Although your Web site may be ultra-secure to protect your customers' credit card data and other personal financial information, your biggest threat can come from a criminal who won't even try to hack your database.

He doesn't have to. He can just get your customers to hand over that information by impersonating your brand in bogus emails. (Link to samples below.)

The scam is called "phishing," and it's the fastest-growing type of Internet fraud. This February a reported 282 phishing campaigns were sent to millions of consumers -- a 50% increase from January. And, judging by our in-boxes, the trend's continuing to grow.

Major online brands such as eBay (the No. 1 target), AOL and EarthLink, along with financial institutions and government agencies are the main targets; but, the scam can also affect any household-name brand that stores personal information for a subscriber, client or customer base on its Web site.

How to keep your customers and your brand as safe as possible?

Develop a rapid-response, multi-channel strategy to minimize the damage, both to your customers and to your own brand. (Keep reading to see what eBay does to help users thwart identity-theft attempts.)

You don't have to wait for an anonymous scammer living halfway around the world to find you, either. A disgruntled employee with access to a recent subscriber or customer list can do as much damage -- maybe more.

The more your customers love and trust you, the more likely they might believe an official-looking email asking them to re-enter or verify credit-card and bank accounts, passwords, even Social Security numbers at a Web site that looks a lot like yours.

The good news is that a whole anti-phishing movement has sprung up since the first scams surfaced in early 2003. ISPs, Internet companies and the U.S. government are mobilizing an all-out attack on several fronts, including education, technology and shared information.

Advanced email technology that verifies a sender's identity will probably be the only reliable way to thwart phishing. Until it becomes an industry standard, education and awareness are your best weapons.

Baiting the Hook

Phishers get their victim lists the way spammers do: buying, harvesting or stealing millions of email addresses. Somewhere in those millions are lots of people who pay AOL or EarthLink to host their Internet access, buy and sell on eBay, or have a Fleet or Citibank credit card.

Then, they get a domain name that's one or two characters off from a legitimate one. They lift logos and create a Web site that looks just like the real one, and send out authentic-looking emails, in text or HTML, warning users to verify information or risk losing a service.

Early sites and emails were pretty crude renditions. Today, many are almost undetectable. Typos can still give it away; one recent email's subject line said, "Citibiank ONLINE Veerification."

As with spamming, just a few responses can give a phisher all the information he needs to deplete bank accounts and ruin credit and lives.

Are You Getting Phished?

Most companies find out when a customer or subscriber calls about a suspicious email or if one goes to special email addresses set up to catch spam and viruses.

If it happens to you -- better yet, before it happens -- you must act fast. Post a message on your Web site, contact the ISPs involved and federal law enforcement (number below) and alert all customer-contact people.

What you shouldn't do: Send out an email message to your house list warning people not to respond to emails asking for sensitive personal information.

"Unless an email is digitally signed, your customers have no way of knowing that the email message was not spoofed or forged," said Dan Maier of the Anti-Phishing Work Group, an industry group working to educate email users on phishing scams and to develop effective countermeasures.

eBay's Answer: Education, Technology

The Internet's top auction site is a juicy phishing target, attracting 104 of the 282 attacks reported in February 2004.

It also has developed one of the most comprehensive defenses against phishing (or "spoofing," another term for the scam and the one eBay uses), using both real-world and online channels to warn and educate users ("community members"), working with law enforcement to catch scammers and making it easy to report suspected spoof emails.

When a community member reports a spoof, the company investigates it, works with the corresponding ISP to get the site shut down, and adds the site to an internal blacklist. It also has worked with federal law enforcement, most recently in a Secret Service case involving Romanian spammers.

Last fall, the company opened a comprehensive online security center, which includes a tutorial on spotting and reporting suspect email and Web sites.

It also recently launched its new eBay Toolbar (PC only), which flashes red when a user wanders onto a blacklisted Web site and prompts a pop-up box if the user is about to enter an eBay password on a non-eBay site.

In-person "eBay University" seminars also include anti-spoofing information.

"We see more and more people sending in emails that are spoofs, which is a good sign," eBay representative Hani Durzy said. "We're seeing more discussion on our chat boards, where members will educate each other. They'll post copies of emails and ask if they're legitimate. There's a real sense of community vigilance."

Five Steps to Fight Back

Set up a pre-emptive strike force with at least one rep from IT, corporate communications, Web site design, customer service, and the email team. You'll need to develop a policy or procedures for tracking and dealing with spoofs or phishing attacks, before your need it.

This list of tactics is based on what other companies have used to battle phishing attacks:

1. Post a prominent notice at your Web site, warning recipients not to respond to suspicious emails or click on links. Some sites use pop-up boxes with a warning, a link to a reporting site and instructions.

2. Set up a dedicated, easy-to-remember email address where recipients can sent suspect emails. Include that address on billing statements or other paper communications so that customers can trust it comes from you and not a scammer. Tell people how to report emails with full Internet headers so that you can trace the email as closely as possible, even though some of the information probably is forged.

3. Notify your IT staff to begin the investigation, and alert your email broadcast vendor, the sending ISP and the site host, to try to get the scammer's site shut down.

4. Train all call-center and customer-contact people in what to tell callers who report suspect email and how to pass it on for investigation. Or, designate one or two people in your organization to handle all calls and media questions.

5. In the United States, report the scam to the Internet Fraud Complaint Center (link to site below). This is a joint agency of the Federal Bureau of Investigation and the National White Collar Crime Center, or report it online.

Useful links related to this article:

1. Samples of a phishing email to defraud FleetBank customers, sent March 30th, plus Fleet's excellent on-site warnings to customers:
http://www.marketingsherpa.com/fleet/ad.html

2. eBay's Security Center spoof tutorial:
http://pages.ebay.com/education/spooftutorial/

3. Anti-Phishing Working Group (free basic membership; participation membership starts at $250). Whitepapers, reports, latest news, statistics:
http://www.antiphishing.org/

4. Internet Fraud Complaint Center
http://www1.ifccfbi.gov/index.asp


~~~~~~~~~~~