The worldwide web can be a nasty neighbourhood, and criminals will do anything to compromise your clients’ data, especially when it doesn’t require breaking into your systems directly. “Phishing,” a problem that first emerged in its modern form in 2001, relies on a combination of social engineering and technical trickery to fool users into handing over their account credentials.

In a typical phishing scam, the perpetrator sets up a fake Web site that looks similar or identical to a legitimate one run by a brand-name financial institution or e-commerce provider. Call the target Bank X.

The scammer sends out a torrent of e-mails purporting to come from Bank X, in the hope that some of them will land in the inboxes of real Bank X customers. The e-mail typically carries a message designed to panic the recipient. It may suggest that the account’s security has been compromised and ask the customer to supply account information to verify his or her identity. Or it may ask the customer to confirm transactions he or she never authorized. Either way, the mail contains a link the customer is urged to follow. The sender name and the visible link text are forged to look like Bank X’s, while the link’s actual destination is the fraudulent site. That is where the information is harvested.

“You click on the link, and it looks like the bank’s Web page,” says John Hill, a security evangelist at Internet security provider McAfee Inc. of Santa Clara, Calif. “It’s an exact duplicate of the original.

“We’ve seen a lot of situations recently,” he adds, “in which customers are being sent phishing e-mails targeting their local banks.”

Once the criminals have the information, they can use it to access the real account and transfer the funds. And if, as is common online, that customer uses the same user name and password for different accounts and services, the criminals will have access to those accounts as well. No wonder so many phishers are joining the party.

“We’ve seen this for five or six years,” says Maura Drew-Lytle, spokeswoman for the Canadian Bankers Association in Toronto. Early e-mails were full of grammatical errors and spelling mistakes, but, she says, “They’re now even using logos. They seem more legitimate.”

It’s not surprising that phishing has appeared on the CBA’s radar. Phishers gravitate to financial services companies because of the potentially lucrative spoils in victims’ accounts. About 83% of all phishing attacks target the customers of financial services institutions, according to Symantec Corp., a Cupertino, Calif.-based computer security company.

The technique is becoming so commonplace today that automated phishing tool kits have appeared that allow criminals to adopt a “phish by numbers” approach, creating phishing campaigns using simple menu-based software that will do the behind-the-scenes grunt work automatically.

The customers of several Canadian financial services institutions have been hit by phishing attacks recently. For instance, Toronto-based TD Canada Trust was targeted this past July with an e-mail telling customers they were required to enter their EasyWeb online banking credentials on a site that turned out to be fraudulent. And another phishing campaign targeted customers of Beirut-based Lebanese Canadian Bank, which has a Montreal office, according to a January report from WebSense Inc., a San Diego, Calif.-based online security firm.

The computing and financial services industries have done a relatively good job of educating customers, and the advice they give is straightforward: never trust an e-mail that claims to be from your bank and asks for account or financial information. Most banks won’t ask for it that way. Also, type the address of the bank’s Web site into the address bar directly, rather than following a link, because the text of a link need not match where it actually leads. And install an anti-phishing toolbar or use a browser that already includes one.
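As an added illustration of the checks the advice above is meant to encode (this is not code from the original article or from any of the firms it mentions), the following Python script applies them to two constructed messages: a phishing e-mail of the kind described earlier, and a legitimate notice. “Bank X,” its domain bankx.example, the sender addresses and the message text are all hypothetical. The script flags a sender whose display name claims the bank but whose address belongs to another domain, urgency language in the subject and body, and any link whose visible text names one host while its href points somewhere else.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). "Bank X" and bankx.example are
# hypothetical stand-ins for the institution discussed in the article.
PHISH_EMAIL = """\
From: Bank X Security <alerts@bankx.example.com.verify-login.example>
To: customer@example.org
Subject: Urgent: your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unauthorized transactions on your account.</p>
<p>Confirm your identity within 24 hours at
<a href="http://bankx-secure.example.net/login">https://www.bankx.example/</a>
or your account will be closed.</p>
</body></html>
"""

LEGIT_EMAIL = """\
From: Bank X <notices@bankx.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at
<a href="https://www.bankx.example/statements">https://www.bankx.example/statements</a>
to view it.</p></body></html>
"""

LEGIT_DOMAINS = {"bankx.example"}  # assumed: the bank's real registrable domain(s)
URGENCY_WORDS = ("suspended", "unauthorized", "within 24 hours", "will be closed")


def registrable(host):
    """Last two DNS labels of a host name. A production check should use the
    Public Suffix List so that names like 'bank.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message, legit_domains=LEGIT_DOMAINS):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. The display name can say anything; only the address domain counts.
    sender = msg["From"].addresses[0]
    if registrable(sender.domain) not in legit_domains:
        findings.append(
            f"sender '{sender.display_name}' uses domain {sender.domain!r}, not the bank's")

    # 2. Urgency language is the lever used to panic the recipient.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    haystack = f"{msg['Subject']} {html}".lower()
    for word in URGENCY_WORDS:
        if word in haystack:
            findings.append(f"urgency language: {word!r}")

    # 3. Judge each link by where the href really goes, and compare that with
    #    the host the visible text shows; a mismatch is the classic giveaway.
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        if target not in legit_domains:
            findings.append(f"link goes to {target!r}, not the bank")
        if "://" in text or text.startswith("www."):
            shown_url = text if "://" in text else "http://" + text
            shown = registrable(urlparse(shown_url).hostname or "")
            if shown != target:
                findings.append(f"link text shows {shown!r} but href goes to {target!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(sample) or "no findings")
```

Run as a script, it lists the red flags for the phishing sample and reports none for the legitimate one. The registrable-domain heuristic is deliberately crude; a toolbar or mail gateway doing this for real would consult the Public Suffix List and a maintained list of the institution’s domains rather than a hard-coded set.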

But the problem is that some customers simply won’t listen, and their behaviour is largely beyond their financial services institution’s control. There have been several cases of clients of Canadian investment dealers falling victim to phishing attacks, says Alex Popovic, vice president of enforcement at Toronto-based Investment Dealers’ Association of Canada, although the trend is not as prevalent among IDA firms as it has been in consumer banking.

“We saw our first intrusion in August 2006,” he says.

$4.8 MILLION SWINDLED

There were just four intrusions that year, but the number grew to 56 in 2007. So far this year, the number of intrusions has fallen dramatically. But in 2006 and 2007, phishers swindled the Canadian investment community out of $4.8 million, Popovic says. And that’s still far fewer phishing attacks than customers suffer in other parts of the financial services sector.

Popovic says the relatively small number of phishing incidents among Canadian investment dealers is largely the result of the difficulty of extracting funds from accounts. In the U.S., it is relatively easy to withdraw funds from an account, he says. In Canada, regulations require investment dealers to confirm requests for withdrawals made via a Web site. This makes things more complicated for phishing scammers in Canada.

When an investment account is compromised in Canada, then, the payoff usually comes from trading rather than from a withdrawal.

“The individual will be part of a larger conspiracy,” he says, “either to manipulate the price of a stock or to buy stock at lower prices and then sell it to these clients. The clients buy it at a higher price.”

Schemes like these usually involve nominees, accounts held in other people’s names, to make it harder for investigators to trace who benefits.

In any case, it doesn’t pay for financial services companies to be too sanguine about the threat of phishing re-emerging, especially with new tactics on the horizon.

“Spearphishing,” in which criminals research individual victims more closely and send e-mails laced with personal details, is far more convincing and likely to succeed with a greater number of victims. Such attacks typically target high-net-worth individuals, which makes holders of investment accounts a natural target.

With cyber-criminals always looking for new ways to siphon cash from victims over the Internet, financial services firms should be vigilant about potential threats. IE