Phishing for victims in choppy waters

In many of life’s endeavours, times and technology dictate the techniques employed. Robbing banks in the 1930s needed a tommy gun and a waiting car.

Since ATMs were introduced in the 1980s, bulldozers have proved handy, if cumbersome, for making very large withdrawals.

Since the turn of the century, the growing number of people banking online offers criminals a new target to rob: not the banks themselves, but their more vulnerable customers. All it takes is a PC and an internet connection.

The scam works like this: criminals design an email that appears to come from a real bank and they send thousands of messages to potential customers, with what seems to be a legitimate request for their bank login codes.

The e-mail may also include a link to what looks like the bank’s genuine website, but is in fact an elaborate fake. Anyone replying to the e-mail or clicking on the link has basically allowed criminals to steal their money.

Phishing, as this type of fraud is known, is a worldwide phenomenon and Ireland hasn’t escaped, despite being a relatively small market. About two thirds of Irish adults are registered to bank online.

The two biggest banks here, AIB and Bank of Ireland, between them have more than a million registered internet banking customers.

By now, most of the major banks in the state have been targeted by phishing, including Ulster Bank, Permanent TSB, Bank of Ireland and AIB, as have credit card providers operating here.

In the past two years alone, there has been a reported 150 per cent increase in phishing attacks here and some bank customers had their accounts emptied. In 2007, Irish banks incurred phishing related losses of about €400,000, according to the Irish Payment Services Organisation (IPSO). In 2008, there were more reported cases but the money stolen had fallen to €220,000.

“In 2009, we have seen an increase in cases again, with close to 60 reported cases in the first quarter of 2009 compared with 20 in the same period last year,” said Una Dillon, IPSO’s head of card services and communications. Phishers made off with close to €130,000 in the first three months of this year alone, she said.

Although phishing is relatively new, fraudsters are constantly changing their tactics to improve their chances of success. Some experts believe criminals could be deliberately aiming to steal lower amounts of money from a wider range of people, in order to arouse less suspicion. They are also using new and more sophisticated ways to trick people into handing over their login details. Security experts call this practice ‘social engineering’; regular people call it a con.

“Phishing is a confidence business,” said Michael Conway, managing director of the IT security company Renaissance. “Once the frauds lull people into a false sense of security, then people are susceptible to being tricked. Even though they might be mature computer users, people will still get ‘done’ every now and then.”

That’s exactly what happened to telecoms entrepreneur Pat Phelan who, this summer, was almost taken in by a scam e-mail apparently sent by PayPal.

The message seemed legitimate for two reasons: it’s one of the payment methods he regularly uses for his Max Roam Sim card business, and it was sent to a work e-mail address that he didn’t circulate widely.

“It was absolutely perfect,” Phelan said. “They said ‘we have paid back a PayPal user €1,000 from your account, can you confirm please’, so my first reaction was to click on it. Then I thought ‘hang on’, checked the source and it wasn’t PayPal.”

When phishing e-mails began circulating widely five years ago, they were relatively easy to spot. The source e-mail addresses were clearly wrong, the logos were often incorrect or out of date, and the grammar was poor. That didn’t stop some people being taken in, but as awareness has increased, the fraudsters have spent more time refining the e-mails to look more genuine.

Those early phishing attempts normally came straight out and asked the recipient for their bank pass codes. The latest scams are more subtle, but potentially as effective.

“You’re so panicked over your money being removed that you react,” said Phelan. “They’re definitely getting much better. I saw another e-mail from AIB a few weeks earlier and it was very professional. The graphics were very good and the language was spot on.

“Years ago, phishing emails were obviously written by people whose first language wasn’t English. Now they’re actually modelling themselves on genuine sites.”

Phishers’ perennial problem is that they don’t have e-mail addresses for specific bank customers, so they have to launch their attacks indiscriminately and hope that some fraction of their e-mail address list corresponds to account holders of the bank they’re targeting.

Last March, one gang hit on the idea of broadening the attack to every taxpayer in the state as an ingenious way of widening the pool to phish in. A spoof e-mail supposedly sent from the Revenue Commissioners asked people for credit and debit card numbers, as well as dates of birth and other information, in exchange for a nonexistent ‘refund’.

Customers shouldn’t be worried if they happen to receive an e-mail from the bank they do business with – it’s pure coincidence and doesn’t mean the bank’s systems have been compromised, according to Dermot Nolan, head of payments strategy, planning and delivery with Bank of Ireland.

“E-mail addresses can be obtained from publicly available sources or through randomly generated lists,” he said. “Therefore, if a customer receives a fake e-mail that appears to be from Bank of Ireland, this does not mean that the e-mail address, name, or any other information has been gathered from Bank of Ireland’s systems.”

Urban Schrott, resident cyber crime analyst with Eset Ireland, said: “It’s very easy to fake an e-mail. The sender can be located just about anywhere in the world and the e-mail will appear to come from aib.ie or whoever.”

As well as trying new social engineering tricks, fraudsters had also improved the technical aspect of their scams, said John Power, solution strategist at CA, who researches cyber crime. “The attackers have migrated from hijacked websites. Up to a year or 18 months ago, phishers used their own websites and, when they were discovered, banks worked with ISPs to shut down those sites,” he said.

The fake banking sites would be put out of action within three to five days, and the fraudsters would have to configure it all again, sending out different e-mails with links to the new site. Power said many gangs were hacking into legitimate business websites and using them to hide behind.

Since the attack is traced to a real business, the targeted bank has a harder time convincing the ISP in that country to block access to that site.

“It means the phishing site stays up longer, which gives a bigger window of opportunity to the fraudster, to do more damage and it’s much more difficult to close down,” said Power.

A report by the Anti-Phishing Working Group (APWG) in the US found that up to 81 per cent of phishing scams originate from such compromised websites or hacked domains. Not only do phishers get their hosting for free, the APWG said, but they can also operate under the radar very effectively. “Phishing on a compromised website typically takes place on a sub domain or in a subdirectory, where the phish is not easily noticed by the site’s operator or visitors,” said the report.
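The two tells described above, a From: address that does not match where the mail actually came from, and a link whose visible text is a bank URL while its target is a subdirectory on some unrelated compromised host, can both be checked mechanically. The following is an added example, not code from the article or from any bank; the sample message, the hosts and the bank domain passed in are constructed for illustration.

```python
"""Triage an e-mail for the two phishing tells discussed above.

Added example, not code from the article. The message below is constructed."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the From: header names the bank,
# the envelope sender (Return-Path) does not, and the only link shows a bank URL
# as its text while pointing at a subdirectory on an unrelated host, the
# compromised-site hosting pattern the APWG report describes.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-blast.example.net>
From: "AIB Internet Banking" <security@aib.ie>
To: customer@example.ie
Subject: Action required: confirm your code card
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://hardware-shop.example.com/images/aib/login.html">https://www.aib.ie/login</a>
before your account is suspended.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(address_header: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = email.utils.parseaddr(address_header)
    return addr.rpartition("@")[2].lower()


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example' text is treated as a URL too."""
    if "://" not in url:
        if not url.lower().startswith("www."):
            return ""
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or one of its subdomains."""
    return host == expected_domain or host.endswith("." + expected_domain)


def analyse(raw_message: str, expected_domain: str) -> dict:
    """Return the sender domains, the links found and a list of warnings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(str(msg["From"] or ""))
    return_path_domain = domain_of(str(msg["Return-Path"] or ""))
    warnings = []

    if not same_site(from_domain, expected_domain):
        warnings.append(f"From: domain {from_domain!r} is not {expected_domain!r}")
    if return_path_domain and return_path_domain != from_domain:
        warnings.append(f"envelope sender {return_path_domain!r} does not match "
                        f"From: domain {from_domain!r}")

    links = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        links = collector.links

    for text, href in links:
        target = host_of(href)
        shown = host_of(text)
        if not same_site(target, expected_domain):
            warnings.append(f"link target {target!r} is off {expected_domain!r} "
                            f"(path {urlparse(href).path!r})")
        if shown and shown != target:
            warnings.append(f"link text shows {shown!r} but points at {target!r}")

    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "links": links, "warnings": warnings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL, "aib.ie")["warnings"]:
        print("WARNING:", line)
```

Two caveats for anyone reusing this. The Return-Path is written by the receiving mail server from the SMTP envelope and can be forged just as easily as From:, so a mismatch is a tell, not proof, and agreement is not proof of legitimacy; the authoritative checks (SPF, DKIM) belong on the receiving server. And a link that does point at the bank’s own domain still deserves a look at the path, since the same subdirectory trick the APWG describes works on any site the phisher has broken into.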

Another tool in the phisher’s armoury is the ‘Trojan Horse’, a piece of software created to give a hacker access to a victim’s PC.

“We’re seeing some activity, though not a lot, with Trojans,” said Sean Jevens, head of e-channel development with AIB.

“Some people’s PCs are infected with those and they pop up a window during an online banking session asking for an extra detail like a code from the code card.”

Those code cards were introduced by many banks as a direct response to phishing. Without the extra code, which only the account holder possesses, phishers may be able to log in to a victim’s account, but have no means of transferring money out of it to another account. Bank of Ireland introduced a similar scheme and claims no customers have lost money this way.

Jevens said the fact that some phishing scams asked account holders to give all the codes on their code card showed the criminals were studying Irish banks closely.

“In any business, you have to know your market,” he said. “The fraudsters know that to have real power over a customer’s account they must have the code card.” With attacks becoming more sophisticated, bank security was constantly under review, Jevens said. Potential options could include sending a one-time pass code by text message to the real account holder’s mobile.

There have been efforts to introduce password generating tokens before, but some of the banks have rejected this after trials because it was too confusing for users.

Fortunately, most of the major banks say consumer awareness of phishing is better than it used to be, and people are more likely to report suspicious emails. All bank log-in pages have prominent notices warning people about the risks of phishing scams, giving contact numbers and e-mail addresses to report any suspicious e-mails.

Whether most average users pay any notice is less clear. AIB recently commissioned a usability test for its site, which uses heat maps to show where people look on the page.

It found that a huge proportion ignored the phishing notice and concentrated only on where to type their passwords. This was despite the very large warning, which takes up more space on the page than the login section itself.

Then there’s the small matter of liability: banks are understandably wary of making blanket guarantees for refunds in phishing cases. If that became standard policy, it would effectively be a ‘get out of debt free’ card and people may think they can click on e-mails whether they suspect foul play or not, because they know they won’t be personally out of pocket.

Accordingly, Bank of Ireland takes a tough public stance on the issue. “The bank’s policy is that it does not refund customers that are the victims of phishing attacks,” said Nolan. “Personal log-in information is the responsibility of the customer, to whom the personal information was issued and it is vital to the integrity of the system and the security of the individual’s account that this remains so at all times.”

IPSO told a different story, saying that Irish banks have – so far – absorbed all losses incurred through phishing. Jevens rejected the suggestion that the credit crunch would affect banks’ attitude to phishing.

“We certainly don’t judge cases any differently than we did last year, and most of the people this happens to are just shell shocked,” he said. “The key for us is, we want to understand how this happened so we can protect our customers in the future.”

But with at least one large British bank insisting the customer is liable, it may be only a matter of time before one or more institutions here decide to follow a similar path.

Gambling the contents of your account – especially in a recession – would be unwise at best and potentially very costly at worst, long after the initial upset and shock have passed. The moral of the story, said Schrott, was that people needed to be more responsible when giving out their information.

“You wouldn’t be as irresponsible with your wallet and you normally don’t have any more than €50 in that,” he said.

Conway said: “If you get an unsolicited e-mail like that, forget it. Your bank doesn’t send e-mails; that’s not the way they operate. If it looks too good to be true, then it probably is.”

This entry was posted on Monday, September 28th, 2009 at 20:23 and is filed under News.
