The Rise of the Phishing Scam
By Mark Sunner, Chief Technology Officer, MessageLabs
Friday, 14 October 2005 14:55 EST
As the BBC’s new drama series “The Hustle” demonstrates, the urge to defraud unsuspecting individuals and organisations is - for some people - too tempting to resist. Indeed, making a living out of successfully pulling off cons is often portrayed as glamorous and exciting, although the truth is somewhat different.
Fraudsters are always looking for new ways of carrying out their scams, and as the web has evolved and become more sophisticated, it has become a more attractive option. The crime itself is an old one, but the Internet has provided a new way of committing it.
The next generation of fraud has arrived in the form of ‘phishing’ – the use of viruses, spam, spoofed websites and social engineering techniques to defraud financial institutions and their unknowing customers out of their money. It may not yet have featured in a BBC drama, but this ‘online hustle’ is a very real threat to financial institutions and other companies across the globe.
Phishing is a simple concept: emails claiming to be from legitimate financial organisations are sent to recipients, who are then redirected to a fraudulent website. Once there, they are asked to update their personal information – from bank account numbers and passwords to social security numbers. (In the most sophisticated cases, the spoofed website is almost a perfect replica of the genuine site – making it more difficult for visitors to distinguish one from the other.)
Once this personal information is obtained, the identity theft begins, and can result in drained savings accounts, new credit accounts being opened and countless online purchases being made in the victim’s name.
Phishing is a relatively new phenomenon but has very quickly become a serious headache for those charged with maintaining online security in financial institutions in particular.
There is no doubting the rise of the problem in the past nine months or so: back in August 2003, MessageLabs intercepted a grand total of 14 phishing emails (i.e. emails containing a fraudulent URL posing as that of a legitimate organisation). By the end of January this year, this number had risen to 290,016.
Phishing scams have to date occurred on every major English-speaking continent. North America has perhaps been worst hit – customers of TD Canada Trust, Citibank, eBay’s PayPal and Visa have all unwittingly divulged account numbers, passwords and other sensitive information. In the UK, customers of major high street banks like Barclays, NatWest and the Halifax have all responded to false emails. And in Australia the customers of all four main banks have been targeted by scams.
Ascertaining precisely how many users have fallen victim is no easy feat. The representative body of the UK banking industry, APACS, has been cautious about the impact of phishing, claiming that fewer than 100 people fell victim in 2003. And yet the Bank of England saw at least 200,000 phishing emails during one particular scam. In the US, complaints to the Federal Trade Commission increased by 67 per cent to more than 75,000 since phishing emails first emerged in 2002.
One reason for the conflicting reports may be that financial institutions are wary of reporting a successful phishing attack – as it points to a direct threat to their online security. More disturbing is the possibility that they may not even be aware that it has happened.
What is clear is that institutions must take steps to try and prevent becoming victims in the future. But what can they do to prevent themselves falling for such scams?
The answer is there are a number of measures that can be taken, one of the most effective being the deployment of a dedicated, online fraud protection service.
Such a service should involve proactively monitoring international email traffic and providing immediate notification upon the discovery of new phishing emails. An incident response element is also needed to contact the authorities and law enforcement agencies and to assist them in identifying and closing down fraudulent websites, thus reducing companies’ exposure to losses related to prolonged scams.
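As an added illustration (not part of the original article and not MessageLabs’ code), the check below shows one way a mail-monitoring step could flag an email “containing a fraudulent URL posing as that of a legitimate organisation”, the definition used earlier. The domain examplebank.example, the allow-list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
LEGIT_DOMAINS = {"examplebank.example"}  # assumption: the organisation's real domains

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_legit(host):
    # Match on a label boundary so "examplebank.example.verify.invalid" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def suspicious_links(raw_email):
    """Return (target host, link text) where the mail poses as the organisation but links elsewhere."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    findings = []
    for href, text in collector.links:
        target = urlsplit(href).hostname or ""
        shown = re.findall(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
        poses = is_legit(sender_domain) or any(is_legit(h) for h in shown)
        if target and poses and not is_legit(target):
            findings.append((target, text))
    return findings

# Constructed sample message; not taken from any real campaign.
SAMPLE = ('From: security@examplebank.example\nContent-Type: text/html\n\n'
          '<a href="http://examplebank.example.verify.invalid/u">www.examplebank.example</a>\n'
          '<a href="https://www.examplebank.example/help">Help</a>\n')
```

Because the From header is trivially forged, the check treats a sender claiming the organisation’s domain as a reason to inspect links more strictly, not as proof of origin; genuine mail that links to third-party sites would need those domains added to the allow-list.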
There are additional precautions that can also be taken. User education plays a key role in any IT security initiative, and phishing is no exception. Financial institutions must ensure that customers are aware of how they will communicate with them, and the kind of information they will be asked for. No reputable finance organisation would use an email to notify customers of problems with their account and then ask them to hand over personal account details, account numbers and passwords with no personal contact or some kind of verification.
Unless financial institutions take immediate, urgent action, phishing scams will become one of the biggest threats they face today. Inactivity is not an option - this type of fraud results not only in financial losses, but also in considerable damage to credibility and reputation. In a climate where online banking as a whole is still attempting to establish widespread acceptance and trust, the potentially devastating impact of successful phishing scams must not be underestimated.
MessageLabs are exhibiting at Infosecurity Europe 2006 which is Europe's premier IT Security Exhibition. The event brings together professionals interested in IT Security from around the globe with suppliers of security hardware, software and consultancy services. Now in its 10th year, the show features Europe's most comprehensive free education programme, and over 200 exhibitors at the Grand Hall at Olympia from 26th to 28th April 2006. Further information about Infosecurity Europe 2005 is available at http://www.infosec.co.uk