Online identity theft, known as phishing, has grown exponentially in recent months, and experts say that should concern marketers.
In October, 6,597 new, unique phishing e-mail messages were recorded. That was more than three times the number in August, for an average monthly growth rate of 36% since July, according to the Anti-Phishing Working Group's October "Phishing Activity Trends Report." An industry association, the working group is focused on educating companies about eliminating identity theft and fraud perpetrated by phishers and spoofers. Formed in October 2003, the group claims more than 1,000 individual members representing about 650 corporations.
Just last week, another group, led by Microsoft Corp., launched a collaborative enforcement process for netting phishers.
Called Digital PhishNet, the initiative is supported by a wide swath of stakeholders: America Online, Digital River, EarthLink, Lycos, Microsoft, Network Solutions, VeriSign, the Federal Bureau of Investigation, the Federal Trade Commission, the U.S. Postal Inspection Service and even the U.S. Secret Service.
law enforcement link
The PhishNet establishes a single line of communication between industry and law enforcement so that data from phishing attacks can be passed on to the authorities in real time. Members are expected to contribute to the phishing data repository by reporting phishing incidents and assisting law enforcement with active investigations.
"With the industry working so well to solve the problem together and creating solutions everyone can use, we're making it harder for phishers," said Mary Youngblood, customer security strategist at EarthLink.
EarthLink created a co-branded toolbar called Scam Blocker as one form of defense. The service, which is free, analyzes characteristics of a site's IP address and site content based on heuristics to determine whether it is potentially fraudulent or risky. It also runs the URL against a known list of fraudulent sites and blocks the phishing attack before it gets to the user's in-box. ISP EarthLink has a list of legitimate e-mail marketers, so-called "known good guys," to match against in-coming e-mail to EarthLink customers.
Big brand victims
Phishing has become a huge problem for a few very visible marketers. Citibank, eBay, PayPal and SunTrust bank are popular victims. In fact, 44 brands were hijacked by phishing campaigns in October, but the top 80% of campaigns targeted just six brands, according to the APWG report.
Although it seems to be most troublesome for that unlucky handful of marketers, phishing is or will become a problem for all marketers, experts say.
"All stakeholders in the industry need to understand we have got to solve this problem," said Dave Lewis, VP-deliverability, management and ISP relations at Digital Impact.
Part of that marketing danger is loss of confidence in the entire e-mail medium on the part of users. Lewis said customers are now wary about opening legitimate e-mail sent by "a company who has been phished a lot, like PayPal or eBay or Citibank." "They don't know whether they trust it," he said.
Others agreed. "If there's any loss of confidence in the medium then the whole industry suffers," Youngblood said. Dave Jevans, chairman of the Anti-Phishing Working Group and its founder, echoed that sentiment. "The biggest threat is that people won't trust any online marketing that they get," he said. "B-to-b marketers need to know how to send e-mail that doesn't look like phishing."
Quinn Jalli, Digital Impact's director of ISP relations and privacy, said phishing in 2003 managed to siphon $1.2 billion from its unsuspecting victims. What was a minor problem 12 months ago has ballooned tremendously, he said, adding that b-to-b marketers have already been the target of phishers.
"There are certainly targeted attacks at people who work at companies," Jevans said. "People are sending e-mails to that company, trying to steal access credentials within that company. There's a lot of concern in b-to-b because there are a lot of bank services and portals that could be vulnerable."
Phishers who targeted one company this past year were arrested and prosecuted in federal court. DealerTrack, a Web-based automotive financing processor that serves more than 24,000 dealers and over 90 banks and financing sources, was a victim of what is known as "lobster-pot phishing" in which phishers set up a fake site.
"They set up a Web site that looks similar and, rather than [phishing] through spam, they'll wait for someone to mistype a domain name ... or put it in search engines so that people link to it that way," Jevans said.
In doing so, they were able to get a dealer employee's password and gained access to DealerTrack to steal account information.
Jevans said phishers are also trolling for bank account information on corporations, which allows them to commit fraud against any kind of direct debit payment system. "It's hard to say on how big a scale, but it's certainly happening," he said. "We do see it."
Meanwhile, phishers are quickly becoming more sophisticated, experts say, finding new ways to separate people from their money electronically.
"Criminals have started partnering with hackers because there are financial gains," said Jevans. "There's much more planning and targeting. We're seeing a lot more convergence of phishers with people who write financial spyware and viruses."