A bustling new sector of the technology industry is helping companies cope with a surge in online financial fraud known as "phishing," which uses e-mail to lure people into giving up their financial data at counterfeit bank and e-commerce Web sites.
But the fledgling industry as a whole has adopted divergent approaches to combating the problem, and there are signs that federal regulators could soon step in and mandate specific technologies. As a result, many banks have put off adopting the new services until the market matures. In the meantime, some security experts say, a few banks are resorting to hacker-like tactics in their own defense.
Only a fraction of the roughly 9,000 financial institutions nationwide have been targeted by phishers, but that ratio is changing for the worse each day. To date, online con artists have impersonated more than 150 banks, yet only about a third of those targets have deployed commercial protective technologies, said David Jevans, chair of the Anti-Phishing Working Group, a coalition of banks and technology companies.
The anti-phishing market is so young that there is little public analyst information about how much banks are spending on the new technologies. The annual sales for each of the companies contacted for this story varied widely, ranging from less than $1 million to $20 million. But several companies only began selling their services in mid-2004, and nearly all said they expected business to double in 2005 as attackers begin targeting other industries.
Jim Maloney, chief security officer for Portland, Ore.-based Corillian, said the company provides anti-phishing services to roughly 20 banks, with nearly as many currently evaluating its products. Maloney declined to name the company's clients, but said the banking sites it manages in-house range from credit unions to several of the top 30 biggest financial institutions.
Getting Ahead of the Phishers
Most anti-phishing companies offer a mix of products, such as domain-name monitoring -- checking to see whether potentially deceptive Internet addresses have been registered -- and a "takedown" service that involves contacting the Internet service provider (ISP) responsible for the fraudulent site and persuading it to shut the site down.
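The domain-name monitoring described above boils down to two steps: enumerate the addresses a phisher would plausibly register to impersonate a bank, then check which of them actually exist. The following Python sketch is an added example and is not code from the article or from any of the companies it names. It generates lookalike candidates for a brand name (single-character omissions, adjacent transpositions, a few digit-for-letter substitutions, and "secure"/"login"-style affixes) and matches them against a registered-domain list. The homoglyph table, the affix words, the brand "examplebank" and the registered list are all constructed for illustration; a real monitoring service would feed the candidates into WHOIS, zone-file or certificate-transparency lookups instead of a static set.

```python
# Added example: lookalike-domain generation for brand monitoring.
# All tables and sample data below are constructed for illustration.

# A deliberately small substitution table (assumption, not an exhaustive list).
HOMOGLYPHS = {
    "o": ["0"],
    "l": ["1", "i"],
    "i": ["1", "l"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
}

# Words phishers commonly bolt onto a brand name (assumed, illustrative).
AFFIX_WORDS = ("secure", "login", "online", "update")

# TLDs to expand each candidate across (assumed, illustrative).
COMMON_TLDS = ("com", "net", "org", "biz", "info")

# Constructed stand-in for a registered-domain feed (e.g. a zone-file diff).
REGISTERED_SNAPSHOT = {
    "examp1ebank.com",          # letter l replaced by digit 1
    "examplebank-secure.net",   # brand plus a trust-inducing suffix
    "exmaplebank.com",          # adjacent characters transposed
    "unrelated.org",            # noise that should not be flagged
}


def candidate_domains(brand, tld="com"):
    """Return the set of lookalike domains a monitor should watch for `brand`.

    `brand` is the second-level label only (e.g. "examplebank"); `tld` is the
    brand's legitimate TLD, which is excluded from the plain-brand expansion.
    """
    labels = set()

    # 1. Single-character omissions: "examplebank" -> "exmplebank", ...
    for i in range(len(brand)):
        labels.add(brand[:i] + brand[i + 1:])

    # 2. Adjacent transpositions: "examplebank" -> "exmaplebank", ...
    for i in range(len(brand) - 1):
        labels.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])

    # 3. One homoglyph substitution at a time: "examplebank" -> "examp1ebank", ...
    for i, ch in enumerate(brand):
        for sub in HOMOGLYPHS.get(ch, []):
            labels.add(brand[:i] + sub + brand[i + 1:])

    # 4. Brand with deceptive prefix/suffix words.
    for word in AFFIX_WORDS:
        labels.add(brand + "-" + word)
        labels.add(word + "-" + brand)
        labels.add(brand + word)

    labels.discard(brand)  # the brand itself is legitimate, not a lookalike

    # Expand every altered label across all TLDs ...
    domains = {f"{label}.{t}" for label in labels for t in COMMON_TLDS}
    # ... and the unaltered brand across every TLD except its own.
    domains.update(f"{brand}.{t}" for t in COMMON_TLDS if t != tld)
    return domains


def flag_registered(candidates, registered):
    """Return, sorted, the candidate lookalikes that appear in the registered set."""
    return sorted(c for c in candidates if c in registered)


if __name__ == "__main__":
    watchlist = candidate_domains("examplebank")
    print(f"{len(watchlist)} candidate lookalikes generated")
    for hit in flag_registered(watchlist, REGISTERED_SNAPSHOT):
        print("registered lookalike:", hit)
```

The candidate set grows quickly with brand length and TLD count, which is exactly why commercial services pair generation with registrar and ISP relationships: the generator tells you what to watch, and the feed tells you when a watched name appears.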
But phish busting is a complex endeavor that involves combating online criminal activity on a multitude of fronts, and most companies admittedly excel at just one or two of those areas. Some companies sift junk e-mail; others scour the Web for fraud sites. Some rely on close relationships with domain registrars and ISPs to gain intelligence on current or future attacks. Still others monitor online banking sites for signs that the sites are being cased as possible targets.
In acknowledgement of the fragmented market for the technologies they offer, several leading anti-phishing companies recently formed the "Anti-Fraud Alliance" to appeal to companies looking for a more comprehensive strategy. The group's members have agreed to promote and re-sell each other's products.
Perhaps the most recognizable name in the alliance is Cupertino, Calif.-based Internet security firm Symantec Corp., maker of Norton antivirus software. Symantec provides customers with information about the latest e-mail scams. Last May, at the height of 2004's phishing epidemic, Symantec acquired anti-spam company Brightmail and now sells access to its spam caches to give clients early warning of scam e-mails.
One of the more unusual approaches comes from Corillian, another member of the alliance. The company got its start in 1997 developing online banking sites for financial institutions and has built more than 60 such sites so far, a dozen of which are controlled directly from its headquarters. Because of this background, Corillian is adept at spotting the telltale signs of an impending phishing attack.