The development of the Internet has provided banks and their customers with a welcome range of remote banking possibilities. Businesspeople, the housebound, and residents of remote localities are amongst the key beneficiaries from these opportunities to access banking services from the comfort of the home or office. Unfortunately Internet banking has also attracted criminal interest. In contrast to the old-fashioned bank raid that carries significant risk of capture and injury, robbery via the Internet appears to offer rich pickings with a lower chance of being detected.
Phishing has become one of the leading categories of online banking crime. The term is apparently derived from the similar-sounding word “fishing”, but instead of sitting on a river bank with bait on the end of a line, the phisher sits at a computer and sends out emails in the expectation of catching bank customers and extracting their personal data.
The standard phishing approach involves sending out multiple emails that seem to originate from a legitimate online bank site. These emails include a variety of messages designed to persuade the recipient to access an Internet site masquerading as a legitimate bank site and to enter their account number, password, credit card number and other important personal information. For example, they might write that your account is overdrawn due to a bounced check and provide you with a link to the bank Website and/or a phone number for you to obtain additional information. The site URLs and appearance are carefully designed to imitate the genuine site so the customer does not become suspicious. The phone number may be a false number manned by one of the phisher’s confederates.
After providing these personal details the customer is usually transferred to the genuine bank site, where they need to log in again to access their account. They assume the first login was in error and remain blissfully unaware of the identity theft until the loss of money is discovered at some later date. The thief adds this information to a database and immediately makes use of it to extract funds from your bank account and to commit associated identity theft crimes.
Phishing emails also reach many people who have no account with the bank that supposedly sent them. But some of the emails will reach people who do have an account there, and a certain percentage of those recipients will be tricked, which makes this a profitable criminal activity.
Banks on the Phishing Firing Line
Every bank with an online banking division is a potential victim of the phishing fraudsters. In September 2007, Bank of America® customers were targeted with emails asking them to provide personal banking details for their “Security and Resolution Center regular maintenance” or “to meet the requirements of the Federal Financial Institutions Examination Council (FFIEC)”.
In August 2009 Ally Bank customers began receiving emails asking them to fill in an online customer form to provide information required for enhanced security members. These emails come from forged but realistic-looking addresses such as firstname.lastname@example.org and they have even been sent to people in places where it is unlikely that Ally Bank has any customers, for example, the UK. The emails also carry a number of different subjects designed to attract the reader’s attention and get them to access the Web site link provided. “Important Notification from Ally Bank”, “New Version of Ally Bank customer form has been released” and “GMAC Bank is now Ally Bank” are a few of the subject lines these phishers have been using.
Another incident of phishing this month involves emails sent to the customers of Nevada’s Community Bank – a victim of the current financial crisis that has been closed down by the State of Nevada Financial Institutions Division and federal regulators. The police department in Mesquite, Nevada, has warned citizens over text messages received by a number of residents of the town that inform them that their debit cards have been deactivated and ask them to reply to the text message or call a number listed.
Avoiding taking the phisher’s bait
If you bear in mind a few key principles you can escape the phisher’s clutches:
- Never click on a link to a Website or dial the number included in the suspect message. Look up your own record of your bank’s phone number and call them to verify if the message is genuine.
- If you receive a message purporting to come from your bank but addressed to “Dear Customer” or with a similar impersonal address, be on the alert. Perhaps you have never even given your email address to the bank, and in the unlikely event that they do email you, they will personalize the email.
- Read the message carefully for spelling and grammar errors. Phishers are not known to be careful over such matters while the genuine bank will avoid such simple errors.
- Regularly check your bank and credit card statements and be alert to any transactions that arouse your suspicion.
If you think that you have received a phishing scam message you should immediately make the bank aware that such communications are being sent out in its name. You should also report the message to the Federal Trade Commission at 1-877-382-4357. Publicity that raises public awareness helps protect potential phishing victims and information provided to the authorities assists them to apprehend the criminals behind these hoax messages.
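The warning signs in the checklist above can also be checked mechanically, for example by a mail filter or a help desk triaging reported messages. The following Python code is an added example, not part of the original article; it flags an impersonal greeting, links whose host is not the bank's real domain, and embedded phone numbers. The domains `bank.example` and `account-verify.test`, the sample message and the function names are constructed for illustration, and the From header is deliberately not trusted because phishers forge it.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|client|member|user|account\s+holder)\b",
    re.I | re.M)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")

def host_belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it.
    A substring test would accept lookalikes that merely start with it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw_message, bank_domain):
    """Return a list of warning signs found in a plain-text email."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # assumption: single-part plain-text message
    findings = []
    if GENERIC_GREETING.search(body):
        findings.append("impersonal greeting")
    for url in URL.findall(body):
        host = urlsplit(url).hostname
        if not host_belongs_to(host, bank_domain):
            findings.append(f"link points to {host!r}, not {bank_domain}")
    if PHONE.search(body):
        findings.append("phone number in message; use your own record of "
                        "the bank's number instead")
    return findings

# Constructed sample: forged sender, lookalike host, embedded phone number.
SAMPLE = """From: Bank Security <service@bank.example>
To: someone@mail.example
Subject: Important Notification

Dear Customer,

Your account is overdrawn due to a bounced check. Review the details at
http://bank.example.account-verify.test/login or call 555-010-0199.
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE, "bank.example"):
        print("WARNING:", finding)
```

A message that raises none of these flags is not thereby proven genuine; the checks only automate the first pass that the checklist asks a reader to make.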