Hook, line and sinker: life insurers and their policyholders could be the next targets of online phishing scams.
These fraudulent e-mails are being sent as part of phishing scams that are sweeping the nation. Like the recreational sport in which fishermen enjoy the lure of catching fin-tailed aquatic vertebrates, the fraudulent practice of phishing is also out to lure--but in this case the targets are unsuspecting victims asked to divulge personal information. Within minutes, phishers can con individuals into fraudulent Web sites, steal their account information and forge checks, transfer funds or make purchases. Webopedia defines phishing as "the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft."
In 2004, phishing attacks were up 4,000%, costing consumers up to $1.5 billion, according to a CBS News report. Banks, credit card companies, Internet service providers and online auctions have been among the hardest hit industries thus far, but some industry experts believe insurers and their clients are potential targets.
Investment product Web sites may be just the lure phishers are looking for, and some life and annuity writers are taking action to prevent such events from happening. Many not only are protecting their internal systems, but also are looking to launch educational campaigns via mail and company Web sites to inform customers, consumers and associates about the potential dangers that lurk in the murky waters of phishing.
Phishing is the newest scam to hit the identity theft arena and is becoming what Microsoft Corp. calls "the fastest-growing form of online fraud in the world today."
Companies are concerned that phishing will take a toll on consumers' confidence in conducting business online. "This is something the financial industry fears the most because it will keep people away from the online channel and drive them to more expensive channels, such as call centers," said Avivah Litan, a research director for Gartner. Companies may incur costs of $12 to $15 per call into a call center, as opposed to just pennies for interaction via the Internet, she added.
"We're just at the point where customers, agents and consumers are comfortable doing business over the Web, but these attacks can only hurt you, particularly if consumers lose trust in e-commerce," said Kevin Murray, chief information officer for Axa Financial. Therefore, it's important that companies implement strategies that authenticate themselves to consumers and customers.
In a recent poll of more than 5,000 U.S. adult online users, Gartner found that 57 million Americans have been, or think they have been, the victim of a phishing attack. In all, 30 million were positive, while 27 million weren't sure. About 19%, or 11 million, of those attacked fell for the scams and said they'd clicked on the link in the phishing e-mail. Almost 2 million, or about 3% of those attacked, reported that they actually divulged sensitive information, such as credit card numbers, by filling in a form on the spoofed Web site.
"I'm afraid that unless something is done globally, which is going to be very difficult to do, these phishing, virus and malware attacks may be the death knell of the Internet as we know it today," said Timo Kokko, vice president of information technology support services for Jackson National Life Insurance.
Litan sees a similar trend. While the 20% annual growth rate of online sales continues to decline, Litan believes the numbers could bottom out even faster because of phishing attacks. She estimated that by 2007, growth of U.S. e-commerce may slow to 10% or less.
But consumer confidence isn't the only damage phishing causes--the attacks also are generating lost dollars. Gartner said that about $1.2 billion was lost by phishing victims in 2004, although it wasn't clear how much of that loss was directly attributable to phishing attacks. Companies also are feeling the effects. "Today alone we received more than 200,000 spam messages" said Kokko. "Industry research says that spam costs about $1 per spam, so that would have cost us $200,000 in just one day had we not had an active anti-spam program."
Reeling Them In
Corporations such as Citibank, eBay, AT&T, Amazon.com and Earthlink have been targeted by phishers over the past several years. While insurers have remained relatively unscathed from the scams thus far, some industry experts believe that soon may change.
"The motivation behind phishing is fraud, but will this impact more than just banking? There is talk in the industry that investment, insurance and retail are areas that could be the next potential targets," said Wen Tseng, vice president of corporate information security for Washington Mutual.
Phishing concerns among life and annuity writers are across the board, said Todd A. Silverhart, assistant vice president and director of technology in marketing and distribution research for Limra International. While some carriers don't view phishing as a threat, others are monitoring for suspicious activity in their spam filters and e-mail systems, and some that are most concerned are being much more proactive in guarding against potential attacks. "The general overall feeling is that there's not a huge threat now but, as the amount of e-commerce transactions increase, so will the potential liability," Silverhart said.
In addition to securing their internal systems and firewalls to prevent becoming a beacon for phishers, some life and annuity insurers and most financial institutions are educating, or plan to educate, customers and employees about the pitfalls of phishing through mailings and company Web sites. Jackson National Life Insurance, for instance, is seriously considering placing a phishing alert on its Web site home page for consumer education.
"Financial institutions are really starting to think about this now and recognizing that they don't have a ready solution against it," said David Cameron, vice president of marketing and product integration for Burlington, Mass.-based AptSoft, an enterprise software company. "For many, their first line of defense has been education."
Washington Mutual has taken its education to the Web. Along with other security tips on its Web site, the company provides a definition of phishing, what consumers should look for to spot a scam, how to decrease their risk of becoming a victim, how to report an online scam, a list of recent phishing attacks and where to seek further information about the scams.
Because phishing also may hit a business within its own walls, some companies are making employee education part of their anti-phishing initiative. "We're just getting to the stage where we're saying to people that it's fine to make security tight, but when such a large proportion of security breaches come from within an organization, you have to link security and technology with what people are doing and how you are defining and running the policy," said Andrew Kellett, senior research analyst with Butler Group, a European independent IT research and analysis company and a wholly owned subsidiary of Datamonitor plc. "People have to understand what their responsibilities are within the organization, so they don't give out passwords to anyone or provide third parties with information from within the company unless they've been cleared or it's written down in a policy."
Fighting the Phishers
Technology plays an important role in the fight against phishers. AptSoft Director, for example, uses complex event processing technology to track fraudulent activity. Most anti-fraud systems focus on transaction activities such as counterfeiting and credit card theft, but phishing involves benign, nontransaction events, including legitimate activities such as opening a new credit card account or changing a password--events not typically detected by anti-fraud technology, said Cameron. AptSoft Director tracks repeated patterns of activity and outcomes for the same entity over time and automates a coordinated reaction to those deemed suspicious.
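As an added illustration of the pattern-over-time approach described above (example code written for this page, not AptSoft's product or any of its logic): a small Python correlator reads a constructed event log in which every event is benign on its own, groups events per account, and flags an account only when a password change, an e-mail change and a funds transfer occur in that order within one hour. The log format, event names, window and pattern are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event stream (not real data): one benign-looking
# event per line, as a back-office system might log them.
SAMPLE_EVENTS = """\
2005-03-01T09:02:00 acct=1001 event=login ip=198.51.100.7
2005-03-01T09:05:00 acct=1001 event=password_change ip=198.51.100.7
2005-03-01T09:07:00 acct=1001 event=email_change ip=198.51.100.7
2005-03-01T09:20:00 acct=1001 event=funds_transfer ip=198.51.100.7
2005-03-01T10:00:00 acct=2002 event=login ip=203.0.113.5
2005-03-01T10:01:00 acct=2002 event=password_change ip=203.0.113.5
2005-03-03T11:00:00 acct=2002 event=funds_transfer ip=203.0.113.5
"""

# Each event alone is legitimate; the signal is this ordered sequence for
# one entity inside a short window (assumed pattern and window).
TAKEOVER_PATTERN = ["password_change", "email_change", "funds_transfer"]
WINDOW = timedelta(hours=1)

def parse_events(text):
    """Parse 'timestamp key=value ...' lines into sorted (ts, acct, event)."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["acct"], kv["event"]))
    return sorted(events)

def find_takeover_patterns(events, pattern=TAKEOVER_PATTERN, window=WINDOW):
    """Return {acct: [timestamps]} for accounts whose event history contains
    `pattern` in order with the whole sequence inside `window`."""
    by_acct = defaultdict(list)
    for ts, acct, name in events:
        by_acct[acct].append((ts, name))
    flagged = {}
    for acct, seq in by_acct.items():
        for i, (start, name) in enumerate(seq):
            if name != pattern[0]:
                continue  # a candidate sequence must begin with the first step
            matched, idx = [start], 1
            for ts, later in seq[i + 1:]:
                if ts - start > window:
                    break  # later events fall outside the correlation window
                if later == pattern[idx]:
                    matched.append(ts)
                    idx += 1
                    if idx == len(pattern):
                        flagged[acct] = matched
                        break
            if acct in flagged:
                break
    return flagged
```

Account 1001 completes the sequence in 15 minutes and is flagged; account 2002 changes its password and transfers funds two days apart with no e-mail change, so it is not.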
Other technology solutions and techniques also are being used to guard against phishing scams, said Litan. Several such solutions include back-end financial account takeover and fraud detection, content filtering and URL analysis, internal Web site analysis, customer authentication, device and network authentication, anti-spyware, brand monitoring, customer alert tools, comprehensive anti-phishing services and caller ID from the Internet.
Opinions differ on who ultimately must take responsibility for preventing phishing. "Financial institutions are now beginning to recognize that phishing is becoming not just the customer's problem but also the institution's problem," said Cameron. Although Congress hasn't yet acted on corporate accountability for identity theft, he added, there is increased pressure coming from states to make institutions accountable. "It's likely that in the future, institutions won't just be able to blame the consumer for falling for these scams. Instead, institutions will have to be more proactive in defending against the use of stolen identities to commit fraudulent transactions."
One U.S. senator, however, has drawn Congress into the fray. On Feb. 28, Sen. Patrick Leahy, D-Vt., who is sometimes referred to as the "cyber senator," introduced a bill to specifically outlaw phishing. If passed, the Anti-Phishing Act of 2005 would allow for a five-year jail term and a fine of up to $250,000 for anyone convicted of phishing or the related practice of pharming, in which users are illegally redirected to fraudulent Web sites. The bill is similar to the CAN-SPAM law, signed into law in 2003, which establishes a framework for consumers, businesses and families to combat unsolicited commercial spam.
In March, software giant Microsoft filed 117 federal lawsuits against unnamed defendants, accusing them of phishing. Through the "John Doe" lawsuits, filed in U.S. District Court in Washington state, the company attempted to establish connections between worldwide phishers and discover the largest-volume operators, according to a CNN report.
Many national insurers are members of BITS, a nonprofit, chief executive officer-driven financial-services-industry consortium whose members are 100 of the largest U.S. financial institutions. The organization's mission is to leverage the intellectual capital of its members, fostering collaboration to address emerging issues where financial services, technology and commerce intersect.
Phishing is one focus of the BITS Fraud Reduction Program. The Fraud Reduction Steering Committee has a number of working groups that explore various areas including phishing, identity theft, loan fraud and legal and regulatory issues. In addition, BITS recently built a Phishing Prevention and Investigation Network. The Network has a three-fold goal: to share information with institutions in order to get phishing sites shut down quickly, to share information with law enforcement so they have access to the information to catch and prosecute fraudsters, and to share information on domestic and international Internet service providers and Web administrators so institutions know whom to call when a phishing attack occurs, said Robin Slade, senior director of BITS.
In spite of numerous efforts to find them, phishers are not an easy catch. Only about one in 700 phishers is caught, said Gartner's Litan.
* A growing number of phishing scams are targeting individuals to obtain personal information.
* Phishing attacks were up 4,000% in 2004, costing consumers up to $1.5 billion.
* Insurers haven't been directly hit by phishing scams, but some industry experts believe they and their customers may become targets.
* Companies are relying on education and technology to ward off phishers.
Inside the Tackle Box: Phishing Facts
* 2,625: Number of active phishing sites reported in February 2005 to the Anti-Phishing Working Group
* United States: Country hosting the most phishing Web sites
* 5.7 days: Average time online for phishing Web sites
* 58%: Share of individuals who shop, bank or pay bills online who say they're concerned about the safety of their online information
* Feb. 28, 2005: The date the Anti-Phishing Act of 2005 was introduced by Sen. Patrick Leahy, D-Vt.
* Citibank: Organization most targeted by phishing attacks
* $1.2 billion: The amount of loss U.S. banks and credit card issuers suffered in 2003 due to identity theft fraud
* 1996: The year the word "phishing" was coined
* 57 million: Number of U.S. Internet users who said they have been targeted by phishers
Source: Anti-Phishing Working Group, Gartner Inc., Symantec Corp.
A School of Other Threats
Many in the industry believe the phishing season is far from over. Phishers continue to become more sophisticated and clever in their methods, said Timo Kokko, vice president of information technology support services for Jackson National Life Insurance. In fact, evidence suggests that some attacks are backed by organized crime. In addition, national laws won't completely resolve the problem. A growing number of phishing attacks are now being made across international boundaries from such countries as China, Korea, Brazil, Germany and Japan.
In addition, phishers may target more than individuals' e-mails. Pop-up ads, blogs and instant messages are other forms of e-commerce communication starting to be used to lure online users into phishing scams. Phishing now is beginning to morph into spyware, said Avivah Litan, a research director for Gartner.
"Social engineering techniques are getting much better now, so crooks understand consumers are aware of certain kinds of attacks so they're using other techniques, such as sending e-mails saying they've won the lottery or offering pharmaceuticals, to entice them," said Litan. Social engineering is the practice in which an attacker uses human interaction or social skills to obtain or compromise information about an organization or its computer systems.
But while phishing continues to grow, many companies believe other concerns may wreak even more havoc on the industry. Pharming and keylogging are among those concerns.
Some industry experts call pharming the new phishing. Pharming differs from phishing, however, because it's real-time and affects everyone who attempts to visit a targeted site. In March, at least 1,300 Internet domains were reported to be redirected to compromised Web servers in pharming scams, according to the SANS Institution, which provides information security training and certification.
Keylogging scams also are becoming more rampant. In keylogging, software is used to record keystrokes made on a computer, often to steal passwords. "To me, that's more dangerous because now you can get into my bank account, my password, see recent activities, funds transfer ... and that becomes a very serious thing," said Kevin Murray, chief information officer for Axa Financial. "People don't realize how easily they can be targeted if they simply click on the wrong Web site or URL."
Title Annotation: Technology: IT Security
Date: Jun 1, 2005