In the realm of data security, a great deal of attention is being given to phishing, which involves the use of fraudulent e-mail to acquire sensitive personal information such as credit card data, Social Security numbers and computer passwords. These e-mails are disguised as official communications from well-known companies and are often linked to fraudulent web sites designed to resemble the alleged source of the message. Unsuspecting computer users who visit these sites are conned into providing their data, which is then used by the phishing operators for identity theft, credit card abuse and draining funds from bank accounts.
Phishing is not a new crime (the earliest reference to it dates from 1996), but the level of activity and the depth of effectiveness have increased awareness of the damage it can create. According to CSO Magazine, a high-tech trade journal covering security issues, approximately 1.2 million computer users in the United States were the victims of phishing between May 2004 and May 2005, resulting in losses totaling approximately $929 million. American businesses lose an estimated $2 billion annually as a result of this crime.
Not surprisingly, financial institutions have been the target of phishing attacks. One of the most recent and dramatic phishing attacks took place in January when the Swedish bank Nordea had $1.5 million stolen through an elaborate phishing/computer virus attack. According to press reports, approximately 250 Nordea customers were phished via phony e-mails designed to look as if they came from the bank. The customers were asked to download an anti-spam program that was actually a Trojan Horse virus that became activated during the customers’ online banking sessions. This provided the criminals (who’ve yet to be apprehended) with full access to the unsuspecting customers’ accounts.
Mortgage-related phishing attacks may be the next step in this crime spree. As it stands, phony e-mail mortgage offers are part of the top five spam solicitations, according to the Spamometer survey from the software development company Ipswitch Inc. And there is already precedent for the phishing/mortgage spam convergence: In December 2003, the FTC halted a scam run by 30 Minute Mortgage Inc., an Internet operation that promised “3.95% 30 Year Mortgages” but was discovered selling Social Security numbers and other sensitive data of duped applicants to third parties.
One likely target market for mortgage-related phishing is potential borrowers who don’t qualify for prime loans. “Our consumers tend to be more gullible - we deal in the nonprime market,” says Hal Jolley, president of Blue Financial in Phoenix. “Or at least that’s the impression I have. Nonprime borrowers tend to be more susceptible - they tend to approach things a little less skeptically.”
On the flip side, no lender is too small or far afield to avoid being the target of a phishing scam. Heartland Bank, which operates a mortgage origination office in Fairview Heights, Mo., discovered that the hard way.
“In December 2005, a gentleman in Ireland got an e-mail that said he won a lottery and to please open an account at Heartland Bank,” recalls Michael Getty, project coordinator. “The people behind that scam copied our Web site, and it looked authentic.”
The fraud was, according to Getty, “traced to certain nefarious parties in Australia.” But why did these antipodean miscreants choose Heartland Bank, of all possible lenders?
“We were probably chosen at random,” suggests Getty. “Our Web site is not the most sophisticated out there - you could say we were low-hanging fruit.”
For lenders, phishing schemes represent the ultimate lose-lose situation. “You have a reputation risk,” says Jeff Taylor, senior economist with the National Association of Federal Credit Unions (NAFCU). “Even if it’s not your fault, it sounds like it’s your fault.”
From the internal perspective, lenders are more than cognizant of the threats present in the online environment. “We’re highly, highly sensitive to encryption,” states Christopher Dannen, vice president of residential mortgage sales at People’s Bank in Bridgeport, Conn. “Any documents and e-mails leaving us are encrypted, and we have filters on everything that’s coming in.”
Dannen adds that People’s Bank requires its employees to take mandatory training classes relating to Net-based security concerns, including phishing.
To date, it doesn’t appear that threats from phishing have had a significant impact on the popularity of online mortgage transactions, especially e-mortgages. “I’ve not seen evidence of that, especially among the younger population, who think these things are secure,” says Taylor.
“People who go to the trouble of buying a mortgage are generally more savvy than people most frequently targeted by phishing attacks,” says Getty. “These people are cautious and thorough enough to obtain a mortgage and manage it online.”
“We’re raising the level of security and awareness in using electronic documents, and I don’t see that changing,” adds Dannen.
If anything is certain, it would be that phishing will continue to confound computer users. Last January, a new wrinkle was uncovered: the e-security company RSA Security discovered a do-it-yourself phishing kit called Universal Man in the Middle available online, thus making phishing techniques available at the most elementary Net level.
“You’re always chasing the hackers, it seems,” says NAFCU’s Taylor.