The crooks are quick to act when opportunities arise. When Royal Bank Financial Group suffered a computer glitch in June that left thousands of clients without their automatic pay deposits, fraudsters launched a spoofed e-mail campaign within days, posing as the bank and urging recipients to hand over passwords and personal data or risk having their accounts suspended. Royal was forced to issue a fraud alert.
But the true damage done by phishing attacks is difficult to measure. Few financial-services firms are willing to speak on the record, and those contacted for this story declined to comment or indicated phishing wasn't a problem for them. Still, one thing is clear: Phishing is more of a problem for banks than brokerages, at least for the moment.
To understand how prevalent the problem is, the Financial Services Technology Consortium (www.fstc.org), whose members include North American financial institutions, technology vendors, independent research organizations and government agencies, has launched a counter-phishing initiative. "The issue certainly doesn't seem to be going away," says Jim Salters, the consortium's director of technology initiatives and project development, who adds that phishing is simply an evolution of the types of fraud that financial institutions have always faced.
A 15-page project proposal available on the FSTC Web site notes that "Phishing is clearly a significant concern for financial institutions. From a risk-assessment perspective, it has the character and current potential to create significant operational and reputational risks."
Under the plan, the FSTC proposes to launch a three-phase project to examine and possibly introduce counter-phishing initiatives. Phase one is the knowledge-acquisition and options-development stage; phase two focuses on implementation of pilot and test projects and will provide recommendations for action; and phase three will include dynamic monitoring and updating of tools and countermeasures. Salters says the FSTC hopes to launch the project this fall and "understand the issue by year end."
Though the problem currently seems confined to banks, brokerages aren't impervious to attacks. John Reed Stark, chief of the Office of Internet Enforcement at the SEC, says the attacks in the securities industry are more along the lines of what he calls "phishing derivatives."
For example, one offender, Van T. Dinh, was sentenced to 13 months in jail and ordered to pay restitution after he broke into a TD Waterhouse investor's account and placed options trades that offset his losses on a failed investment. Dinh obtained the investor's login credentials through a program the investor unwittingly downloaded: in an online chat room, Dinh had urged fellow investors to try out software he claimed to have developed, and the program captured the victim's account information once it was installed.
In addition, Reed Stark says there have been some instances of "schemes orchestrated offshore designed to defraud investors," which the SEC is investigating. "I can't say for sure if there are any instances where somebody has hijacked a legitimate brokerage firm Web site," he concedes. "We want to be really careful. We don't want to overstate or understate the problem." According to Reed Stark, the SEC has set up an e-mail address for complaints about enforcement issues, and it receives 1,300 e-mails a day. "Internet users are very good at finding a place to complain," he says.
Assistant Treasury Secretary Abernathy says, "It's good news that nobody has hit [brokerages] yet. It's bad news if they think they're invulnerable. They need to take the opportunity to prepare and defend themselves." He speculates that one of the reasons why criminals might be targeting banks over brokerages is that "crooks are more aware of banks than they are of brokerage institutions." But it's only a matter of time. "Once [criminals] figure out they can go the brokerage route, I can see them doing that."