As the nation's largest financial institutions deploy increasingly
sophisticated measures to prevent Internet scams, online fraudsters are
targeting smaller, regional U.S. banks whose
customers may be less attuned to the threat.
Experts say the shift is the latest trend in a technological arms
race between Internet con artists dubbed "phishers" and the e-commerce
and banking companies they target. Phishers use fake Web sites and
e-mail messages in an attempt to trick customers into disclosing
valuable personal financial information.
_____Recent Phishing Articles_____
Technology Fueling Wave of Phishing Scams (washingtonpost.com, Jan 18, 2005)
It's Been a Day-to-Day Battle With Intruders (The Washington Post, Dec 26, 2004)
Companies Forced to Fight Phishing (washingtonpost.com, Nov 19, 2004)
How to Fend off Phishing (washingtonpost.com, Nov 18, 2004)
Phishing Feeds Internet Black Markets (washingtonpost.com, Nov 18, 2004)
"We have found that financial institutions and other targets are
starting to purchase and deploy solutions to help battle phishing," said
David Jevans, chairman of the Anti-Phishing Working Group (APWG), a coalition
of banks and technology companies. "As they do this, phishers are
starting to move on to softer targets."
The majority of attacks still involve a handful of global
financial institutions with hundreds of billions of dollars in assets.
These banks are attractive targets because they often boast large
numbers of customers who opt for online banking services.
The new targets, by comparison, often operate in only a handful of
U.S. states and serve fewer customers. In October, phishers first targeted
customers of Madison, Wisc.-based First Federal Capital Bank, which
has 90 branches in three states and about $3.3 billion in assets.
In November, scams struck Wayzata, Minn.-based TCF Bank and Columbus, Ohio-based Huntington Bancshares Inc., each a regional institution covering six states. That same month, attackers hit
People's Bank, which has branches only in Connecticut.
The new attacks varied in complexity, but all shared a
common technique. Bank customers received an e-mail message urging them to
update or verify their account data. A link in the message took them to a genuine-looking bank Web site -- actually a fake created by the attacker -- where any information entered would fall into the hands of the e-mail sender.
The shift toward targeting smaller banks coincides with a surge in
the number of phishing attacks recorded in 2004. The Anti-Phishing
Working Group found 9,019 new and unique phishing e-mail messages in
December, nearly four times the number reported in August. The group
tracked 1,707 phishing Web sites in December, a 24 percent increase from November.
Even a scam that nets just one or two active
credit card accounts out of a million solicitations can be a profitable
haul, said security expert Ken Dunham of Reston, Va.-based Internet security firm iDefense.
"Your average credit card has a limit of about $5,000," Dunham said.
"The startup costs for these kinds of attacks is next to nothing, so in
cases the phisher only needs to snag a few accounts before it becomes worth