
Online Fraud

These days, computer users are online not only for longer periods of time and more frequently, but they are also conducting more important transactions via e-mail and the Internet. Activities like banking online, trading stock, purchasing products and services, and managing personal accounts through Web sites are becoming more common. While the Internet makes conducting such activities more convenient, it has also opened up a new form of fraud that scammers are taking advantage of in increasing numbers. As a result, online fraud is becoming a growing problem — not only for consumers but for enterprises as well.

What is online fraud?

Online fraud is the act of using the Internet to steal personal information or money from computer users. There are different types of online fraud, such as phishing attacks, spyware, Trojan horses and key loggers, online money scams, and computer dialers.

Is online fraud really an issue that computer users are concerned about?
The majority of consumers who use computers and the Internet are concerned about online fraud. A July 2004 survey conducted by Symantec and Insight Express found that 42.5 percent of respondents are very concerned about online fraud and 50.8 percent are somewhat concerned.

What's more alarming is that the majority of respondents have changed the way they use the Internet because of their concerns about online fraud. About 35 percent of people surveyed have definitely changed the way they use the Internet, and about 44 percent of respondents have somewhat changed their online behavior.

Phishing seems to be the most recent form of online fraud that is causing concern among consumers and enterprises. What is phishing?
Phishing is an online scam where fraudsters send millions of e-mails to random accounts. The e-mails appear to come from popular Web sites or from the consumer's bank, credit card company, e-mail provider, or Internet service provider. The e-mails often inform consumers that the company needs personal information, such as their credit card number or password, to update their account. Many times, the e-mails include a URL link that takes consumers to what appears to be a legitimate Web site. However, the site is actually a fake or "spoofed" Web site. Once consumers are on this spoofed site, they are asked to enter personal information that is transmitted to the phisher.

How large is the problem of phishing?
According to the Anti-Phishing Working Group (APWG), by hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to five percent of recipients to respond to them with personal information (May 2004). In fact, Gartner, Inc. has found that an estimated 57 million U.S. adults have received a phishing e-mail within the past year (May 2004).
The problem is continuing to escalate. The APWG found that unique phishing attacks have been growing at 110 percent per month, over the last six months, from 28 originally reported in November 2003 to 1,125 reported in April 2004. This represents an almost 4,000 percent growth over the past six months.

How can consumers distinguish legitimate e-mails and Web sites from phishing attacks?
Consumers should review their bank, credit card, and other service provider policies regarding how they contact customers to update account information and passwords. Most companies won't do this via e-mail. If, however, consumers receive an e-mail that they think is legitimate, they should contact the company by phone or go to the company's Web site by typing in the correct URL directly into their Internet browser to confirm the validity of the request. Consumers who do end up clicking on a URL link from an e-mail should check the validity of the Web site by looking for the yellow lock icon on the bottom status bar. They should then double-click on the lock icon to display the security certificate. The name following "issued to" should match the site that they think they are on. If the name differs, it may be a spoofed Web site. For added protection, consumers should also compare the URL listed on the top of their browser to the one listed at the bottom of the status bar. The URL on the bottom status bar should have the URL of the site that they are really on.
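The "issued to" comparison described above can also be done in code. The following is an added example, not part of the original article: the host names and both certificates are constructed samples, written in the dictionary shape that Python's `ssl.getpeercert()` returns.

```python
import socket
import ssl

def names_on_certificate(cert):
    """DNS names a certificate was issued to: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or '*.' wildcard covering exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        first, _, rest = h.partition(".")
        return bool(first) and rest == p[2:]
    return p == h

def issued_to_matches(cert, expected_host):
    """True if the certificate names the site the user believes they are on."""
    return any(name_matches(n, expected_host) for n in names_on_certificate(cert))

def fetch_certificate(host, port=443, timeout=5):
    """Certificate presented by the host actually connected to (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed certificates in the dict shape ssl.getpeercert() returns.
GENUINE = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "examplebank.test")),
}
SPOOFED = {  # valid for the look-alike host only, so the lock icon still shows
    "subject": ((("commonName", "www.examplebank.test.account-verify.example"),),),
    "subjectAltName": (("DNS", "www.examplebank.test.account-verify.example"),),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        ok = issued_to_matches(cert, "www.examplebank.test")
        print(f"{label}: issued to {names_on_certificate(cert)} -> match={ok}")
```

The comparison is always against the name the user expects, not the host in the link that was clicked.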

Can phishing violate federal criminal laws? If so, why haven't more phishers been caught?
Since phishers use false and fraudulent statements to deceive people into disclosing personal data, phishing scams may violate a variety of federal and state criminal statutes. However, the challenge for law enforcement is to track down phishers, which can be difficult due to techniques they use to mask a phishing e-mail's origin.

Why should enterprises be concerned about phishing?
Phishing is an issue that affects both consumers and enterprises. Companies should be concerned about phishing because their customers' accounts could be compromised by these scammers. Not only can this cause financial harm to consumers, but it also hurts the company's business. The use of a company's name in a phishing scam can weaken the company's credibility and diminish the value of its brand.

Phishing e-mails are also making their way onto enterprise desktops, which not only makes employees' personal information vulnerable to fraudsters but also opens up the possibility of confidential corporate data being shared with phishers.

What can consumers do to protect themselves from becoming victims of phishing scams and other forms of online fraud?
Consumers can follow best practices like making sure security patches on their systems are up-to-date, using antivirus and antispam software with updated definitions, refraining from providing personal information to suspicious e-mails and Web sites, thoroughly reading End User License Agreements (EULA) when downloading programs or purchasing items online, and creating secure passwords that are changed frequently. Consumers should also try to report phishing scams that they receive via e-mail to the company that is being "spoofed" so that the company can close down the fraudulent Web site or report the phisher to authorities.

What can consumers do if they have been victimized by online fraud?
Consumers should act immediately if they suspect that they have been victimized by online fraud. First, they should file a police report and submit a copy to their creditors. At least one of the three major credit bureaus should be contacted so that a fraud alert can be placed on their credit file. Any financial accounts that may have been tampered with or opened fraudulently should be closed. In addition, they should monitor their credit card and bank statements for fraudulent charges. Consumers can also file a complaint with the Federal Trade Commission (FTC) by visiting www.ftc.gov or calling (877) FTC-HELP. The FTC's Web site also has an identity theft affidavit that consumers can fill out to dispute new unauthorized accounts.

What can enterprises that are concerned about phishers using their company name to launch attacks do to protect their brand and customers?
Enterprises can take proactive steps to protect their company and the consumers who trust their brand. First, they should define consistent policies for contacting customers via e-mail. These policies should be clearly communicated to employees and customers. Enterprises should also set up a contact point, whether it be an e-mail address, Web page or phone number, where customers can report fraud. In addition, enterprises should look into setting up "honeypot" e-mail accounts to trace phishing attacks that use the company's name. In the event that a phishing attack is discovered, enterprises should immediately notify authorities and customers. If a Web site is involved, they should request that the host ISP remove the site. Enterprises in the U.S. can contact their local FBI office and the FBI Internet Fraud Complaint Center at www.ifccfbi.gov and the Federal Trade Commission. Companies in other countries can contact the national law enforcement agency that manages consumer fraud.
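One way to triage mail arriving at a "honeypot" account, as an added example that is not part of the original article: the company domain, brand wording and sample message are constructed assumptions. It flags messages that claim the brand but link to hosts outside the company's domains, which yields the site hosts to report to the hosting ISP.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

COMPANY_DOMAINS = {"examplebank.test"}   # assumption: domains the company owns
BRAND_WORDS = ("example bank",)          # assumption: how the brand is written

class _Links(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _is_company_host(host):
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)

def triage(raw_message):
    """Report a honeypot message that uses the brand but links elsewhere."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    claims_brand = any(w in str(msg.get("From", "")).lower() for w in BRAND_WORDS)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Links()
    parser.feed(body.get_content() if body else "")
    hosts = {urlsplit(h).hostname or "" for h in parser.hrefs}
    foreign = sorted(h for h in hosts if h and not _is_company_host(h))
    return {"claims_brand": claims_brand, "foreign_hosts": foreign,
            "report": claims_brand and bool(foreign)}

# Constructed sample: brand in the From name, link to a look-alike host.
SAMPLE = """\
From: "Example Bank Security" <alerts@mail-update.example>
To: honeypot@examplebank.test
Subject: Please update your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your account needs updating.
<a href="http://www.examplebank.test.account-verify.example/login">https://www.examplebank.test/login</a></p>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```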
