Phishing: The new face of fraud

When banks began touting online banking roughly a decade ago, one of consumers' biggest concerns was security.

Gradually the public became assured enough about transferring funds and paying bills online that by last year, 44 percent of Internet users had tried online banking, according to a survey by the Pew Internet & American Life Project.

Now a scam called "phishing" threatens to undermine the trust banks have built about online banking.

Although most fraud against bank customers still happens through stolen wallets and other traditional methods, phishing is a criminal trick aimed at anyone with an e-mail account. With phishing, criminals send mass e-mails posing most often as messages from financial institutions and asking people to provide private information to bogus Web sites that appear to belong to a bank.

The e-mails reach many people who are not customers of the bank or other company being faked, but the idea is to reach some customers and hope that a fraction of them respond.

Many of the e-mails include official-looking logos and authoritative-sounding messages. A recent phishing scam targeted Washington Mutual customers with the promise that if they updated their personal records at the link provided, they would have no future problems with online service. There was also a threat that if they did not update their data within 48 hours, "your ability to use your online account will be restricted."

Banks worry that the intrusive e-mails will scare people away from online banking, which has become a convenient and inexpensive way for banks and customers to interact.

"Most banks spend more on washing windows than on money lost to phishing," said Jim Bruene, editor of the Online Banking Report, a Seattle-based newsletter. "But it is a huge issue in consumer confidence and the ability of a bank to market online and deal with a customer on the Internet."

Vast network of fraud

Phishing is one element in a vast criminal enterprise that can lead to identity theft and, ultimately, fraud involving checking accounts, credit cards and even home mortgages. Victims tell stories of painstaking months spent correcting damaged credit reports. Financial institutions, as well as retailers and e-tailers, have lost money to new and constantly morphing forms of electronic identity theft.

Larry Ponemon, founder and chairman of a research and consulting company in Tucson, Ariz., that specializes in privacy issues in the financial industry, knows of one victim who provided her debit-card number and PIN to phishers who began to steal small amounts from her account.

"Finally, someone said, 'Let's rob her blind,' and decided to clean out her account," Ponemon said.

Only a small percentage of targeted recipients take the bait. That's because many who receive such e-mail do not have accounts at the institutions being faked, and others have been alerted about phishing.

A study by the Ponemon Institute last fall found that about 16 percent of Internet users surveyed had given information to a bogus site. About 2 percent reported losing money because of it, with the average loss at $115.

Younger people were most likely to give data to a fake site, the study found. "They had a much more cavalier attitude," Ponemon said. "It could be that they don't have big bank accounts yet."

Estimates about how much money is lost to phishing vary, but most researchers agree it represents a small portion of overall consumer-fraud losses.

A phone survey released in January found that 1.7 percent of all identity-fraud cases could be traced to phishing. The average take was $2,320, considerably less than the overall average fraud loss of $5,686, according to the survey by the Better Business Bureau and Javelin Strategy & Research in Pleasanton, Calif.

Almost 29 percent of the identity fraud found in the phone survey came from lost or stolen wallets, checkbooks and credit cards.

"We're not saying there's not a real risk, but it's overhyped," said James Van Dyke, Javelin's founder.

Theft is more difficult now

It is difficult for most criminals to steal even after they gain access to accounts, particularly now that banks have caught on to phishing tactics.

In the early days of phishing for bank information, criminals used bill-payment systems to send money to themselves, said Avivah Litan, an analyst at Gartner. Most have stopped doing that because it is easily traced.

Now, once they have account data, they sometimes look in online accounts for images of canceled checks and use that information to create forged checks, something just as easily done by stealing someone's checkbook, but without the risk of being chased down the street.

The fraudulent e-mails and their Web links have stepped up requests for debit-card numbers and PINs, Litan said. And they ask for Social Security numbers, dates of birth and other information that can be used to create an identity with a combination of data from various individuals.

The few bank customers who type in their user names and passwords end up feeling violated, because they have unwittingly given criminals access to their accounts.

The small percentage of accounts that phishers ultimately crack make the scam lucrative enough to keep it up.

Growing Web presence

Phishing Web sites grew from about 161 in early October to 948 at the end of January, with about 80 percent mimicking financial-services sites, according to an industry association called the Anti-Phishing Working Group in Cambridge, Mass. The average phishing site is online for less than a week.

"It's virtually an epidemic, and it would be appropriate for them (banks) to become more proactive," said John Soma, executive director of the Privacy Foundation and a professor of law at the University of Denver.

He thinks banks should do more to alert potential victims, such as writing customers a letter warning them about phishing.

Dave Cullinane, chief information-security officer for Seattle-based Washington Mutual, the nation's largest thrift, agrees that "the best way to make it stop is by educating customers."

Phishers began targeting WaMu in earnest last October. "We search the Internet to find fraudulent sites and are working with a vendor that helps us shut them down," Cullinane said.

WaMu's vendor has international connections that can reach the owner of even a small Internet service provider halfway around the world to convince them that a site needs to be shut down.

Like other financial institutions, WaMu attempts to find the perpetrators and works closely with law enforcement. Company officials declined to discuss whether their efforts have led to prosecutions and said that penalties for this type of fraud depend on the country where the crime occurs, what can be proved and other factors.

The Washington House of Representatives this month passed a bill that would strengthen penalties against phishing.

WaMu displays a prominent alert on its home page warning about e-mail scams. Like many banks, it tells people never to disclose confidential information online or by phone unless the customer initiates contact.

Few customers "hooked"

Despite the onslaught of phishing, consumer fraud at WaMu has remained fairly flat, officials said. The thrift figures that a fraction of 1 percent of its customers give away personal information when they are phished.

Recently, phishing has begun to target smaller community banks, even though the chances of reaching their customers in a mass e-mail is slimmer, said Michael Jackson, associate director in supervision and consumer protection at the Federal Deposit Insurance Corp.

"At the beginning of 2004, phishing was relatively unknown," he said. "By the end of '04, it had become more sophisticated, and the population it went out to was very broad."

Melissa Allison: 206-464-3312 or mallison@seattletimes.com