First Author's Name: N. P. Singh, PhD
First Author's Title/Affiliation: Professor, Management Development Institute, Gurgaon, India
Postal Address: Mehrauli Road, Sukhrali, Gurgaon -122001, India
Author's Personal/Organizational Website: www.mdi.ac.in
Email: knpsingh(at) mdi.ac.in.
Brief Biographic Description: Dr. N.P. Singh is a Professor of Information Technology Management at Management Development Institute, Gurgaon, India. His current research interests are business intelligence, data warehousing, data mining, enterprise systems, and the application of information systems in banking and e-commerce. He has published more than sixty research papers in prestigious journals. He works on consulting assignments relating to the evaluation of MIS projects, e-governance projects, corporate strategy, etc.
Published in the Journal of Internet Banking and Commerce.
Hi-tech fraudsters have developed new ways of tricking online banking customers. One of the best known and fastest growing techniques is phishing. The latest development in phishing is the use of Trojan horse programs. A Trojan horse program insinuates itself into a user's computer via an e-mail and directs the user to a website that looks exactly like the financial institution's website. Crooks pick up passwords and account numbers as soon as the customer logs on to such a site. As is evident from table 1, phishing causes the greatest losses to customers and institutions in comparison with other similar techniques. Keeping in view the serious threat of phishing attacks, the author analyses the trends in major phishing activity across the globe, specifically in the banking sector. In addition, the author analyses the reasons for the increase in phishing activity, the types of phishing techniques, and the phishing process. Further, the author presents recent cases of phishing specifically in the banking/financial sector. Towards the end, the author examines the measures to combat phishing in online banking.
Online frauds, phishing techniques, anti-phishing tools, dual-factor authentication
Online banking is designed mainly to achieve two objectives: first, increased convenience for the consumer, and second, reduced cost of operations for the banks. Numerous features serve the first objective: lower fees for going online, higher interest rates, online viewing of account details and statement information, bill payment, transfers between accounts, scheduling of automatic periodic payments such as rent or loan instalments, applying for accounts or loans, and managing loyalty points. In the process banks are able to reduce their cost of operations to some extent. But the steep rise in online banking crime has undermined this success, and some bank customers want to return to the tedious bank queue for the sake of secure transactions. Opponents of online banking say that it involves heavy risk for consumers (86% of all attacks are directed at home users against 14% at financial houses, Zvomuya (2007)) and that the industry has rushed to get online without adequately confronting the issues that could compromise its integrity.
The common online banking frauds are (i) hoax e-mails (a hoax [1] is an attempt to trick an audience into believing that something false is real), (ii) computer viruses (a computer virus is a program that can copy itself and infect a computer without the permission or knowledge of the user), (iii) spyware [2] (software installed surreptitiously on the user's computer to intercept or take partial control of the user's interaction with it, without the user's informed consent), (iv) e-mail employment scams / Internet job scams (scammers lure people to websites such as a social security statement website [3] in order to steal information such as the social security number), (v) identity theft (identity theft [4] is a crime in which an impostor obtains key pieces of personal information, such as social security or driver's licence numbers, in order to impersonate someone else), (vi) phishing (explained in the next sections), (vii) vishing (a variant of phishing), and (viii) eavesdropping [5] (unauthorized, real-time interception of communications) when using a wireless connection.
In the recent past, according to the UK payments association APACS [6], the huge rise in online banking fraud coincided with an upsurge in the number of phishing scams being run on the web and demonstrates the importance of educating bank customers about this type of crime. A similar concern was raised by the Financial Services Authority (FSA), the UK regulator. The FSA recorded an 8,000% increase in online banking frauds and identified phishing as the major instrument (OUTLAW News (2006)). Jaques (2006) reported that a quarter of Britons have disclosed their PIN to someone else, exposing themselves to the risk of fraud. Another fact revealed by users is that they use the same PIN for all of their, on average, four cards. Young (2006) mentioned that online bank fraud losses rose by 55 per cent, from £14.5m in the first six months of 2005 to £22.5m in the same period of 2006, according to an APACS release, with phishing scams the major contributor. Miller (2007) identified the trends of phishing in 2006 and pointed out six innovations: (i) plug-and-play phishing networks (phishers perfected techniques to rapidly deploy entire networks of phishing sites on cracked web servers; the software used is known as Rockphish and R11), (ii) phlashing (Flash-based phishing sites; attackers have begun using Flash animation to create spoof sites as a strategy to defeat automated anti-phishing services), (iii) two-factor authentication (phishers are able to defeat two-factor authentication using a man-in-the-middle attack), (iv) hacked bank sites (several attacks in 2006 saw phishers break into bank web servers and use them in attacks), (v) continued XSS vulnerabilities (exploiting cross-site scripting (XSS) vulnerabilities in financial institutions' websites), and (vi) MySpace phishing (targeting social networks). With the growth of phishing, customers are realizing that online transactions, in particular e-commerce transactions, are not safe.
Phishing is becoming so widespread that its variations are taking on cute names. In the initial years it was limited to the largest banks, but a new twist, called 'puddle phishing', has the fraudsters going after the customers of regional banks or credit unions. Phishing that targets small groups or individual companies is known as 'spear phishing'. In addition, vishing, pharming and man-in-the-middle attacks, all variants of phishing, are also becoming common experiences for victims.
This article is an attempt to analyse various facets of phishing with the help of secondary data available on the internet and in the literature. Various views of phishing are explained through the definitions presented in the next section. The four major phishing techniques are briefed in section 3. The main reasons for the increase in phishing activity are detailed in section 4. Recent statistics and cases of phishing in general, and of phishing for banking fraud in particular, are detailed in section 5. A short historical analysis of Indian financial institutions is detailed in section 6. Towards the end, section 7 includes the various measures to combat phishing in online banking, followed by concluding remarks. The article is based on secondary data mainly collected from the internet or from published reports. The conclusions are the result of qualitative analysis in terms of new developments in the phishing domain and counter-measures by the victims.
The word is derived from fishing. Phishing (also called brand spoofing) is a term used for a sort of fraud in which phishers send spoof e-mail to a random list of addresses to fool the recipients into divulging personal information, such as credit card details, usernames and passwords, that can be used for identity theft. Phishing is one of the best known and fastest growing scams on the Internet today. The typical phishing scam involves an e-mail that appears to come from a reputable and known service institution or company. The e-mail appears to be legitimate and genuine. The message generally indicates that, owing to problems at the institution (a bank in this case) such as a database update, a server problem, or security/identity theft concerns, the recipient is required to update personal data such as passwords, bank account information, driver's licence numbers, social security numbers, Personal Identification Numbers (PINs), and so forth. The e-mails warn users that failure to provide the updated information immediately will result in suspension or termination of the account. Some explanations of the word, in the form of definitions, are listed in the following:
Definition 1 [7]: In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets.
Definition 2 [8]: The act of sending an e-mail to a user falsely claiming to be an established, legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
Definition 3 [9]: Phishing means sending an e-mail that falsely claims to be from a particular enterprise (like your bank) and asking for sensitive financial information.
Definition 4 [10]: Phishing is a type of fraud that is designed to trick individuals into disclosing confidential and financial information for the purpose of identity theft.
Another variant of phishing is vishing (voice phishing). It is the practice of sending fraudulent e-mail to consumers that appears to come from a local bank, credit union or other financial website and contains what appears to be a local phone number. The fraudulent e-mail informs the consumer of some type of problem with their account and instructs them to dial the number. Consumers who are used to calling automated tellers are tricked into using their phone keypad to key vital account numbers, PINs and other financial information into overseas computers (Baker (2007)).
There are mainly three techniques of phishing, as mentioned by ITU (2005). One more technique is reported by Chawki (2006). These techniques are briefed in the following:
i. Dragnet method: This method involves the use of spammed e-mails bearing falsified corporate identification (e.g., trademarks, logos and corporate names), addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site), that direct them to websites or pop-up windows with similarly falsified identification in order to trigger an immediate response.
ii. Rod-and-reel method: This method targets prospective victims with whom initial contact has already been made. Specific prospective victims, so identified, are sent false information to prompt their disclosure of personal and financial data.
iii. Lobsterpot method: This consists of the creation of websites similar to legitimate corporate websites, aimed at a narrowly defined class of victims. A smaller class of prospective victims is identified in advance, but there is no triggering of a victim response. It is enough that the victims mistake the spoofed website for a legitimate and trustworthy site and provide personal data.
iv. Gillnet phishing: In gillnet phishing, phishers introduce malicious code into e-mails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site's pop-up window. Merely by opening a particular e-mail, or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code changes settings in the user's system so that users who want to visit legitimate banking websites are redirected to a look-alike phishing site. In other cases, the malicious code records the user's keystrokes and passwords when they visit legitimate banking sites, then transmits those data to phishers for later illegal access to the users' financial accounts.
i. Tools such as the "Universal man-in-the-middle phishing kit", which automatically creates sophisticated phishing sites, are available on underground online marketplaces for about $1,000 (Evers (2007) and Dunn (2007)).
ii. Availability of key-logging software that can surreptitiously record keystrokes and collect computer usernames and passwords (News (2003)).
iii. Customers are lured by fictitious rewards for participating in bogus surveys and hand over sensitive account information to phishers (Leyden (2006) and Miller (2006)).
iv. Some organizations employ lax password requirements. For example, eBay allowed combinations such as a user ID of james34231 and a password of james34. Similar combinations are also allowed by Google Mail (Goodin (2007)).
v. Another reason for the increase in phishing is the very high return on investment. According to Lohman (2006), "The return on investment in phishing is phenomenal." "It costs about $160 to set up a phishing scam to send 10,000,000 emails a month. Even if only 0.001 percent of the emailed people respond, it nets about $125,000."
Globally, about 30,000 phishing attacks are reported each month, of which over 80% are directed at financial institutions. The statistics presented in table 5 are ample proof of the sharp increase in phishing activity. Phishing attackers have targeted financial entities such as Citibank, Wells Fargo, Halifax Bank, eBay and Yahoo, as reported by Secure Science Corporation (2003). The details of the top 10 brands affected by phishing, presented in table 8, indicate that eBay and PayPal have been the phishers' favourites during the last five years. According to assureconsulting.com [11], phishing is one of the complex and converging security threats facing businesses. The methods used by spammers have become more sophisticated, and spam is now increasingly combined with malware and used as a tool for online fraud or theft, or to propagate malicious code. Assureconsulting.com reported a set of three examples of phishing used for financial fraud against financial entities, internet service providers and retailers such as Citibank, U.S. Bank, PayPal, Visa, AOL, Nationwide, Chase, MSN and Yahoo. McAfee [12] says that phishing schemes and identity theft will continue to be a problem for the consumer community until further education and widespread acceptance of proactive protection occur. According to Thomas (2006), a survey by RSA Security reveals that 62 per cent of all phishing scams were aimed at US banks and credit unions, while the number of identity fraud attacks against European and other financial institutions dropped. Table 1 gives a brief description of a few phishing cases reported in the literature with respect to financial institutions, along with general statistics of phishing. These cases include only those in which the amount stolen by phishers is mentioned.
As mentioned earlier, phishing is not confined to banking institutions but also targets other organizations involved in e-commerce, mobile commerce and money transfer activities. A few popular cases are described in table 2.
In India there have been several cases of attacks [35] on genuine websites. Financial institutions, particularly private banks, are the main targets of phishers. The major incidents reported concern ICICI, HDFC, UTI and State Bank of India. Many elderly customers who have just begun using the online facilities of financial institutions are falling prey to phishers. The messages sent to customers are similar to the one described in the following, which was sent to ICICI customers.
“The mail reads that ICICI Bank is upgrading to a new SSL server to insulate customers against online identity theft and other criminal activities. Users are told to confirm their personal banking information by following the link given in the mail. It also warns that if the user does not complete the form, the online bank account will be suspended until further notification [36].”
As mentioned at the beginning, phishing incidents are increasing around the world in every respect, be it the number of phishing e-mails reported, the number of phishing hosting sites, or the amount lost in phishing attacks. An analysis of these parameters of phishing with respect to India is presented in the following. These facts cover the years 2005 to 2007.
It is evident from the data presented in tables 3 and 4 that India figured six times (months) among the top 10 phishing hosting countries in the 25 months from January 2005 to January 2007. However, its percentage contribution is not very high in comparison with the leaders in this domain, the USA and China. In addition, specific research is available with respect to phishing attacks on Indian financial institutions. Kaur (2005) pointed out that over 1,000 cases of phishing were reported in the three months from December 2004 to March 2005, in spite of RBI guidelines on Internet banking, which enforce the adoption of internationally accepted state-of-the-art minimum technology standards for access control, encryption/decryption (minimum key length), firewalls, verification of digital signatures, and Public Key Infrastructure (PKI). Banks have invested heavily in the security domain. According to the 2005 DQ-IDC Mega Spenders survey, Punjab National Bank topped the investment list. Its web servers are provided with digital certificates and are SSL enabled. Customers are forced to change their passwords at periodic intervals, and a virtual keyboard feature has been provided for Internet banking login, whereby the customer uses mouse clicks instead of typing on the keyboard. This minimizes the risk from keystroke loggers, though not from a spoofed site to which the customer willingly submits the password, and many phishing incidents are still reported. '2005 India Web@work', a survey conducted by Websense Inc., revealed that 32% of employees in India admitted to having given out confidential data such as credit card numbers and corporate network passwords as a result of phishing attacks, and 62% of IT managers believe that a security breach would put their jobs at risk (Corporate Bureau (2005)).
Banking sources indicate that besides SBI, three other international banks informed the Computer Emergency Response Team-India (CERT-In) about phishing attempts during 2006. CERT-In reported that phishing incidents in 2006 were 180 per cent higher than in 2005, and that the trend has carried through into 2007 (Gold (2007)); it also reports that 335 sites were targeted in 2006, and incidentally 256 of these 335 were from the e-commerce segment (Cherian (2007)). Interestingly, CERT-In said it recorded more consistent phishing incidents in the second half of 2006. The agency said there were close to 30 incidents recorded every month between July and October 2006, 62 per cent of which involved phishing (against 25 per cent in 2005) and 32 per cent of which involved network scanning (against 30 per cent in 2005).
Kumar (2006) pointed out that it had been six months since the phishing attack on ICICI Bank customers became public, and during that period two more such attacks were reported on customers of financial institutions in India, one on UTI Bank and the other on State Bank of India. He mentioned that, considering that phishing was pretty much unheard of in India a year earlier, this frequency is something to be concerned about. Paul (2006) reported that in addition to ICICI, UTI and SBI, other financial organizations such as IDBI, ICICI Bank Home Loans, HSBC, Standard Chartered, ABN personal loans, Bank of India and Kotak Mahindra also have phishing sites impersonating them.
According to statistics presented by Espiner (2007), phishing attacks outnumbered e-mails infected with viruses and Trojan horse programs during January 2007. A survey [37] conducted between January and March 2007 by Websense, Inc., reveals that 57% of Indian enterprises received phishing lures during the preceding year and over a third of Indian companies (38%) were attacked by spyware. This is based on a sample of 450 Indian CIOs. Ghosh (2007) mentioned that more than 74% of IT managers across India report that their employees have received phishing attacks via e-mail and about 52% say that their PCs have been infected as a result of phishing. RSA Consumer Solutions reported that globally, phishing attacks have grown by 41% in the past 12 months and that phishers can convince up to 5% of recipients to respond. A few cases of phishing at the three major banks of India (State Bank of India (SBI), ICICI and Unit Trust of India (UTI Bank)) are given in table 3.
There are many methods to combat bank fraud in general and phishing in particular. In India, alert and conscious customers can avoid phishing attacks. Most financial institutions educate their customers on a regular basis about phishing websites. In addition to these educational e-mails from the institutions, the following three categories of measures can reduce phishing fraud. Category I includes measures for customers, category II the induction of new technology, and category III measures on the part of the institutions.
i. Never share your password (or other security-related information) under any circumstances. (Standard Bank, Zvomuya (2007))
ii. Never click on a link in an e-mail purportedly from a bank advising you to install updated antivirus software that can be downloaded from the bank's website. (Standard Bank, Zvomuya (2007))
iii. Check the bank's notification system on a regular basis so that you can see the activity on your account. (Standard Bank, Zvomuya (2007))
iv. Whenever you want to visit the bank's website, type the full URL or web address yourself. This avoids logging on to spoof sites such as http://www.citbank.com in place of http://www.citibank.com, or www.idbiibank.com in place of www.idbibank.com. (Standard Bank, Zvomuya (2007))
v. It is not safe to do Internet banking over wireless Internet connections or at an Internet café (Standard Bank, Zvomuya (2007)). It should be avoided outright.
vi. Continuously read your bank's postings of security updates, for example the Zion Bank postings [46].
vii. Never access online banking via a link [47]; rather, type the address directly into the browser address bar.
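Items iv and vii can be applied mechanically as well as by habit. As an added example (not part of the article, and not any bank's code), the Python below classifies the host of a URL as trusted, lookalike or unknown before a browser, mail gateway or bank link-scanner follows it. The trusted list, the homoglyph table, the 0.8 similarity threshold and the crude "last two labels" domain rule are assumptions chosen for the demonstration; citibank.com and idbibank.com are the domains the text names. It goes a little beyond the two spoofs in the text by also catching digit-for-letter swaps and a trusted brand buried inside an unrelated domain.

```python
"""Lookalike-domain check. Added example, stdlib only; constructed allow-list."""
import difflib
from urllib.parse import urlsplit

# Assumed allow-list for the demo; a bank would publish its own.
TRUSTED_HOSTS = {"citibank.com", "www.citibank.com", "idbibank.com", "www.idbibank.com"}

# Digit/letter swaps commonly used in typosquats (assumed table; extend as needed).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable(host: str) -> str:
    """Last two labels of the host ('www.citibank.com' -> 'citibank.com').
    Good enough here; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(s: str) -> str:
    """Fold homoglyphs and hyphens so 'c1ti-bank.com' compares as 'cltibank.com'."""
    return s.lower().translate(_HOMOGLYPHS).replace("-", "")


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical after normalization."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify(url: str, threshold: float = 0.8):
    """Return (verdict, trusted_domain) where verdict is 'trusted', 'lookalike' or 'unknown'.

    Bare hostnames without a scheme are accepted, as a customer would type them.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    trusted_regs = {registrable(h) for h in TRUSTED_HOSTS}
    reg = registrable(host)

    # Exact match on the host or its registrable domain: legitimate subdomains pass.
    if host in TRUSTED_HOSTS or reg in trusted_regs:
        return "trusted", reg

    # 1) Typo or homoglyph squat: registrable domain nearly equal to a trusted one
    #    (citbank.com, idbiibank.com, c1tibank.com).
    best = max(trusted_regs, key=lambda t: similarity(reg, t))
    if similarity(reg, best) >= threshold:
        return "lookalike", best

    # 2) Trusted brand buried in a longer, unrelated host
    #    (citibank-secure-login.example.net, www.citibank.com.evil.example).
    host_norm = normalize(host)
    for t in sorted(trusted_regs):
        if t.split(".")[0] in host_norm:
            return "lookalike", t

    return "unknown", None


if __name__ == "__main__":
    for u in ("https://www.citibank.com/login", "http://www.citbank.com",
              "www.idbiibank.com", "http://citibank-secure-login.example.net",
              "http://example.org"):
        print(u, "->", classify(u))
```

A verdict of "unknown" is not a pass: the customer still has to recognise the site, and the check says nothing about a legitimate domain that has been hacked (Miller's item iv). Its value is in turning the two spoof patterns the text describes into something a gateway can block automatically.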
i. Use browsers such as Firefox 2, Opera and Internet Explorer 7 (all latest versions), which include phishing shields (Kurup (2007)) and have better anti-fraud features than others (Matthew (2006)).
ii. Banks must implement anti-phishing programmes as implemented by HSBC in Hong Kong [48]. Security firms such as Symantec and McAfee market anti-phishing software, and banks should install security software from Symantec Corp. and McAfee Inc. [49]. Many more companies are developing or marketing anti-phishing solutions, which can safeguard banks and financial institutions against phishing. A few of these solution providers are mentioned in the following by way of example.
a. NTT Comware [50] said it has begun marketing PHISHCUT, a solution for preventing phishing.
b. HQ, New Delhi [51], India's premier customized software solutions company, partnered with Cloudmark Inc. to provide anti-spam and anti-phishing products and solutions to Indian SMBs and ISPs.
c. Aladdin Knowledge Systems [52], a leader in software DRM, USB-based authentication and secure web gateways, announced that Mumbai-based SecureSynergy Pvt Ltd is the first managed security service provider in India to deploy the Aladdin eSafe SecureSurfing solution for its customers.
d. Sendmail [53], a leading global provider of trusted messaging, has launched DomainKeys Identified Mail (DKIM) authentication technology in the company's Sentrion security appliances, and also in the commercial Sendmail Switch and open-source mail servers. Sendmail's announcement coincides with the Internet Engineering Task Force (IETF) approval of DKIM as a proposed standard (RFC 4871). By verifying the signatures on incoming messages, organizations can remove targeted spoofing and phishing threats, cut the number of false positives and remove identifiable spam.
e. Replace username-and-password login with stronger hardware-based authentication solutions, as suggested by a majority of customers in the USA (Bennett (2006)). Similar suggestions are reported by an online survey conducted in December 2006 by RSA, whose respondents also suggested risk-based authentication; the sample size was 1,678 adults from eight countries including India (Pradhan (2007)). Bendigo Bank was the first Australian bank to offer customers strong authentication for Internet banking using password-generating tokens, in a move to thwart Internet banking fraudsters (Dinham (2004)). The cost of the tokens is AU$16.50 each.
iii. Fast-moving, adaptable threats require equally agile, multi-faceted security responses. There are different technologies that provide multi-factor authentication, and banks must seriously consider the implications of each in terms of cost, ease of deployment and potential impact on usability (Bennett (2006)).
iv. Introduction of electronic signatures on all e-mail correspondence with customers to curb phishing, as was done by the German bank Postbank (Libbenga (2006)).
v. Passwords can be replaced with biometric technology.
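DKIM (item d above) and Postbank's signed customer e-mail (item iv above) both depend on the receiving side actually verifying what arrives. As an added example, not Sendmail's, Postbank's or any bank's code, the Python below implements the first half of a DKIM check per RFC 6376: it parses the DKIM-Signature header's tags, canonicalizes the body with the "simple" algorithm, and compares the body's hash with the bh= tag, honouring an l= body-length limit. The signature tag (b=) is not verified here, because that needs the signer's public key from DNS and an RSA library. The sample message is constructed for the demo, with its bh= computed by the script so that it is self-consistent; bank.example, the selector "sel" and the placeholder b= value are assumptions.

```python
"""DKIM body-hash check (RFC 6376, 'simple' body canonicalization). Added example."""
import base64
import hashlib
import hmac
import re


def split_message(raw: bytes):
    """Return ({header-name: [values]}, body). Folded header lines are unfolded."""
    raw = raw.replace(b"\r\n", b"\n")
    head, _, body = raw.partition(b"\n\n")
    headers = {}
    for line in re.split(rb"\n(?![ \t])", head):      # newline not followed by WSP ends a header
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def parse_tags(sig_value: bytes) -> dict:
    """'v=1; a=rsa-sha256; bh=...' -> {'v': b'1', ...}; whitespace inside values is dropped."""
    tags = {}
    for item in sig_value.split(b";"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            tags[key.strip().decode("ascii")] = re.sub(rb"\s+", b"", value)
    return tags


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: CRLF line endings, trailing empty lines removed, exactly one final CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"          # an empty body canonicalizes to a single CRLF
    return body


def body_hash(body: bytes, algo: str = "sha256", length: int = None) -> str:
    """Base64 digest of the canonicalized body, optionally limited to the first `length` octets (l= tag)."""
    canon = canonicalize_body_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.new(algo, canon).digest()).decode("ascii")


def check_body_hash(raw: bytes) -> bool:
    """True if the message's first DKIM-Signature bh= matches the body actually received."""
    headers, body = split_message(raw)
    sigs = headers.get("dkim-signature")
    if not sigs:
        return False                      # unsigned: a policy (ADSP/DMARC) decision, not a hash mismatch
    tags = parse_tags(sigs[0])
    if tags.get("v") != b"1":
        return False
    algo = tags.get("a", b"rsa-sha256").split(b"-")[-1].decode("ascii")   # rsa-sha256 -> sha256
    if algo not in ("sha1", "sha256"):
        return False
    canon = tags.get("c", b"simple/simple").split(b"/")
    if (canon[1] if len(canon) > 1 else b"simple") != b"simple":
        return False                      # relaxed body canonicalization not implemented here
    length = int(tags["l"]) if "l" in tags else None
    expected = tags.get("bh", b"").decode("ascii")
    return hmac.compare_digest(body_hash(body, algo, length), expected)


def build_sample(body: bytes) -> bytes:
    """Constructed message for the demo. bh= is computed here; b= is a placeholder."""
    bh = body_hash(body).encode("ascii")
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bank.example; s=sel;\r\n"
            b" h=from:to:subject; bh=" + bh + b";\r\n"
            b" b=PLACEHOLDER\r\n"
            b"From: alerts@bank.example\r\n"
            b"To: customer@example.net\r\n"
            b"Subject: Your March statement\r\n"
            b"\r\n" + body)


SAMPLE_BODY = b"Your statement for March is ready in online banking.\r\n\r\n"

if __name__ == "__main__":
    msg = build_sample(SAMPLE_BODY)
    print("genuine:", check_body_hash(msg))
    # A phisher who reuses the signed headers but swaps in a lure changes the body hash.
    lure = msg.replace(b"ready in online banking.", b"on hold; confirm your PIN at http://www.citbank.com")
    print("tampered:", check_body_hash(lure))
```

Two caveats a verifier has to remember: the l= tag deliberately leaves anything appended after the declared length unhashed, so a receiver should either reject l= or render only the covered octets; and a phisher who simply sends unsigned mail from a lookalike domain fails no hash check at all, which is why the signature has to be paired with a published policy (ADSP or DMARC) that tells receivers the bank's mail is always signed.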
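The password-generating tokens of item e above are typically HOTP devices. As an added example, not from the article, Bendigo Bank or RSA, here is RFC 4226 HOTP in Python (stdlib only) together with the server side: a per-user counter, a look-ahead window so that a token pressed a few times without logging in still works, and counter advancement so that an intercepted code cannot be replayed. The shared secret is the RFC 4226 test key, used so the codes can be checked against the RFC's own vectors; the user name and window size are assumptions. The caveat the text itself raises (Miller's item iii) still applies: a one-time code relayed within seconds by a man-in-the-middle phishing site is accepted as genuine, which is why session-wide transaction monitoring (category III) is needed alongside tokens.

```python
"""HOTP (RFC 4226) token and verifying server. Added example, stdlib only."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The customer's device: same secret, a counter that advances on every button press."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Bank side: shared secret and last accepted counter per user."""
    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead     # how far the token may run ahead of the server
        self.users = {}                  # user -> {"secret": bytes, "counter": int}

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        """Accept the code at the current counter or up to look_ahead steps beyond it.
        On success the counter moves past the used value, so replaying the code fails."""
        rec = self.users.get(user)
        if rec is None or not (code.isdigit() and len(code) == 6):
            return False
        for c in range(rec["counter"], rec["counter"] + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1
                return True
        return False


# RFC 4226 Appendix D test key; counters 0..2 give 755224, 287082, 359152.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = TokenServer(look_ahead=3)
    server.enroll("alice", RFC4226_SECRET)   # "alice" is an assumed user name
    token = Token(RFC4226_SECRET)
    first = token.press()
    print("first code accepted:", server.verify("alice", first))
    print("replay rejected:", server.verify("alice", first))
    token.press(); token.press()             # two presses without logging in
    print("drifted token accepted:", server.verify("alice", token.press()))
```

A production server also rate-limits failed attempts per user, because a six-digit code with a look-ahead window is guessable by brute force if unlimited tries are allowed, and stores the per-user secret as carefully as it would a password hash, since anyone holding it can mint codes.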
i. Forward malicious mails to government agencies [54] that deal with such e-mails, for example email@example.com and firstname.lastname@example.org in the USA (Hall (2006)), or the Indian Computer Emergency Response Team (CERT-In).
ii. Citibank recently reduced the amount of money it allows customers to transfer out of checking accounts in response to the phishing epidemic. Daily limits on the institution's Global Transfers programme, which allows customers to move money to any Citibank account for $5 or $10 per transfer, were reduced to $500 per day and $1,000 per week in October. This practice can be followed by others.
iii. Minimize or eliminate the risks by instead using a virtual card with a virtual number for one-time use, with a specified limit and validity period; in many ways, this option is even safer than using a physical credit card in the real world. I've found that HDFC Bank's NetSafe [55] facility serves this purpose quite adequately, and in the rare event that your virtual card does get misused, your liability, if any, would be a very limited one indeed.
iv. Banks should monitor every online transaction, not just the log-in but the entire online banking session and telephone banking session (Bennett (2006) and Pradhan (2007)).
In India, ICICI Bank has adopted a dual-factor authentication practice and remodelled its debit cards, which now carry an 8x2 grid of numbers on the back. HDFC Bank has adopted a three-pronged approach to tackling phishing: (i) continuous education of customers about the security of online transactions, (ii) setting up a robust incident response process to render attacks harmless, and (iii) implementing state-of-the-art technology solutions to thwart phishing attacks.
There is a sharp rise in phishing statistics, as is evident from the values in the various tables, be it the number of phishing sites hosted, the number of phishing mails received, or the monetary loss to customers or organizations. The main reason for the losses, and for the success of the frauds, is ignorance on the part of customers as well as service providers (bankers, ISPs, retailers, etc.). It requires stringent methods of educating customers and regular review of the security-related information of individual customers. For example:
i. A person should not be accepted as a customer of a financial institution unless they have read the security-related material properly and provided proof to the institution that they are aware of the security concerns. This could be done by presenting the terms and conditions of being a customer in pieces, and not accepting the application unless the customer has worked through all of them. It will certainly act as a stumbling block to acquiring more customers, but new, innovative methods can be devised so that the customer does not feel the heat of these measures.
ii. Take the example of the ICICIdirect.com website in India. It has a policy that forces its clients to change their password every 15 days. It starts reminding the customer two days in advance that the password must be changed or transactions will not be allowed. This is followed religiously at ICICIdirect.com. But at the same time, if one operates a savings bank account with ICICI Bank, one can keep the same password, which is only four digits long, for ever. The question is why the same policy does not apply to savings bank or any other account of the bank.
iii. Many cases have been reported in the past concerning inadequate passwords in terms of character sequencing and length. Institutions should devise a secure password policy that constrains both the characters used and their sequencing. In addition, the policy must address the size of the security-related data. Institutions may also analyse passwords at regular intervals for inadequacy and communicate the results to customers in real time; with properly hashed storage such analysis is only possible at the moment the password is set or entered, which is where the checks belong.
iv. International or large fund transfers should not be executed in real time. As part of the terms and conditions, customers must be informed before the transfer takes place. The execution delay may be 24 hours, 36 hours or as deemed fit by the financial institution.
v. Information on incidents of phishing or similar serious crimes, and the outcome of the judicial process, should be made available to citizens as early as possible. In addition, new regulations must be made available through electronic means to all citizens and customers.
vi. Many organizations (software developers or implementers) have developed anti-phishing solutions; the use of these security tools may be encouraged through regulation. In addition, small organizations should be supported by the state in making their electronic transactions secure.
vii. There is a need for better, easy-to-use and cost-effective methods of authenticating customer transactions.
viii. To fight phishing, institutions must adopt a multi-pronged approach with at least four components: (a) use and development of new technologies to counter fraud, (b) educating customers, with riders everywhere, (c) helping law enforcement agencies by providing information on incidents, and (d) proper, regular and stringent audits of online systems.
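Item iii above and the eBay example among the reasons for the increase in phishing (a user ID of james34231 with a password of james34) describe the same control. As an added example, not the article's or any bank's code, the Python below is a set-time password policy check: it rejects passwords shorter than ten characters, digit-only passwords (the four-digit savings-account password of item ii), too few character classes, any four-character run shared with the user ID, keyboard or numeric sequences, and repeated characters, and returns every violated rule so the customer can be told why. The minimum length, run length, class count and keyboard rows are assumptions.

```python
"""Set-time password policy check. Added example; thresholds are assumptions."""
import re

MIN_LENGTH = 10
RUN = 4                                   # length of shared/sequence runs that trigger a rejection
KEYBOARD_ROWS = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _runs(s: str, n: int = RUN) -> set:
    """All length-n substrings of s."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def _alnum(s: str) -> str:
    """Lower-case and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def shares_run_with_user_id(password: str, user_id: str) -> bool:
    """True if any RUN-character piece of the user ID (case/punctuation folded) appears in the password."""
    return bool(_runs(_alnum(password)) & _runs(_alnum(user_id)))


def has_sequence(password: str) -> bool:
    """True if the password contains RUN consecutive keys of a row, forwards or backwards."""
    p = password.lower()
    return any(run in p for row in KEYBOARD_ROWS for run in _runs(row) | _runs(row[::-1]))


def check_password(user_id: str, password: str) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("digits only (a card PIN is not a web password)")
    if sum(bool(re.search(c, password)) for c in CLASSES) < 3:
        problems.append("fewer than three character classes")
    if shares_run_with_user_id(password, user_id):
        problems.append("contains part of the user ID")
    if has_sequence(password):
        problems.append("contains a keyboard or numeric sequence")
    if re.search(r"(.)\1{2,}", password):
        problems.append("same character repeated three or more times")
    return problems


if __name__ == "__main__":
    for uid, pw in (("james34231", "james34"), ("alice", "1234"), ("alice", "Tr0ub4dor&Vex!")):
        print(f"{uid!r}/{pw!r}: {check_password(uid, pw) or 'OK'}")
```

Because the check runs on the plaintext at the moment the customer chooses the password, it fits in front of whatever hashing the bank already does; a list of known-breached passwords can be consulted at the same point.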
36 http://www.mwti.net/products/pdfs/theitshield_ICICI%20Bank%20Phishing%20Scam%20Targets%20Customers%20In%20India.pdf
39 http://infotech.indiatimes.com/Enterprise/Be_web_wary_Phishing_hits_SBI_3_other_banks_/articleshow/461978.cms
40 http://www.realinformationsecurity.com/general/rbi-seeks-data-from-banks-on-frauds.html (2007, March)