These days, computer users are online not only for longer periods of time and more frequently, but they are also conducting more important transactions via email and the Internet. Activities like banking online, trading stock, purchasing products and services, and managing personal accounts through websites are becoming more common. While the Internet makes conducting such activities more convenient, it has also opened up a new form of fraud that scammers are taking advantage of in increasing numbers. As a result, online fraud is becoming a growing problem - not only for consumers but for enterprises as well.

Due to the nature of their business, banks and financial institutions are the prime targets of online fraudsters. Online fraud is the act of using the Internet to steal personal information or money from computer users. There are different types of online fraud, such as phishing attacks, spyware, Trojan horses and key loggers, online money scams and computer diallers.

One of the latest schemes that targets online banking and transactions and is called phishing.

Phishing is an online scam where fraudsters send millions of emails to random accounts. The emails appear to come from popular web sites or from the user’s bank, credit card company, email provider or Internet service provider. The emails often inform users that the company needs personal information, such as their credit card number or password, to update their account. Many times, the emails include a URL link that takes consumers to what appears to be a legitimate website. However, the site is actually a fake or “spoofed” website. Once consumers are on this spoofed site, they are asked to enter personal information that is transmitted to the phisher.

The problem is continuing to escalate. According to Symantec Corporation, the monthly volume of phishing emails increased nearly 10 times during the past nine months to 3.1 billion emails worldwide in April 2004. This equates to 1 in 20 emails sent. At the same time, Gartner reported in May 2004 that if phishing attacks continue it will have a serious impact on e-commerce and online transactions in general.

Why should enterprises be concerned about phishing?

Phishing is an issue that affects both consumers and enterprises. Companies should be concerned about phishing because their customers’ accounts could be compromised by these scammers. Not only can this cause financial harm to consumers, but it also hurts their business. The use of a company’s name in a phishing scam can weaken the company’s credibility and diminish the value of its brand. Phishing emails are also making their way into enterprise desktops, which not only makes employees’ personal information vulnerable to fraudsters, but it also opens up the possibility of confidential corporate data from being shared with phishers.

Concerns about falling victim to phishing scams are eroding consumer confidence in online banking and e-commerce. A recent survey in the United States found that three in four consumers said they were less likely to shop online because of phishing. 75 percent are less likely to respond to an email from their bank and over 65 percent said they were less likely to sign up or continue to use their bank’s online services as a result of fraud fears. Only 30 percent were confident that they could distinguish between a real email and a fraudulent one.

Unless companies take action to protect their customers from phishers Gartner predicts that the recent growth in online sales, 20 percent annually, will halve by 2007. Many banks are now focusing on fraud prevention and detection due to the growing trend in electronic fraud.

What can enterprises do to protect their brand and customers?

Enterprises can take proactive steps to protect their company and the consumers who trust their brand. First, they should define consistent policies for contacting customers via email. These policies should be clearly communicated to employees and customers. Enterprises should also set up a contact point, whether it be an email address, web page or phone number, where customers can report fraud. In addition, enterprises should look into setting up “honeypot” email accounts to trace phishing attacks that use the company’s name. In the event that a phishing attack is discovered, enterprises should immediately notify authorities and customers. If a website is involved, they should request that the host ISP remove the site.

Other consistent corporate policies to consider are:

• Don’t include embedded hyperlinks in any company emails to customers
• Avoid email forms as phishers can use these to collect personal customer information
• Use digital signatures so customers can automatically verify a genuine email
• Communicate these policies to customers and employees on a regular basis to reinforce the message
• Personalise all emails to customers
• Register domain names that are similar to your own so that these are not available to phishers e.g. mybank.com, mybank.com.au, mybank.co.nz, mybankltd.com, mybankonline.com, mybanksecurity.com.

Another way enterprises can protect themselves is to provide their customers with secure online commerce facilities. To help enterprises to protect their gateways, they should:

• Use antivirus filtering to stay protected from phishing attacks which may contain malicious code such as Trojans and keylogging software
• Install antispam filter to prevent phishing emails from reaching users
• If an organisation knows of a phishing website use content filtering to block access to the site from network - this protects network users from accessing phishing sites
• Block delivery of sensitive information to malicious websites to prevent employees from divulging sensitive personal or company information to phishers.

Educate your customers

Effective security management is done through a combination of right technology, experienced people and proven processes. Educating your customers is therefore key to combat the rising number of online frauds. Banks, financial institutions and online retailers should therefore advise their customers to:

• Always access Internet banking by typing the bank’s address into your web browser. Never go to a website from a link in an email and enter personal details. If in doubt, contact the bank separately by phone.
• Keep passwords and PINs safe. Be wary of unsolicited emails or calls asking you to disclose any personal details or card numbers. Keep this information secret. Your bank or the police would never ask you to disclose your PIN or password information.
• Don’t be conned by emails offering you the chance to make some easy money. If it looks too good to be true, it probably is.
• Use up-to-date antivirus software, security patches and a personal firewall.
• Check your bank’s website as it will have information about how to stay safe online.
• Check your bank statement. If you notice something irregular on your account contact your bank immediately.

What happens next?

A useful reference site is the Anti-phishing Working Group which is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organisation provides a forum to discuss phishing issues, trials and evaluations of potential technology solutions and access to a centralised repository of phishing attacks. Further information is available at www.antiphishing.org.

Failure to take action against online fraud can be costly resulting in financial loss and customer confidence, not to mention legal liability. In the ever-increasing threat environment today, enterprises can’t afford to settle for less. There are plenty of phishers trawling for victims on the Internet. Don’t let your enterprise or your customers get caught in the net.