Symantec Corp. is expected to announce on Monday a new service to help financial institutions fight phishing attacks and online fraud.
Phishing has become nearly ubiquitous, as fraudsters develop more sophisticated ways to trick people out of their confidential information, such as account numbers, passwords, and social security numbers. According to the Anti-Phishing Working Group, the number of unique phishing attacks rose from 116 in December 2003 to 1,422 in June—a 12-fold increase in six months. Moreover, these attacks are expensive; Gartner Research estimates that phishing schemes alone have cost banks $1.3 billion.
The onslaught of phishing attacks has reduced customer confidence in online banking as well, according to Kim Legelis, director of financial services industry solutions for Symantec. Legelis said that phishing attacks have caused 35.2 percent of online banking customers to definitely change their behavior, while 45.2 percent have changed some behavior. "That's a significant percentage of online customers," Legelis said. "We feel we have an obligation to put our significant resources to bear to try to address this problem."
Symantec's new service offering "really helps banks with their pain points," Legelis said. At the heart of the package, dubbed the Symantec Online Fraud Management Solution, is fraud blocking and filtering. "Our belief is that if a bank's customers don't get the bait, they'll never become victims of fraud," said Legelis. "One of our objectives is to prevent consumers from ever getting fraudulent e-mails that appear to be from their financial institution." The new service has a method for filtering out phishing attacks as they're sent.
The filters reside with the ISP, and prevent fraudulent e-mails from getting out. According to Symantec, nine of the top 12 ISPs in the United States are customers, and the company deploys filters to them in real time, covering a wide range of threats. These filters will prevent e-mails that have been identified as fraud from getting into customers' inboxes, Legelis said.
When a bank becomes a customer of Symantec fraud prevention, it provides a list of ISPs and legitimate Web addresses. Symantec has millions of decoy e-mail addresses that it monitors using honey-pot technology. When fraudsters send phishing e-mails to Symantec's decoy addresses, both technology and human assessment are put to work to identify an attack. Within 5-10 minutes of an e-mail being sent, Symantec deploys a filter that prevents those messages from getting through gateways.
Simultaneously, the financial institution is notified that a fraud attack is being perpetrated in their brand name so that they can take action to protect their customers and attempt to shut down the source of the spoofed Web site contained in the e-mail. Symantec provides them with data to pursue cease-and-desist orders. Most financial institutions have incident-response capabilities in place that spring to action when they get an alert.
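The triage step described above can be sketched as follows. This is an added illustration, not Symantec's code: a message arriving at a decoy mailbox is flagged when it uses the bank's brand but links to hosts outside the bank's list of legitimate Web addresses. The brand name, the host list, the function names and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumed inputs: the brand and the legitimate Web addresses the bank supplied.
BRAND = "Example Bank"
LEGIT_HOSTS = {"bank.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_is_legit(host, legit_hosts=LEGIT_HOSTS):
    # Accept a listed host or a true subdomain of it; "bank.example.evil.test" fails.
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in legit_hosts)

def suspect_hosts(raw_message, brand=BRAND, legit_hosts=LEGIT_HOSTS):
    """Return sorted off-list link hosts for a message that uses the brand."""
    msg = message_from_string(raw_message)
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if not part.is_multipart()
    )
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body])
    if brand.lower() not in text.lower():
        return []  # not sent in this bank's name, nothing to report to it
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            # .hostname drops any "user@" prefix, so "bank.example@1.2.3.4" yields the IP
            host = urlsplit(url).hostname
        except ValueError:
            continue
        if host and not host_is_legit(host, legit_hosts):
            hosts.add(host)
    return sorted(hosts)

# Constructed decoy-mailbox samples.
PHISH = ('From: "Example Bank" <alerts@verify-login.test>\n'
         'Subject: Account suspended\n\n'
         'Confirm at http://bank.example.verify-login.test/update\n'
         'or http://www.bank.example@203.0.113.7/login\n')
LEGIT = ('From: "Example Bank" <news@bank.example>\n'
         'Subject: Your statement\n\n'
         'View it at https://online.bank.example/statements\n')

if __name__ == "__main__":
    print(suspect_hosts(PHISH))  # hosts to block and to hand to the bank
    print(suspect_hosts(LEGIT))
```

A non-empty result is what would feed both the gateway filter and the alert to the financial institution; the human assessment the article mentions would sit after this step.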
There are obvious customer service fallouts from fraud. Besides the financial losses for consumers and financial institutions, banks have to beef up their customer support to deal with the attacks. Mitigating technology and services are one route to limiting the damage. "We want to prevent customers from getting the bait, because the bait's getting better and better," asserted Legelis.
Symantec can also provide customer education and assessment capabilities. "We're the world leader in desktop security for consumers so we are making those resources available to financial institutions so that they can proactively provide education to their consumers about identity theft, fraud, and other behaviors they can use to protect themselves," Legelis said.
Symantec's consulting services are designed to help financial institutions assess their online fraud risk profile. The goal is to show the institution how to adapt people and processes internally. The pricing structure for the Symantec Online Fraud Management Solution is based on the number of registered online users, Legelis said. For large financial institutions, it's an annual service, billed monthly, and is in the range of a few cents per user per month.