How Phishing Threatens Banks’ Efforts to Rely More on E-Mail

Only one-fifth of financial institutions are using technologies that can authenticate e-mail messages, even though phishing attacks disproportionately affect banks and even though banks say they plan to rely more heavily on the e-mail channel to reach customers, a new research report says. Meanwhile, phishing attacks are not only increasing, they're affecting a wider array of businesses, including smaller institutions, according to the report, issued this week by Aite Group LLC, a Boston-based researcher. The number of reported attacks in the 12 months ended last November exceeded 350,000, an increase of about 100,000 over the one-year period ended in November 2006, according to statistics from the Anti-Phishing Working Group cited in the study. In the fourth quarter, payment services and the financial sector attracted 48% of the attacks, with payment services alone accounting for 12%. “The increased precision of phishing attacks has meant that fraudsters have moved down the food chain, viewing smaller financial institutions, such as credit unions, as targets,” says report author Nick Holland in the report. Some 25,683 reports of phishing were received by the APWG in December, according to the most recent report from the consortium of software vendors, payments networks, and law-enforcement agencies. This is up from 23,787 in December 2006. In phishing frauds, criminals send out e-mail blasts dressed up to look as if they come from a reputable source. The e-mails warn recipients of an “issue” they need to address, such as changing a user name and password, and contain a link to a bogus Web site where unwary consumers can enter their credentials. The proliferation of phishing is widely seen as undermining the online channel for banking and commerce. Even brands that have not been victimized could suffer if their e-mail messages come to be disregarded by wary consumers. Just 20% of banks covered by the Federal Deposit Insurance Corp. use technology that can increase recipients' assurance that e-mail messages are legitimate, the report says, relying on survey data from the Authentication and Online Trust Alliance. By contrast, 51% of Fortune 500 consumer companies do. Such technology, for example, allows recipients to check whether a given e-mail message comes from a trusted Internet Protocol address. The report attributes this low level of adoption to phishers' tendency to use big-bank brands in an effort to ensnare as many consumers as possible. Still, this relative safety for smaller institutions may prove illusory. “Given that larger banks are savvier and doing a better job of educating end users of the threat, the low-hanging fruit lies in more targeted attacks against smaller banks and credit unions that have yet to have their collective fingers burnt,” says Holland in the report. At the same time, banks say they plan to rely more and more on e-mail to reach current and prospective customers, the report says. Some 94% of banks surveyed by Aite between January and March said they already used e-mail alerts or had plans to. The corresponding figure for banks using or planning to use banner ads in e-mails was 72%. Aite received responses from 18 of the 60 largest banks by number of checking accounts. While the banks report 12% of active users of online banking are enrolled to receive alerts, they expect nearly one-third to be enrolled by the end of 2009. Such plans may run into problems as phishing attacks continue to proliferate, the report suggests. Seventy-eight percent of banks in Aite's survey report they are worried about phishing attacks, despite some success enjoyed by larger institutions in educating customers about the problem. “The fly in the ointment remains phishing as a means of undermining both e-mail and Web channels,” Holland says in the report. “Even for institutions that feel comfortable regarding their control of the e-mail channel, the uncontrollable nature of phishing looms over all such initiatives.”