E-MAIL PHISHERS ARE honing their skills in ways that indicate at least some of them think like the best direct marketers, says James Christiansen, Experian’s chief information security officer.
By all accounts, phishing — fraudulent e-mails that appear to come from legitimate financial services companies — is getting more rampant by the month.
According to the Anti-Phishing Working Group (APWG) — a 2,500-member global association of banks, law enforcement and other organizations aimed at combating the phenomenon — an eye-popping 23,670 phishing Web sites were used to commit identity theft, fraud and other malicious activity in July alone, the latest month for which figures were available. That is an astronomical rise from the 14,135 sites the group reported a year earlier.
As the phenomenon grows, phishers’ tactics are evolving rapidly in an effort to broaden their targets. And those tactics have direct marketing written all over them.
For example, Christiansen says, phishers increasingly are using geographic targeting, or geotargeting, to find likely dupes.
Traditionally, phishers used only the most recognizable brands, such as eBay, in their e-mail scams because those blasts could be sent far and wide and still stand a decent chance of reaching someone who had an actual account with the company.
However, with so much phishing relying on the big names, those waters are starting to get phished out, so to speak, according to Christiansen.
“They’re still targeting the big guys, but they’re not as effective these days,” he says.
As a result, would-be identity thieves have been focusing on customers of small, local institutions like credit unions. To get e-mail addresses of people who might have accounts at these smaller financial outfits, phishers will harvest the addresses of, say, the university whose professors belong to the targeted credit union.
Spam lists with geographic information attached to the addresses also are readily available, Christiansen says. Because of this, phishers have been able to greatly expand the number of brands they use to try to hook people into revealing their account numbers.
“Three years ago, and maybe even two, 90% of the phishing we saw targeted four companies,” Christiansen says. “Now we’re up to 154 just in [July].” That figure also is up from 71 brands in July 2005 (see graph). Still, the study claims that only 15 brands comprised 80% of phishing campaigns this past July.
At the same time phishers are targeting geographically, they’re using new direct marketing-related ruses aimed at getting people to fork over their account information.
For example, the APWG says that on Aug. 29 a phishing attack went out to customers of the Iowa Corporate Central Credit Union offering responders $20 to take a customer satisfaction survey.
“In an effort to continually measure the service quality given to Iowa Corporate members we send out random surveys asking for valuable feedback on how we are doing and how we can improve,” the phishing e-mail said. Responders would be asked to “verify” their account information.
On Aug. 25, a similar phishing attempt offered customers of the Michigan Schools and Government Credit Union Bank a chance to win $100 for participating in a poll.
And in another tactic roughly matching those their law-abiding DM counterparts use, phishers will try to capitalize on life-changing events, such as when it’s time to renew company health coverage, according to Christiansen.
Phishers employ the three most powerful DM tools: good old fear, greed and urgency.
“They’ll often say ‘Do it now or your account’s deactivated,’” Christiansen claims. “Then there’s greed, as in ‘You’ve just won $250,’ so you’re going to hurry to put in your account information to get that $250.”
Unfortunately, he adds, “this is direct marketing at its best.”