As the nation's largest financial institutions deploy increasingly
sophisticated measures to prevent Internet scams, online fraudsters are
targeting smaller, regional U.S. banks whose
customers may be less attuned to the threat.
Experts say the shift is the latest trend in a technological arms
race between Internet con artists dubbed "phishers" and the e-commerce
and banking companies they target. Phishers use fake Web sites and
e-mail messages in an attempt to trick customers into disclosing
valuable personal financial information.
"We have found that financial institutions and other targets are
starting to purchase and deploy solutions to help battle phishing," said
David Jevans, chairman of the Anti-Phishing Working Group (APWG), a coalition
of banks and technology companies. "As they do this, phishers are
starting to move on to softer targets."
The majority of attacks still involve a handful of global
financial institutions with hundreds of billions of dollars in assets.
These banks are attractive targets because they often boast large
numbers of customers who opt for online banking services.
The new targets, by comparison, often operate in only a handful of
U.S. states and serve fewer customers. In October, phishers first targeted
customers of Madison, Wisc.-based First Federal Capital Bank, which
has 90 branches in three states and about $3.3 billion in assets.
In November, scams struck Wayzata, Minn.-based TCF Bank and Columbus, Ohio-based Huntington Bancshares Inc., each a regional institution covering six states. That same month, attackers hit
People's Bank, which has branches only in Connecticut.
The new attacks varied in complexity, but all shared a
common technique. Bank customers received an e-mail message urging them to
update or verify their account data. A link in the message took them to a genuine-looking bank Web site -- actually a fake created by the attacker -- where any information entered would fall into the hands of the e-mail sender.
The shift toward targeting smaller banks coincides with a surge in
the number of phishing attacks recorded in 2004. The Anti-Phishing
Working Group found 9,019 new and unique phishing e-mail messages in
December, nearly four times the number reported in August. The group
tracked 1,707 phishing Web sites in December, a 24 percent increase from November.
Even a scam that nets just one or two active
credit card accounts out of a million solicitations can be a profitable
haul, said security expert Ken Dunham of Reston, Va.-based Internet security firm iDefense.
"Your average credit card has a limit of about $5,000," Dunham said.
"The startup costs for these kinds of attacks is next to nothing, so in
many cases the phisher only needs to snag a few accounts before it becomes worth
the effort."
In addition, customers of smaller banks may not be as experienced in
dealing with such scams, said Rod Rasmussen, director of operations for
Tacoma, Wash.-based Internet Identity, which helps banks and other online-fraud targets combat phishing Web sites.
Phishers hope they can "hit the mother lode with a small
bank that's communicating with their customers in a way that makes them
more susceptible ... than maybe they should be,"
Rasmussen said.
Online criminals also are beginning to trade and sell e-mail address
lists of known bank customers. In a little-known online chat channel
dedicated to credit card fraud and identity theft, one recent poster
advertised for sale an e-mail address list of customers of Washington
Mutual, a regional bank based in Seattle that serves customers in 14 states.
The company did not respond to repeated requests for comment. But
experts say that if the e-mail lists are accurate, the people selling them
probably culled most of the addresses from previous victims.
"In a lot of ways, phishing is nothing more than illegal direct
marketing, so if you're a really clever criminal you will find ways to target your
audience better," Rasmussen said.
Madelyn Valdes, 46, of the Bronx, N.Y., learned she'd been the
victim of a phishing scam targeting Washington Mutual customers when her checking account was
emptied of $900.
The scammers had used her checking information to open up a new
PayPal account, and then wired the money to another location. Valdes
said the thieves also tried to use her account information to buy
hundreds of dollars worth of women's shoes online.
"I was about to send my rent check but now I can't do anything,"
she said. "I'm totally broke."
Banking on Technology
Some smaller banks have taken defensive steps to block phishers, such
as declining to communicate with their customers via e-mail, or
temporarily shutting down portions of their online banking sites once a
scam has been identified.
Other regional banks, however, are warming to technologies adopted by many large financial institutions. Sovereign Bank, which
maintains branches in seven northeastern states, was first targeted on Oct. 29, and then again one week later.
The experience prompted Sovereign to begin pilot projects with Boise,
Idaho-based MarkMonitor and Beaverton, Ore.-based Corillian Corp., two
companies marketing anti-phishing technologies to banks and e-commerce
sites, said Marianne Doran-Collins, senior vice president and director
of online banking at the Reading, Pa.-based bank.
"We're not interested in just waiting around for the next [attack],"
Doran-Collins said.
Other companies offering technologies to detect and disable phishing
sites also have seen a recent increase in the level of interest from
smaller financial institutions. Madison, Wis.-based NameProtect had
roughly 10 times as many inquiries in the last three months of 2004 from
small- to mid-sized banks as it had the previous quarter, said Kevin Omiliak,
NameProtect's vice president of sales and marketing.
PNC Bank, which does business in Pennsylvania, New Jersey, Delaware,
Ohio and Kentucky, was first targeted by phishers late in August. The
scam site stayed up for more than 24 hours, though no PNC customers
have reported losses from the attack, spokesman Brian Goerke said.
A few days after the attack the bank contracted with two providers of
anti-phishing products, though Goerke declined to name those companies.
PNC was struck again in September, and the new technologies helped
the company shutter the phishing site in less than two hours, he said.
"We put things in place right away so that if it happened again we'd
be ready," Goerke said.
Banks and Internet service providers remain key targets, but there
are signs that phishers will continue to break into new areas of
business in 2005, said Mark Griffiths, vice president for VeriSign Inc.,
an Internet security firm based in Mountain View, Calif.
Griffiths said phishers have started mimicking power companies and
other utilities, trying to trick people into registering at fake utility
Web sites to pay their bills automatically online.
"These guys are definitely only going to get more bold and creative,"
Griffiths said.