TO           :      SunTrust Security & Loss Prevention Board

FROM      :      Four-Guys Security Services

DATE       :      April 25th, 2005

SUBJECT :      Phishing Occurrences / Costs on the Rise

ATTENTION  :   SunTrust S.L.P. Board

            In the opinion of Four-Guys Security Services, data analysis indicates that, due to the recent influx of phishing attempts perpetrated against SunTrust customers in the past year, new processes, metrics and security measures must be put in place to reduce the effectiveness of these criminal activities.  For those unfamiliar with the problem posed by phishing schemes, let us first outline the problem, explain the methods used, quantify the financial ramifications, and wrap up by presenting some possible solutions that we believe may help mitigate SunTrust’s risk in this area.

            The term phishing, also known as brand spoofing or carding, is a variation on “fishing”.  The idea is that bait is thrown out in the hope that, while most people will ignore it, some will be tempted into biting.  Phishing is a high-tech scam that uses spam or pop-up messages to deceive a person into disclosing their credit card numbers, bank account information, Social Security number, passwords, or other sensitive information.

            The dictionary defines phishing as: the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.  The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.  The Web site, however, is bogus and set up only to steal the user’s information.

            Phishing attacks have been projected to rise by as much as 110% from month to month.  For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay and various banks, including SunTrust.  These e-mails claimed that the user’s account was about to be suspended unless they clicked on the provided link and updated the credit card information that the genuine eBay already had.  Since it is relatively simple to make a Web site look like a legitimate organization’s by mimicking its HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay.  This subsequently led them to the fake eBay site, where they would “update” their account information.

            By spamming large groups of people, the “phisher” counts on the e-mail being read by a percentage of people who actually have credit card numbers listed with eBay.  New coding techniques that take advantage of flaws in Microsoft’s Internet Explorer allow the link shown in the browser’s address bar to display the real address of eBay’s or SunTrust’s website, while malicious code actually sends the user to the fake website, where criminals collect the user’s data once it is entered.

            Phishing is most prevalent in the United States, with approximately 1,518 sites reported in November 2004.  These sites do not stay around for long once they begin to cause damage, as shown by their average lifespan of 6.2 days.  This short lifespan shows that the people behind these scams hit quickly and take off to avoid prosecution.  Since the time available to catch these offenders is limited, the real issue is how to avoid them altogether.

            Although there are many security-related steps that need to be taken, the best overall solution to this emerging and persistent problem is to educate SunTrust’s customers.  Customers should be made aware of the threat and taught to modify their behavior in these simple ways:

  • Be skeptical of any e-mails asking for financial information, as most legitimate companies would never ask for financial information in an e-mail.
  • Always ensure that, when entering financial information, you are on a secure website.
  • Don’t use links in e-mails; instead, use your browser to go to the website directly.
  • Ensure that your browser is up to date with all current patches.
  • Regularly check your accounts to ensure that no strange activity is taking place.

            Another possible solution would be to promote certain new pieces of software that address this ongoing problem.  E-Scam is one such piece of software that has proven effective in protecting a company’s customer base from this electronic attack.  E-Scam detects attacks in real time by assessing the validity of e-mails, thus providing a substantial defense for customers.  This program is easily integrated and would promote goodwill between SunTrust and its valued customers.
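As an added illustration of the kind of check that e-mail validity software performs (this is not E-Scam’s own code, which the memo does not describe, and it is not part of the original memo), the following Python script applies two simple heuristics to a constructed sample e-mail: it flags any link whose visible text names one host while the actual href leads to another, and it flags messages whose text asks for financial or identity data. The sample e-mail, its hosts and the term list are hypothetical.

```python
"""Heuristic phishing e-mail check (hypothetical example, not E-Scam's logic):
flags links whose visible text names a different host than the href target,
and messages that ask the reader for financial or identity data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail (hypothetical hosts): the link text shows the
# bank's address, but the href points somewhere else entirely.
SAMPLE_EMAIL = """
<html><body>
<p>Your account will be suspended unless you update your credit card number.</p>
<p><a href="http://update-accounts.example.net/login">https://www.suntrust.com/</a></p>
<p><a href="https://www.suntrust.com/help">Help</a></p>
</body></html>
"""

# Terms a legitimate bank e-mail would not ask a customer to supply (assumed list).
SENSITIVE_TERMS = ("credit card", "social security", "password", "account number", "pin")
# Matches link text that looks like a URL or a bare host name.
URL_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and the e-mail's visible text."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of [href, visible text]
        self.text_parts = []
        self._current = None  # the anchor currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def host_of(url):
    """Lower-cased host of a URL ('' if none); bare hosts get a scheme added first."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def find_deceptive_links(html):
    """Return (shown_host, real_host) pairs where the anchor text names a host
    that does not match the href's host: the classic phishing link disguise."""
    parser = _LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        match = URL_TEXT.match(text.strip())
        if not match:
            continue  # link text is an ordinary word, nothing to compare against
        shown = match.group(1).lower()
        real = host_of(href)
        if shown != real and not real.endswith("." + shown):
            mismatches.append((shown, real))
    return mismatches


def find_sensitive_requests(html):
    """Return the sensitive-data terms that appear in the e-mail's visible text."""
    parser = _LinkCollector()
    parser.feed(html)
    text = " ".join(parser.text_parts).lower()
    return [t for t in SENSITIVE_TERMS if re.search(r"\b" + re.escape(t) + r"\b", text)]


def assess(html):
    """Aggregate verdict: 'suspicious' if either heuristic fires, otherwise 'ok'."""
    if find_deceptive_links(html) or find_sensitive_requests(html):
        return "suspicious"
    return "ok"


if __name__ == "__main__":
    print(find_deceptive_links(SAMPLE_EMAIL))
    print(find_sensitive_requests(SAMPLE_EMAIL))
    print(assess(SAMPLE_EMAIL))
```

Both heuristics are deliberately conservative: a link whose text is a plain word such as “Help” is not compared at all, and a host that is a subdomain of the one shown is accepted, so the check catches the disguise described above without rejecting ordinary bank mail.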

            The most important thing SunTrust can do is provide customers with a method of communication that can be trusted.  SunTrust already employs such a service: proprietary “bank-mail”, accessible only through the SunTrust website, is an effective method of ensuring private communication with customers and increasing customers’ trust in that communication.  When new bank-mail is available, customers should be notified via their existing e-mail address that new mail is waiting on the bank website.  As mentioned before, no links should be provided; the customer should instead type in the address manually, ensuring that an authentic website is accessed.

            To conclude, it is imperative that firms take notice and act against the growing number of phishing attacks, especially in light of concurrent rises in liability litigation.  Users must be educated about phishing schemes, and firms should also pursue software initiatives that provide workable solutions to cover their users and protect themselves.  Preventative rather than reactive measures are essential to ensuring data security against these malicious attacks, as well as to maintaining user trust.

If we can be of further assistance, please do not hesitate to contact us.

Sincerely,

Brian Long, Michael Cox, Jarrod Carlson, Andrew Larson

Four-Guys Security Services
Athens, GA.

(800) 444-Guys


Below are some articles and websites to help you learn more about phishing:

General:
http://www.webopedia.com/TERM/p/phishing.html
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
http://techupdate.zdnet.com/techupdate/stories/main/Phishing_Spam_that_cant_be_ignored.html

Avoiding the Scams:
http://www.antiphishing.org/consumer_recs.html

Prevention:
http://www.digitalenvoy.net/solutions/ipi/escam.shtml
http://www.microsoft.com/athome/security/email/phishing.mspx
http://netsecurity.about.com/od/secureyouremail/a/aa061404.htm
http://www.phishingdangers.com/
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm

Phishing Blog:
http://channel9.msdn.com/ShowPost.aspx?PostID=20749