Phishing Attacks Pose Heightened Threat
'Spear-Phishing,' Risky Behavior and Poor Protections To Blame
The good news: most banking/security leaders are more aware of the risk management and security items they need to check off their to-do lists.
One area where they will inevitably spend investment dollars and time relates to the fight against phishing. Like most fraud, phishing attacks are increasing in number and sophistication. Banks know these are a problem, but fighting back is becoming increasingly difficult.
According to our own research, phishing and vishing rank among the top three fraud threats banks and credit unions currently face. About half of the respondents to our Faces of Fraud Survey say phishing and vishing are major concerns. Interestingly, only 20 percent say they feel prepped to fight and prevent those attacks against their customers and brands.
Part of the concern stems from emerging channels, such as mobile, which are more often used to access online banking.
The Information Systems Audit and Control Association, better known as ISACA, also recently conducted a survey, with a focus on risky online behavior. ISACA finds that mobile browsing and the use of social networks, accessed via mobile or a PC, open yet more doors for attacks.
"We see increased risks as the mobile channel becomes a primary channel for many people to access online shopping and do online transactions," says Mark Lobel, an ISACA member and a principal within the Advisory Services group at PricewaterhouseCoopers. "As new technologies come out, the security tends to follow" much later.
The riskiest online behaviors: Clicking on an e-mail link to access a shopping site, which 52 percent of ISACA survey respondents admit to doing; and mixing personal networking with business. Fifty-two percent admit to using a work computer or smart phone to access social networking sites for personal use. "It is kind of the flip of using personal stuff for business and then using business stuff for personal -- clicking on links."
Here's more: Results from another recent survey, this one from the Anti-Phishing Working Group, reveal that 54 percent of household and business PCs are infected with some kind of malware, most likely from users clicking on links and accessing sites that make them vulnerable.
It's easy to do. Last week, I almost fell for a scam to buy anti-virus software. The download prompt came up after I hit a site from a Google search. Luckily, the alert seemed phishy, so I called an IT friend. He told me to run a malware program, which is free, by the way, and get the phishy program out of my program files. He told me the anti-virus scam was hitting a number of businesses. It was all a ploy to get my credit card details -- hence the prompt to buy the software.
I share that to point out that we cannot completely fault consumers for being somewhat naïve.
Here's the other issue. According to another study, this one released in October by Symantec, the number of phishing attacks launched on consumers has jumped from one or two a week in 2005 to more than 70 per day. And those attacks are not the old-fashioned random attacks we used to see. No, these are targeted attacks, so-called spear-phishing attacks, which are directed at specific companies, and, in many cases, specific employees. The aim of spear-phishing attacks is to steal banking credentials and e-mail passwords.
Clearly, the cybercriminals see value in phishing.
The financial industry is taking steps to better educate consumers about phishing threats, but what they really need to do is invest in technology and solutions that don't allow those phishy e-mails through in the first place. From what security experts in the field tell me, technology exists that could virtually eliminate this kind of fraud. But banks and credit unions are not investing in the right solutions. They depend too much on anti-virus software, which is insufficient.
Why do we continue to spend money on ineffective solutions? Are vendors not doing enough to educate their customers, or are we not doing enough to implement effective measures?
Those are questions I can't answer alone. But I hope it's an issue we all can resolve in 2011.