customers that emails that don't appear to be from the bank may actually be from the bank.
  2. It taught its customers to click on convenient HTML links in an email to access the bank's website.

If the bank's more gullible customers subsequently respond to “phishing” emails, the bank has itself to blame.

I wonder if one day the bank will hear that argument used against them in court.

25 February 2005
