Consumers May Face Increased Risk of Identity Theft

According to a new study by The Radicati Group, consumers and companies may be facing an increasing risk to Internet identify theft and fraud.
The study, "Email Anti-Phishing and Anti-Fraud Market Trends 2004-2008," projects that over the next four years there will likely be an increase in the number of worldwide unique phishing attacks--email scams that try to get customers to reveal personal information like social security numbers and passwords. The study, which contains data compiled from interviews and surveys conducted with vendors, service providers, corporate customers, and consumers, states that the amount of unique phishing attacks is anticipated to grow from 51 per day in 2004 to 110 per day by 2005. This represents an increase of 115 percent. The report also asserts that the email antiphishing and antifraud solutions market will more than quadruple, from $202 million in 2004 to more than $880 million by 2008. "The majority of email antiphishing and antifraud solutions are deployed as plug-in modules to existing antispam, antivirus, or email security solutions, integrated into email applications, Web browsers, or are offered as a managed service," says Janice Yee, Radicati Group market analyst and author of the study. Phishing is "still in its infancy," Yee says, but, according to Jonathan Penn, principal analyst for identity and security at Forrester Research, "as it grows it affects more and more [consumers] by eroding their confidence in both e-commerce transactions as well as the companies...they buy from and serve as custodians of their data." To combat phishing Yee recommends that organizations monitor domain name registrations, give customers written instructions for accessing specific pages instead of sending emails with links, and institute policies to let customers know what kind of email messages they can expect from the company. Companies should remind their customers to check for illegitimate URLs, be suspicious of emails requiring the disclosure of confidential information, stay away from emails with urgent requests to act immediately, and to check all online accounts for any unusual activity on a regular basis. Penn recommends that companies first establish a level of consistency, what he refers to as their online personae, which will make a phisher's job tougher. "They also need to have a policy to never ask for account information in an email, or even in a phone call, without [providing] a way for the customer to validate the requesting party." Penn also suggests that financial services firms and ISPs pursue several technical defenses, including providing alert services that comb the Web in search of any evidence of a possible attack and using Web-validation methods like plug-ins. Also, companies should implement customer-authentication and email-validation technologies that provide a way for receiving ISPs to verify the sender, such as an authentication framework. "This is already being supported by some of the big ISPs like AOL," Penn says. "Later on, they'll have to move on to the new standard, called SenderID, but such a move is easy." The SenderID specification will validate each email based on the sender's server IP address. Michael Higgins, managing director of TekSecure Labs, believes that secure ISPs--those that filter these types of attacks (even if it is only a percentage of all the attacks)--will "increase in coming years and [will] pressure the larger players to address it on their networks." He also says that while banks generally reimburse customers for losses in fraud and bear the brunt of the scams, consumers must also be more responsible. "The current method of 'making the customer whole after a loss' to hold the consumers trust will only last for so long before the cost of the losses exceeds the convenience to the customer," Higgins says. The Radicati Group is not the only entity fighting the phishing battle. The Trusted Electronic Communications Forum and the Anti-Phishing Working Group are also key players in the antiphishing movement, with the latter reporting 1,197 unique phishing attacks in May 2004. Yee is confident that an increase in consumer education will prevent email phishing from flying off the hook: "Coupled with end-user education, technologies that protect users from phishing attacks and the implementation of strict standards, regulations, and enforcements will eventually deter phishers from this method of online abuse."