Phishing, an online fraud aimed at gullible users, is now hurting enterprises' reputations and bottom lines.
"Phishing is a rapidly growing problem not just for consumers, but for enterprises as well," Matthew Moynahan, vice president for consumer products and solutions at Cupertino, Calif.-based Symantec Corp., testified at a recent California Senate hearing. "It is negatively impacting the way companies do business with their existing customers and threatens to damage consumer confidence in conducting business over the Internet. This confidence is critical to the continued growth of e-commerce."
A phishing scam can weaken a company's credibility and diminish the value of its brand. Another big issue for enterprises: e-mails making their way into corporate networks, gleaning passwords and account information, employees' personal information and confidential corporate data.
"Corporates stand to lose proprietary data because these scams can be perpetrated while employees work, harvesting corporate IDs and passwords, for example," said Frank Liddy, managing partner at Blue Bell, Penn.-based Unisys Corp.
In a white paper for Unisys, Ori Eisen, CEO and president of Phoenix-based The 41st Parameter, reported an increased use of key-logging malicious software and Trojans that transmit the captured information back to an attacker. Phishing scams have used these tactics both by exploiting software flaws and by providing links that download these programs when clicked.
And no longer are phishing scams targeting only clueless users. What used to consist of e-mail messages written in broken English has made the transition to highly polished copy that uses browser flaws to redirect Web traffic to spoofed sites, said Alfred Huger, senior director of engineering at Symantec Security Response.
A study in May by the Anti-Phishing Working Group (APWG) found that by hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them with personal information. APWG reported "unique phishing attacks have been growing at 110% per month, over the last six months, from 28 originally reported in November 2003 to 1,125 reported in April 2004. This represents an almost 4,000% growth over the past six months."
According to a survey conducted in July by Insight Express for Symantec, only 27.9% of Internet users are familiar with phishing scams, and 43.5% of respondents receive unsolicited e-mails requesting personal information several times a day. More than 44% of respondents believe they've visited a fraudulent Web site, while 19.3% said they had definitely done so. Insight Express said the 300 total responses have a 95% confidence level.
The Gartner Group reported similar findings. It estimated that in the last year, 57 million U.S. adults received phishing e-mails, of which 11 million clicked on the provided links, and 1.78 million provided passwords and other sensitive personal information. In total, the scams resulted in fraud losses of $2.4 billion.
Huger believes that policy is the best place to combat phishing. "Educating customers about how their information will be used, what kind of account questions will be asked and what method of communication will be used will go a long way toward mitigating the problem," he said.
Vincent Weafer, senior director of Symantec Security Response, agreed and offered a few additional recommendations for enterprises concerned about protecting their reputation. "Enterprises should look into setting up 'honeypot' e-mail accounts to trace phishing attacks that use the company's name," he said. "In the event that a phishing attack is discovered, enterprises should immediately notify authorities and customers. If a Web site is involved, they should request that the host ISP remove the site."
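The honeypot mailbox Weafer describes only pays off if someone triages what lands in it. The script below is an added example, not code from the article, from Symantec or from any product it mentions: it reads raw messages delivered to a honeypot address, flags those that invoke the company's brand while coming from, or linking to, domains the company does not own, and collects the off-brand hosts so the takedown request to the hosting ISP can be prepared. The brand name ExampleBank, its domain examplebank.example and the three sample messages are constructed for the example; the classification rules are a deliberately simple starting point, not a vendor's detection logic.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand being impersonated and the apex domains it really owns
# (both are placeholders constructed for this example).
BRAND = "ExampleBank"
BRAND_APEX_DOMAINS = {"examplebank.example"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_brand_host(host):
    """True when host is one of the brand's own domains or a subdomain of one."""
    host = host.lower()
    return any(host == apex or host.endswith("." + apex) for apex in BRAND_APEX_DOMAINS)


def triage_message(raw):
    """Classify one raw RFC 822 message delivered to the honeypot mailbox."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", "replace")

    # Signal 1: the message trades on the brand in its display name or subject.
    mentions_brand = BRAND.lower() in (display_name + " " + subject).lower()

    # Signal 2: it claims the brand but the sender address is not on a brand domain.
    sender_host = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    spoofed_sender = mentions_brand and not is_brand_host(sender_host)

    # Signal 3: it links to hosts the brand does not own (the spoofed site).
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    offbrand_hosts = sorted(h for h in hosts if not is_brand_host(h))

    is_phish = mentions_brand and (spoofed_sender or bool(offbrand_hosts))
    return {
        "subject": subject,
        "sender": sender,
        "mentions_brand": mentions_brand,
        "spoofed_sender": spoofed_sender,
        "offbrand_hosts": offbrand_hosts,
        "is_phish": is_phish,
    }


def takedown_targets(raw_messages):
    """Hosts used by flagged messages: the list to report to the hosting ISP."""
    targets = set()
    for raw in raw_messages:
        result = triage_message(raw)
        if result["is_phish"]:
            targets.update(result["offbrand_hosts"])
    return sorted(targets)


# Constructed sample messages standing in for the honeypot inbox.
HONEYPOT_INBOX = [
    # Brand in the display name, sender and link on a look-alike domain.
    "From: ExampleBank Security <alerts@examplebank-verify.example>\n"
    "To: honeypot@examplebank.example\n"
    "Subject: Urgent: verify your ExampleBank account\n"
    "\n"
    "Your account is limited. Sign in at http://examplebank-verify.example/login to restore access.\n",
    # Legitimate mailing from the brand's own domain.
    "From: ExampleBank <news@examplebank.example>\n"
    "To: honeypot@examplebank.example\n"
    "Subject: ExampleBank newsletter\n"
    "\n"
    "New rates are posted at https://www.examplebank.example/rates\n",
    # Unrelated spam: no brand mention, so not this brand's problem to chase.
    "From: Deals <promo@shop.example>\n"
    "To: honeypot@examplebank.example\n"
    "Subject: Weekend sale\n"
    "\n"
    "Visit http://shop.example/sale today.\n",
]

if __name__ == "__main__":
    for raw in HONEYPOT_INBOX:
        r = triage_message(raw)
        print(f"{'PHISH' if r['is_phish'] else 'ok   '} {r['sender']:45} {r['offbrand_hosts']}")
    print("takedown targets:", takedown_targets(HONEYPOT_INBOX))
```

Only the first message is flagged: it names the brand, its sender domain is not one the brand owns, and its link points at the look-alike host. The newsletter names the brand but every domain checks out, and the unrelated spam never mentions the brand at all, so neither generates a report. In practice the host list feeds the notification to authorities and the ISP that the article recommends, and the brand-domain set should come from the company's real DNS inventory rather than a hard-coded constant.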
U.S.-based enterprises can contact their local FBI office or FBI Internet Fraud Complaint Center and the Federal Trade Commission. Companies in other countries can contact the national law enforcement agency that manages consumer fraud.
This article originally appeared on SearchSecurity.com.