Fresh phish causes a stink for online banking users

12 May 2008

Internet phishing scams are at an all-time high and Irish banks are being targeted more closely than ever by fraudsters looking to make easy money.

This year alone, several online banking customers in Ireland have had money stolen from their accounts by criminals. The worrying thing is, fewer than half of all home internet users in this country know what ‘phishing’ even means.

The scam involves criminals sending emails that are designed to appear as if they are legitimate messages from a bank which ask for the recipient’s confidential password and login details – something a real bank would never do.

People who divulge their codes are at risk of having their accounts accessed and money stolen. This year has seen a marked increase in frauds specifically aimed at customers of Irish banks including AIB, Bank of Ireland, Ulster Bank and Permanent TSB.

Many of these emails are detected by or reported to the banks, but some are slipping through the net and some people have lost significant sums of money to internet fraudsters.

Bizarrely, a report from the respected security software firm RSA claimed Irish banks appeared as phishing targets for the first time last month. It’s puzzling because it’s a documented fact that Irish banks have been subject to phishing attempts since 2004.

Two years ago in one of the most successful online frauds to date, several Bank of Ireland customers had around €140,000 stolen after they revealed their bank details to email scammers.

This year alone, as overall phishing levels increase, AIB has already issued five separate public warnings on its website about attacks. “The number of attacks has certainly spiked this year,” confirmed Sean Jevons, head of e-channel development with AIB.

“We have had a small number of incidents where funds have been taken out of accounts.” Although he did not mention specific cases, Jevons said some accounts had four-figure sums withdrawn. Putting the figures in context, he said AIB has more than 500,000 internet banking customers and fewer than 20 had money stolen through phishing.

Permanent TSB’s worst fraud-related incident took place in January. Up to 40 bank customers of the bank’s office in Ballincollig, Co Cork were defrauded to the tune of around €40,000. Thieves were able to take the money having gained access to information about the customers’ laser cards, said Ray Gordon, a spokesman for Permanent TSB.

In both instances, the banks covered the cost so customers were not out of pocket, but understands the policy across most Irish banks is to evaluate phishing incidents on a case-by-case basis.

Understandably, the banks are also stepping up security to close down potential avenues of fraud. Last year Ulster Bank issued free ATM card readers to online banking customers. Without this equipment, phishers would not be able to move money from an account. The bank said it took the step specifically to prevent identity theft.

Permanent TSB has made a significant investment in security controls, through a combination of systems developed in-house and bought from product suppliers.

“We have quite sophisticated security software to identify unusual patterns of behaviour,” said Gordon, adding that this was what happened in Cork. He said that although the number of phishing attacks is increasing, “we’re better equipped to deal with them than maybe we were previously”.

However, as banks heighten security around their online services, the latest scams have become more sophisticated and the emails ask users to reveal additional details that could help thieves. AIB had previously introduced a code card as an extra level of security for making money transfers between accounts.

“Traditionally, we would have had phishing that went nowhere – the attackers got in to the account, but there was nothing they could do. This year, they’re looking for people’s code card digits,” Jevons said. “Thankfully most people look at those messages and say: ‘This is suspicious’.”

The problem is, not everyone will be so wary. Awareness of phishing is still relatively low in Ireland. According to research carried out by iReach for the makeITsecure campaign, only 44pc of Irish people said they understand or fully understand the term, with 7pc unsure and 34pc saying they don’t understand.

In addition, 60pc of people polled said they don’t use any kind of filtering software to protect against phishing. It must be said, this is an improvement on the last time a similar poll was conducted two years ago when just 31pc said they knew what phishing was.

Jevons emphasised that, relative to other forms of banking, online is very safe. He said AIB is constantly evaluating ways to make its internet service more secure. “The best protection is consumer awareness. If someone asks ‘How can I tell a real email from a fake email?’, we say: The fact that you’ve got an email is wrong.”

Customer vigilance becomes even more necessary because the nature of the crime makes it very difficult for police to catch the perpetrators.

“It’s a diversified, growing criminal enterprise that lives on the internet. It’s very innovative and it’s getting more ambitious,” said Peter Cassidy, secretary general of the Anti-Phishing Working Group in the US.

“Law enforcement is hampered from getting their hands on the guys who do this because the crimes by definition are trans-national. The difficulty is twofold: pursuing crimes over international frontiers and collecting data to see what crime is happening. As few as 28 gangs are responsible for almost all phishing attacks we see, but there’s a cloud of email and messaging activity and it’s really difficult to see which activity belongs to whom and to form a case.”

At a local level, Jevons said the annual makeITsecure awareness campaign needs to be more forceful in telling the public that phishing scams are a criminal activity.

“This is organised crime and they go to great lengths to generate these emails,” he said. Jevons called on makeITsecure’s organisers to use a harder-hitting message that would be a powerful deterrent to having people take bank emails at face value. “What the campaign hasn’t done is to take the example of someone who has had money stolen,” he said.

“The education has got to continue and develop to a point where it’s part of the normal protocols and people understand there are some things that banks won’t do, like asking people voluntarily for passwords,” added Gordon.

Part of the problem, said Cassidy, is that the diversity of online banking systems makes it difficult to come up with a consistent message. “With the ATM, getting consumers to protect themselves was pretty simple: no one needs to know your credit card and no one needs to know your PIN. The rule is beautifully elegant,” he said.

“It’s hard to come up with a simple elegant set of rules that covers all of the online user experience.” That said, Cassidy is optimistic that the problem can be tackled. Some banks are now using very sophisticated tools to track activity on accounts and they can very quickly spot unusual patterns that could indicate phishing.

“Those systems will become standard practice in banks around the world,” said Cassidy. “Best practices will roll out which will close the window of opportunity for the phishers.”

By Gordon Smith