Nathan Kully
Nathan Kully is an employee at Essential Security Software, Inc., a provider of email and document security solutions for small and enterprise business professionals, in Bellevue, WA. He is also a contributing editor to The Nathan is currently a student at Cornell University

Reeling in Account Numbers

Phishing in Banking and Finance

Nathan Kully

June 25, 2007


Many assets within your personal financial life have become digital over the past 5 years, such as stock portfolios, mortgages, and bank accounts.  Your ability to view your accounts, change details, and pay bills via your online bank account from the comfort of your home has made life more convenient for consumers.

Online banking has become popular because of the convenience it provides patrons, especially when it comes to paying bills and gauging available funds.  However, this new system has led to many serious security concerns because of the reliance customers place on their online accounts. Innately trusting every communication that carries a bank logo can eventually lead people to make grave security mistakes online.  The prominence of phishing emails has eclipsed consumers' ability to stay current on the latest scams.

The growth of online banking
Online banking became popular in the early years of the 21st century and has continued to grow sizably within the U.S.  According to Forrester Research, from 2002 to 2005 the share of households that bank online grew from 29% to 51% (1).

Experts are projecting a steady increase over the next 4-5 years, reaching over 75% of Americans, or nearly 72 million households, in 2011.  Projections show that online accounts will reach nearly the entire U.S. public within 5-10 years.  It will be imperative that banks provide their patrons with information on protecting themselves from phishing attacks, or else both they and their customers could be highly exposed to fraud.

Baiting – How phishing works

Phishing works when a person imitates a bank by sending emails to people's personal accounts that look identical to ones the bank would actually send.  Emails are typically marked as "urgent," requiring attention for some issue surrounding your account.  Phishers will ask for a customer's personal information such as their login, password or Social Security Number.  This is an effective way for cyber-criminals to obtain your personal financial information (PFI) because there are few ways to prevent phishing emails from being delivered to your inbox. Once a recipient reads the email and clicks on its links, the responsibility rests solely on the bank patron.

Once the phisher has this information, they are free to use it at will. You then have to personally identify the problem and contact the bank, financial firm or credit card company to alert them. A financial consumer's lack of knowledge of the many ways phishers lure their victims contributes to the growth in ID theft and fraud. Consumers must pay attention to every detail of legitimate and forged bank communication alike.

A study of why phishing works so well concluded that in 2003 more than two million people gave information to false sites, mostly because of three primary factors:

1.    Lack of knowledge consumers have of their computer system and internet browsers: Faulty URLs and a lack of security indicators in the browser are overlooked, when in reality they are easy to identify.

2.    Stolen images: Visual deception is a tactic phishing schemes use, and they have gotten better at it from year to year.  Fraudulent "PayPal" sites even go to the trouble of usurping images from the legitimate PayPal website, right down to using the same image dimensions and "alt tags" (2). In some cases, phishing sites have successfully mimicked legitimate pages and produced emails perfectly identical to those created by the financial firm.

3.    Not looking at the details: When users, even experienced financial consumers, do not pay complete attention to the small details of emails and websites, such as the absence of a padlock indicating a secure connection or a slightly altered logo without the copyright sign, they can often take the phisher's bait.

Most people bite the phishing bait hook, line and sinker
A 2006 Harvard/Berkeley study on the effectiveness of hoax sites showed that financial consumers today must develop a proficiency in spotting a scam behind a genuine-looking phony website and/or email.  One exercise in the study showed that when significant time and effort is put into developing fake sites, people have a hard time telling whether a site is fake or not.  The study found that up to 91% of people failed to identify the well-designed imposter as a phony site, even when given significant time to examine it.

Can banks successfully protect you from phishing?

While it's difficult for consumers to stay up-to-date on phishing schemes, the burden is even heavier for banks.

"Banks constantly market their zero liability programs, which aim to convince consumers that they stand to lose nothing from most cases of identity theft. Financial companies often complain that media reports exaggerate the risks to consumers after reports of lost or stolen credit card databases."(3)

These zero liability programs are in fact no longer zero liability, because of the vast number of phishers baiting consumers on the web.

Phishers' persistent web tactics

Phishers will do whatever it takes to exploit people. Phishers tend to target two types of people:

•    The inexperienced, who are unaware of phishing
•    The busy, on-the-go people who are too active to thoroughly examine their emails

A recent strategy, aside from copying nearly all the distinctive aspects of a bank's pages, is to use a web address that appears "legitimate enough" to seem reasonable. An example of this is to send a Bank of America customer a link to, which is not their actual address. (4)

An extreme example involved banks with a "W" in their name, such as Washington Mutual.  Phishers use the lettering to their advantage by substituting the W with two V's so it appears as "VVashington Mutual." (5)  At an 8 point font in the address bar, could you normally tell something as minute as this, even with thorough investigation of the page? Letter substitution is just one of the many tools phishers use to gain access to your financial information.
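The "VV" for "W" trick above is a substitution a program can catch mechanically, even when a person reading an 8 point address bar cannot. The following script is an added example written for this article, not code from the original piece or from any bank: it pulls the hostname out of a link, collapses visually confusable spellings, and reports when the result matches a known legitimate bank hostname while the raw spelling does not. It also notes links that are not HTTPS, the missing-padlock detail mentioned earlier. The bank hostnames are constructed placeholders on the reserved `.example` domain, and the "rn" for "m" and digit-for-letter confusables are added generalizations of the same trick rather than cases the article lists.

```python
"""Flag look-alike bank hostnames in links (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed placeholder hostnames standing in for a bank's real addresses.
KNOWN_BANK_HOSTS = {"westbank.example", "onlinebank.example"}

# Letter pairs that read as one letter at small font sizes.  "vv" -> "w" is the
# substitution the article describes; "rn" -> "m" is an added generalization.
CONFUSABLE_SEQUENCES = [("vv", "w"), ("rn", "m")]

# Digits commonly swapped for the letters they resemble (added generalization).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_host(host: str) -> str:
    """Collapse confusable spellings so a look-alike host maps onto the
    spelling of the legitimate host it imitates."""
    normalized = host.lower().translate(CONFUSABLE_CHARS)
    for sequence, letter in CONFUSABLE_SEQUENCES:
        normalized = normalized.replace(sequence, letter)
    return normalized


def classify_link(url: str) -> dict:
    """Return a verdict for one link: legitimate host, look-alike, or unknown,
    plus a list of findings a reader should check before entering credentials."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if host in KNOWN_BANK_HOSTS:
        verdict = "legitimate host"
    else:
        normalized = normalize_host(host)
        impersonated = sorted(
            bank for bank in KNOWN_BANK_HOSTS if normalize_host(bank) == normalized
        )
        if impersonated:
            verdict = "look-alike"
            findings.append(f"host {host!r} reads like {impersonated[0]!r}")
        else:
            verdict = "unknown host"

    # No HTTPS means the browser would show no padlock for this page.
    if parts.scheme != "https":
        findings.append("not HTTPS: the browser would show no padlock")

    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, including one using the "VV" for "W" substitution.
    samples = [
        "https://westbank.example/login",
        "http://vvestbank.example/login",
        "https://0nlinebank.example/verify",
        "https://news.example/article",
    ]
    for link in samples:
        result = classify_link(link)
        print(f"{link}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Because the comparison is made against the normalized spelling of the legitimate host as well, a real bank name that happens to contain "rn" or "m" still matches itself; only a host that becomes identical to a known bank after normalization, without already being that bank, is reported as a look-alike.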

Phishers' persistent email tactics
Email phishing has gone beyond banks to other services that seem reliable from a consumer standpoint.  In May 2007 phishers sent out two bogus emails purporting to come from two trustworthy organizations, the Better Business Bureau (the BBB) and the Internal Revenue Service (IRS).  These types of emails are even worse than bogus banking ones because it's difficult to doubt something that appears to come from historically trusted sources.

With these recent phishing problems and the further deception used by criminals, here is a brief list of ways to determine whether an email from your bank is in fact legitimate before you go to a counterfeit site and enter your login/password information:

•    If you are notified that you need to log onto your account for any purpose, go to the bank's homepage and log on from there
•    Most banks have a fraud section on their homepage; check whether any recent instances of phishing are listed
•    A bank's fraud pages should tell you how they handle account troubles; if there's nothing about contacting customers directly by email, you can assume the email is fraudulent
•    Call the bank and speak with a representative to ask whether there are any such issues with your account

Our inboxes are becoming more dangerous by the day with the amount of phishing in the digital world.  There is no way to stop these horrible, life-ruining messages, so simply take extreme precaution before opening suspicious emails.  Just imagine all of your hard-earned cash along with your life savings instantly gone because of a simple mistake.

- - - - - -
End Notes

1.    Graeber, Catherine. "US Online Banking: Five-Year Forecast." Forrester Research 19 Mar 2007 1-10. 04 Jun 2007.
2.    Alt tags are a bit of HTML code attached to an image that, when the image is moused over, gives a description of what the picture is.
3.    Sullivan, Bob. "Double Trouble for ID Theft Victim." The Red Tape Chronicles. 08 May 2007. MSNBC. 11 Jun 2007 <>.
4.    Bank of America’s legitimate web addresses are or
5.    Dhamija, R., Tygar, J.D., and Hearst, M. 2006. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montreal, Quebec, Canada, April 22 - 28, 2006). New York: ACM Press, 2006.

