Friday, August 28, 2009

Satyam was India Inc’s biggest fraud — and as long as the recession is underway, it won't be the last

IF IT IS A FRAUD TO CONCEAL FRAUD, consider this a sincere effort to shed some light. With 697 cases of fraud filed under the Companies Act and 70 complaints logged under the Indian Penal Code, corporate India is under a cloud. The slowdown has only turned the canter to a trot, with more and more cases of fraud being reported as companies tighten their purse strings and resort to cutting costs. The 26/11 terror strikes in South Mumbai, the Mecca of corporate India, coupled with the infamous Satyam saga at the beginning of this year were the other catalysts that woke India Inc. from its growth slumber and made it take notice of systemic faults. There are cracks in the wall and a whole new breed of forensic experts, detectives and lawyers are now out there to fill the gaps.
Move over Frank Abagnale Jr. (the infamous US impostor and the inspiration behind Catch Me If You Can), Nick Leeson and Charles Ponzi (father of the Ponzi scheme). Even Wall Street fund operator Bernie Madoff's defrauding investors to the tune of $65 billion looks distant compared to the enemy within. The overstating of financial accounts by former Satyam chairman and promoter Ramalinga Raju has sent shockwaves across India Inc. and zapped the rest of the world. He has admitted to overstating the IT firm's cash reserves to the tune of $1.5 billion and the tech-savvy Raju family made full use of technology to conceal the fraud. In its turn, the Serious Fraud Investigating Office (SFIO) of the Ministry of Company Affairs (MCA) got the mandate to investigate the Satyam case on January 13 this year. "It's the most difficult case we have received till date and nearly 30-35 people worked on it daily for almost 24 hours for 90 days at a stretch before submitting the report to MCA on April 13," admits SK Sharma, Jt. Director, SFIO. "It took time and resources to crack Satyam as the Rajus used technology to the hilt."
Sharma doesn't stop there. He points to a spike in promoter-related frauds corroborated by many others. "Promoters mostly put public or the bank's money into projects and try to jack up its cost…they use the margin for personal gains," he claims. Forensic experts couldn't agree more. "Windowdressing of accounts is where the big play happens because if the company's share price can be jacked up, so will its valuations, and promoters and the top management benefit the most," says Deepankar Sanwalka, Executive Director, Advisory Head-Forensic Services, KPMG, who now heads a team of 350 people having started out solo 14 years ago. In the value pie, Sanwalka claims that window-dressing of accounts contributes to as much as 50% of the total frauds committed in the country.

DOWNTURNS USUALLY SEE A SPIKE IN FRAUDS. Why?

Because of three conditions that a downturn presents, explains criminologist Dr Donald Cressey. The perpetrators experience incentive or pressure to engage in misconduct; there is an opportunity to commit frauds; and perpetrators are often able to rationalise or justify their actions. For some, desperate times call for desperate measures. "It's during the low tide that you see the muck. When the tide is high, all irregularities are hidden," says Neeta Potnis, Partner, Deloitte Haskins and Sells.
Take the case of the retail loan portfolio of an NBFC, which gave its customers liberal loans during the growth phase. There was zero scrutiny. Upon investigation by KPMG, it was found that the top management of the finance company showed an extremely low level of non-performing assets (NPAs) to shore up the share price. It's not just teeming and lading, the fraudsters even changed the bucket of loans disbursed (say, a 60-day loan was shown as a 30-day give-away). Of course, those involved were sacked but it sent tremors across the organisation from which it is finding hard to recover.
Cooking of financial books is a widely practised fraud due to loopholes in accounting methods. "Since individual judgement is used in the way transactions are recorded, there are accounting assumptions, which fraudsters tend to exploit," says Navita Srikant, Partner & National Leader Fraud Investigation & Dispute Services, Ernst & Young (E&Y).
So the E&Y team came across companies where, in some instances, fictitious inventory, production and sales were shown to work the numbers. The companies concerned had even paid all statutory dues and incurred expenses that should never have occurred because the products were not even manufactured. In another case, a company booked inventory in the first year and a private equity fund invested in the company on the basis of the revival story being projected. In the following year, the company started to default on its creditors. When the fund made inquiries, the CFO started showing inventory writeoffs. The fund went ahead and hired a forensic expert to do the investigation which revealed several other areas of concern.

Today the stakes are much higher than ever before due to a globalised world. "After Satyam, the world is looking at India very closely. Investors want to know what's the problem; is it a local problem, or an industrywide problem or a global problem. Today, people want to look behind the numbers," observes Potnis. Even the MNCs want a closer look at the doings of their Indian arms. "Owing to the recession, more foreign companies are looking at what has been happening in some of their subsidiaries in India," seconds Vineet Aneja, Partner, Head of Corporate Practice-FoxMandal Little.
Apart from the Big Four forensic experts and lawyers, detective agencies are getting to mint money too. "I've seen a 30% rise in cases over the last 12 months, mainly related to defaults and cheating," says Sachit Kumar, CEO of Globe Detective Agency. Nowadays, he's busy tracking down a hotshot client-servicing executive in an ad agency. "He defaulted on payments due to the ad agency to the tune of Rs 78 lakh," exclaims Kumar.
While promoter and top management-driven frauds take the cake, procurement-related frauds and those concerning intellectual property and employees, are more widespread, though the spoils are much smaller. "The procurement-related frauds are on the rise and irrespective of the company's size, there is a leakage of funds. The requests for vendor monitoring and due diligence have gone up in recent months and the companies are re-looking at contracts they'd entered during the boom when the vendor base was large and budgets were big," claims Vidya Rajarao, Executive Director, Financial Advisory Services, PwC.
With supplier margins being squeezed in a downturn, they tend to cut corners. For instance, a month back, a large FMCG company approached a forensic consultant to look into a packaging issue wherein the strength of the packaging material was compromised, knocking off 15-17% from the original contract. Of course, the supplier was hauled up and its services discontinued when the finding came to light.
Procurement-related frauds are increasingly coming to light in several avatars. Scrap is an interesting variant, which baffles companies on the course of action they should take with rejected goods. "There have been instances where the clearing and forwarding agent (CFA) and company officials have got together taking the old packaging stock and re-labelling or repackaging them or even selling them in bulk and pocketing the entire money. The company's reputation is at stake since this consignment was to be destroyed as the expiry date had set in," explains Sanwalka of KPMG, whose firm has cracked similar cases from FMCG, auto, pharma and industrial goods sectors.
In some cases, PwC is reviewing vendor due diligence and putting in place a 'compliance code' for vendors. In a recent assignment, the consultancy found that vendors double billed and then over-invoiced, and the company ended up paying for both. They are now quantifying the extent of overpayment. At competitor E&Y's forensic lab, three vendor kickback investigations are currently underway. In a recent case, an employee in the procurement department of a company had created a shell company and all the paperwork seemed meticulous with his thorough knowledge of the system, gained over 10 years in the organisation. How could he get caught even after covering every possible loophole? An alternate emergency phone number which he had duly filled out in his employee details belonged to a close relative. When the forensic team at EY ran a test between the employee data and vendor database, his goose was cooked. On-the-ground investigation and business intelligence confirmed the suspicion as no such business ever existed at the given address.
Intellectual property fraud is the next big area since only IP differentiates the company from its competitor. Thefts in IP are commonplace and the incidence ranges from soft data theft of banks and telcos by unscrupulous collection agents to the high-end theft of patented molecules in pharmaceutical companies. "What happens when a top scientist in a pharma company joins a competitor along with his team upon development of 80% of a molecule in that very company," asks Sanwalka. Recently, his team stumbled upon a similar case and has suggested foolproof contracts with more emphasis on non-disclosures. He firmly believes it to be an act of fraud on the scientist's part as he went a step ahead, violating the code of conduct set up by his company.
Alongside, there's a spurt in employee-related frauds. Inflated expenses and providing false educational and work experience information are most common. A leading Indian IT services firm had a situation wherein a recruitment agency was sending letters to prospective employees on company letterheads. "With rapid growth in technology, it's easy to alter documents digitally. People are using internet tools to create such documents," claims Rajarao of PwC. "Misrepresentation of facts by candidates at the time of recruitment is the ugly face of India Inc.," contends E&Y's Srikant. Recently, a candidate applied for a position in E&Y. During a routine check in the firm’s databases, it was found that he had earlier applied for another role in EY about three years ago, where the CV submitted had different work experience.
Perhaps the zeitgeist has encouraged such economic offences to flourish. Indian and multinational companies treat fraud differently. "While MNCs will take steps to fix a problem, Indian companies think of it as a cost of doing business. So their mentality is—why should I spend my time to investigate and detect? MNCs have regulatory issues in the US, etc and they also feel strongly about ethics and culture," points out Rajarao. That's why "80% of the companies in India prefer to hush up the case", leading to a bigger problem. "Companies want to hush up the case as they don't want to deal with authorities because there is no enforcement. In large cases, the person is asked to resign. When the company does the cost-benefit analysis, often it doesn't make sense to pursue the case," adds Srikant. A few months back, the CFO of a leading group was fired after some anomalies were found in the accounts. Soon enough, he landed a job in another big firm, where he committed the same fraud. When the new company's CEO called the CEO of the earlier company, he asked why the CFO hadn't been taken to task. Yet even the CEO of the new company let him off scot-free. Caveat emptor. The fraudster is out again, raring to repeat the same act in a company… and that could be yours.

Source: The Economic Times, Corporate Dossier, dt. 28.08.09

Thursday, August 20, 2009

India rising as cyber crime power

London:

India is fast emerging as a major hub of cyber crime, as recession is driving computer-literate criminals to electronic scams, claimed a study by researchers at the University of Brighton.
Titled ‘Crime Online: Cyber crime and Illegal Innovation’, the study states that cyber crime in India, China, Russia and Brazil is a cause of “particular concern” and that there has been a “leap in cyber crime” in India in recent years, partly fuelled by the large number of call centres.
“Russia, China and Brazil are world leaders in cyber crime, with groups and individuals in India powering up to compete. Yet companies in Europe and the US are increasingly moving IT functions and software development tasks to India, Brazil, Russia and Eastern Europe in a bid to draw on their good IT skills and lower wages”, says Professor Howard Rush, who led the study.
Although cyber criminal activity remained low in India compared with other emerging economies, the report says that “there has been a leap in cyber crime in recent years”. Reported cases of spam, hacking and fraud have multiplied 50-fold from 2004 to 2007, it claims.
“One recent report ranked India in 2008 as the fourteenth country in the world hosting phishing websites. Additionally, the booming of call centres in India has generated a niche for cyber criminal activity in harvesting data”, the report maintained.
The report also says that cyber crime is a global industry but the combination of poor economic opportunities and high skills is driving many developing regions to surface as major players in cyber crime.
The report predicts that cyber crime will continue to offer high rewards and low risks both to organized and to opportunistic criminals across the world. New players are emerging in countries like India and Brazil and as international financial networks acquire a greater global reach, such opportunities will multiply, it said.
“The scale and nature of the problem is genuinely transnational—credit card details stolen in the UK can be processed in Malaysia and used in Australia, while Indian call centres are thought to be a source for insider fraud”, the report says.
Law enforcement agencies are struggling to respond to the crisis, especially in places where legislative frameworks are weak or non-existent.

Source: Times of India, Mumbai Edition, dt 20.08.09

Swiss Banks Court New Markets, Shun Americans as Secrecy Erodes

Swiss private bankers are turning to emerging markets and shunning American clients as the government’s agreement to hand over the details of 4,450 UBS AG accounts to U.S. authorities erodes bank secrecy.

Yesterday’s settlement in a lawsuit against UBS comes five months after Switzerland said it would renegotiate tax treaties to avoid being blacklisted as an uncooperative tax haven. Swiss banks hold $2 trillion for individuals overseas, or 27 percent of the globe’s offshore wealth, according to Boston Consulting Group and the Swiss Bankers Association.

“It shows Swiss banks can be put under pressure by foreign tax authorities,” said Teodoro Cocca, professor of wealth management at Johannes Kepler University in Linz, Austria. “Bringing new money to Switzerland will be considered risky.”

Some of Switzerland’s 300 banks are already shifting their focus to Asia, Russia and the Middle East, stressing their financial expertise and Switzerland’s reputation for stability and security. Julius Baer Holding AG, Lombard Odier & Cie. and Bank Sarasin & Cie. have opened offices from Moscow to Singapore and Mumbai in the past two years.

The decline of bank secrecy has been an issue for Swiss bankers since 2002, when the European Union asked for the automatic exchange of tax information, said Alfred Mettler, an adviser to the Swiss government on banking secrecy and a professor at the Robinson College of Business at Georgia State University in Atlanta.

“Bank secrecy will change and over time there will be less and less untaxed money in Switzerland, especially from the U.S.,” Mettler said. “But privacy will remain important, even with double-taxation agreements.”

‘Scheme to Defraud’

The U.S. Internal Revenue Service plans to target other financial institutions, law firms and entities that help Americans hide assets offshore, IRS Commissioner Douglas Shulman said yesterday in an interview with Bloomberg Television.

UBS admitted in February to participating “in a scheme to defraud the U.S.” The Zurich-based bank agreed to pay $780 million and disclose the names of more than 250 clients who allegedly hid assets from the IRS. A day later, the IRS sued UBS for information on as many as 52,000 clients, triggering the negotiations that led to yesterday’s settlement.

“Swiss bank secrecy that includes tax evasion is on its last legs,” said tax attorney Josh Ungerman of Meadows, Collier, Reed, Cousins & Blau LLP in Dallas. “The IRS made clear that U.S. clients at other Swiss banks are subject to U.S. requests for information if they engaged in the same type of tax evasion as UBS clients.”

Client Exodus

The litigation has already damaged UBS, adding to an exodus of clients hurt by the global financial crisis. UBS customers withdrew 156.3 billion francs ($146.8 billion) of assets over the past five quarters, dropping the bank into second place globally as a money manager for the rich.

“This agreement helps resolve one of UBS’s most pressing issues,” Chairman Kaspar Villiger said yesterday in a statement. “I am confident that the agreement will allow the bank to continue moving forward to rebuild its reputation through solid performance and client service.”

The Swiss tradition of bank secrecy dates to the 19th century. The first laws forbidding bankers from disclosing information were enacted in 1934, a year after Adolf Hitler passed legislation threatening to imprison Germans who didn’t declare money held abroad.

“This agreement doesn’t undermine Swiss bank secrecy,” said Michael Ambuehl, Switzerland’s chief negotiator on the UBS settlement. “I don’t think that there will be pressure on other Swiss banks on the basis of the UBS agreement. The agreement has been made specifically for the UBS case.”

Swiss Laws

The settlement complies with existing Swiss laws under which tax fraud, or actively misleading authorities, is a crime and tax evasion, or failing to declare assets, is not. It also gives clients the right to appeal to a Swiss court if UBS decides to turn over their names.

The government has said the new tax treaties it is negotiating will allow it to cooperate on both fraud and evasion cases if foreign authorities provide specific evidence of a violation.

The UBS agreement shows the limits of banking secrecy, said Martin Maurer, secretary general of the Zurich-based Association of Foreign Banks in Switzerland, which represents more than 140 institutions.

“If a bank undermines a foreign law, then you can’t expect the Swiss government to cover its wrongdoings in another country,” Maurer said.

American Accounts Closed

Increased scrutiny from U.S. regulators has led some Swiss banks to close investment accounts held by Americans.

UBS told U.S. clients in a March 27 letter that it planned to terminate their existing accounts within 45 days. Customers who wanted to continue banking with UBS were asked to transfer their assets into an entity registered with the U.S. Securities and Exchange Commission, according to a copy of the seven-page letter seen by Bloomberg News.

Geneva-based Mirabaud & Cie. is closing the “few remaining” accounts held by U.S. taxpayers, a company spokesman said in June.

HSBC Holdings Plc’s Swiss private bank and Credit Suisse Group AG have also asked clients for permission to release their details to financial regulators in other countries that demand investor disclosure.

The Swiss unit of HSBC, Europe’s biggest bank, in September asked clients to surrender their right to secrecy if they wanted to hold securities in 28 markets. The bank said it “strongly recommends” that independent money managers renounce banking secrecy for clients who want to invest in the U.S., Germany, the U.K., Russia, Singapore and seven other markets.

Ringfencing Americans

“The big banks will probably ringfence American clients and concentrate on developing emerging markets, such as India and China,” said Matthew Ledvina, an international tax lawyer in Zurich. “It’s hard to beat countries like Switzerland for political risk.”

Some Swiss banks are also opening branches in new European markets to serve clients in their home countries, instead of in Switzerland.

Julius Baer opened offices in Istanbul, Moscow and Milan in the past two years. Lombard Odier, Geneva’s oldest private bank, has expanded in Prague and Singapore, and Bank Sarasin opened branches in Mumbai, Warsaw and Frankfurt.

Pictet & Cie., Switzerland’s biggest closely held private bank, is expanding its Frankfurt-based staff to attract more onshore money from German clients.

“Switzerland has to promote its political stability, the skills of its employees and its low-tax environment,” said Cedric Tille, a professor at the Graduate Institute in Geneva and a former economist at the Federal Reserve Bank of New York. “If all we have to offer is the ability to hide from the tax man, then we are in trouble because that would be building a financial model on sand.”

Source: Bloomberg, By Warren Giles & Dylan Griffiths

Wednesday, August 19, 2009

Phishing: The Basics

Here's how to be on your guard against phishing attacks


Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Pharming also aims to collect personal information from unsuspecting victims by essentially tinkering with the road maps that computers use to navigate the Web. You don't want either one working its evil genius on you, your employees or your customers. Here's how to be on your guard against both phishing and pharming. Last updated: April 2009


Q: What is phishing?

A: Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Typically, a phisher sends an e-mail disguised as a legitimate business request. For example, the phisher may pass himself off as a real bank asking its customers to verify financial data. (So phishing is a form of "social engineering".) The e-mail is often forged so that it appears to come from a real e-mail address used for legitimate company business, and it usually includes a link to a website that looks exactly like the bank's website. However, the site is bogus, and when the victim types in passwords or other sensitive information, that data is captured by the phisher. The information may be used to commit various forms of fraud and identity theft, ranging from compromising a single existing bank account to setting up multiple new ones.

Early phishing attempts were crude, with telltale misspellings and poor grammar. Since then, however, phishing e-mails have become remarkably sophisticated. Phishers may pull language straight from official company correspondence and take pains to avoid typos. The fake sites may be near-replicas of the sites phishers are spoofing, containing the company's logo and other images and fake status bars that give the site the appearance of security. Phishers may register plausible-looking domains like aolaccountupdate.com, mycitibank.net or paypa1.com (using the number 1 instead of the letter L). They may even direct their victims to a well-known company's actual website and then collect their personal data through a faux pop-up window.
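The lookalike domains above (the digit-for-letter swap in paypa1.com, the brand name embedded in aolaccountupdate.com) can be screened for automatically. The following Python is an added example, not part of the original article: it normalises confusable characters in the registrable label of each domain and compares it with a watch list of brands. The brand list and the domain registrations are constructed for the example; the near-miss (edit distance) check goes one step beyond the substitutions the article describes.

```python
import re

# Character swaps phishers use to imitate a brand (the "1 for l" case from the
# article, plus other common confusables). Applied before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("@", "a"), ("$", "s")]


def registrable_label(domain):
    """Second-level label of a domain ('www.paypa1.com' -> 'paypa1').
    Naive: it does not consult the public suffix list for co.uk-style TLDs."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Undo confusable substitutions and drop anything that is not a letter."""
    label = label.lower()
    for lookalike, letter in CONFUSABLES:
        label = label.replace(lookalike, letter)
    return re.sub(r"[^a-z]", "", label)


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(domains, brands, max_distance=1):
    """Return (domain, brand, reason) for each registration resembling a brand.

    Reasons: 'confusable-characters' when the label equals the brand only
    after normalisation, 'brand-embedded' when the brand is a substring,
    'near-miss' when the normalised label is within max_distance edits.
    The brand's own exact domain is not reported.
    """
    hits = []
    for domain in domains:
        label = registrable_label(domain)
        norm = normalize(label)
        for brand in brands:
            b = brand.lower()
            if norm == b and label != b:
                hits.append((domain, brand, "confusable-characters"))
            elif b in norm and norm != b:
                hits.append((domain, brand, "brand-embedded"))
            elif norm != b and edit_distance(norm, b) <= max_distance:
                hits.append((domain, brand, "near-miss"))
    return hits


# Constructed feed of "new registrations" for the example; the first three
# are the patterns named in the article, the last two are added cases.
NEW_REGISTRATIONS = ["aolaccountupdate.com", "mycitibank.net", "paypa1.com",
                     "paypal.com", "weather-report.org", "citibnk.com"]
WATCHED_BRANDS = ["paypal", "citibank", "aol"]

if __name__ == "__main__":
    for domain, brand, reason in flag_lookalikes(NEW_REGISTRATIONS, WATCHED_BRANDS):
        print(f"{domain:24} resembles {brand:10} ({reason})")
```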


Can we prevent phishing attacks?

Companies can reduce the odds of being targeted, and they can reduce the damage that phishers can do (more details on how below). But they can't really prevent it. One reason phishing e-mails are so convincing is that most of them have forged "from" lines, so that the message looks like it's from the spoofed company. There's no way for an organization to keep someone from spoofing a "from" line and making it seem as if an e-mail came from the organization.

A technology known as sender authentication does hold some promise for limiting phishing attacks, though. The idea is that if e-mail gateways could verify that messages purporting to be from, say, Citibank did in fact originate from a legitimate Citibank server, messages from spoofed addresses could be automatically tagged as fraudulent and thus weeded out. (Before delivering a message, an ISP would compare the IP address of the server sending the message to a list of valid addresses for the sending domain, much the same way an ISP looks up the IP address of a domain to send a message. It would be sort of an Internet version of caller ID and call blocking.)
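The lookup the paragraph describes (compare the sending server's IP address with a list the sending domain publishes) is what SPF later standardised. As an added example, not code from the original article, the Python below evaluates a simplified SPF policy against a sending IP and maps the result to a gateway decision. The domains, addresses and records are constructed and stand in for DNS TXT lookups; only the ip4, ip6, include and all mechanisms are modelled.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers; a real gateway would
# query DNS for the sender domain's record instead of consulting this table.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.example-bank.test -all",
    "mailer.example-bank.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.test": "v=spf1 include:loop.test -all",  # deliberately self-referencing
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, sending_ip, records=SPF_RECORDS, _depth=0):
    """Evaluate a simplified SPF record for sending_ip.

    Supports the ip4, ip6, include and all mechanisms with the four
    qualifiers; other mechanisms are skipped. Returns one of
    pass / fail / softfail / neutral / none / permerror.
    """
    if _depth > 10:  # RFC 7208 caps DNS-querying terms at 10; this stops include loops
        return "permerror"
    record = records.get(sender_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # the domain publishes no policy, so nothing can be checked
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == network.version and ip in network
        elif mechanism == "include":
            sub = check_spf(value, sending_ip, records, _depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        elif mechanism == "all":
            matched = True
        else:
            continue  # a, mx, exists and redirect= are not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no term matched and the record has no "all"


def gateway_action(mail_from, sending_ip, records=SPF_RECORDS):
    """Map the SPF result for an envelope sender address to a gateway decision."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(domain, sending_ip, records)
    action = {
        "pass": "deliver",
        "fail": "reject",
        "softfail": "deliver-tagged",
        "permerror": "deliver-tagged",
    }.get(result, "deliver-unverified")  # none / neutral: no policy to enforce
    return result, action


if __name__ == "__main__":
    for sender, ip in [("alerts@example-bank.test", "192.0.2.25"),
                       ("alerts@example-bank.test", "203.0.113.5")]:
        print(sender, ip, gateway_action(sender, ip))
```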

Although the concept is straightforward, implementation has been slow because the major Internet players have different ideas about how to tackle the problem. It may be years before different groups iron out the details and implement a standard. Even then, there's no way of guaranteeing that phishers won't find ways around the system (just as some fraudsters can fake the numbers that appear in caller IDs). That's why, in the meantime, so many organizations—and a growing marketplace of service providers—have taken matters into their own hands.


What can my company do to reduce our chances of being targeted by phishing attacks?

In part, the answer has to do with NOT doing silly or thoughtless things that can increase your vulnerability. Now that phishing has become a fact of life, companies need to be careful about how they use e-mail to communicate with customers. For example, in May 2004, Wachovia's phones started ringing off the hook after the bank sent customers an e-mail instructing them to update their online banking user names and passwords by clicking on a link. Although the e-mail was legitimate (the bank had to migrate customers to a new system following a merger), a quarter of the recipients questioned it.

As Wachovia learned, companies need to clearly think through their customer communication protocols. Best practices include giving all e-mails and webpages a consistent look and feel, greeting customers by first and last name in e-mails, and never asking for personal or account data through e-mail. If any time-sensitive personal information is sent through e-mail, it has to be encrypted. Marketers may wring their hands at the prospect of not sending customers links that would take them directly to targeted offers, but instructing customers to bookmark key pages or linking to special offers from the homepage is a lot more secure. That way, companies are training their customers not to be duped.

It also makes sense to revisit what customers are allowed to do on your website. They should not be able to open a new account, sign up for a credit card or change their address online with just a password. At a minimum, companies should acknowledge every online transaction through e-mail and one other method of the customer's choosing (such as calling the phone number on record) so that customers are aware of all online activity on their accounts. And to make it more difficult for phishers to copy online data-capture forms, organizations should avoid putting them on the website for all to see. Instead, organizations should require secured log-in to access e-commerce forms.

At the end of the day, though, better authentication is the best way to decrease the likelihood that phishers will target your organization. Banks are beginning to experiment with technologies like RSA tokens, biometrics, one-time-use passwords and smart cards, all of which make their customers' personal information less valuable for phishers.

One mid-sized bank was able to cut its phishing-related ATM card losses by changing its authentication process. Every ATM card has data encoded on its magnetic strip that the customer can't see but that most ATM machines can read. The bank worked with its network provider to use that hidden information to authenticate ATM transactions—an important step that, according to Gartner, only about half of U.S. banks had taken by mid-2005. "Since the number isn't printed on the back of the card, customers can't accidentally disclose it," the bank's CISO explained. The information was already in the cards, so the bank didn't have to go through an expensive process of reissuing cards. "It was a very economical solution, and it's been very effective," said the CISO.

What plans should my company have in place before a phishing incident occurs?

Before your organization becomes a target, establish a cross-functional anti-phishing team and develop a response plan so that you're ready to deal with any attack. Ideally, the team should include representatives from IT, internal audit, communications, PR, marketing, the Web group, customer service and legal services.

This team will have to answer some hard questions, such as:

* Where should the public send suspicious e-mails involving your brand? Set up a dedicated e-mail account, such as fraud@domainname.com, and monitor it closely.

* What should call center staff do if they hear a report of a phishing attack? Make sure that employees are trained to recognize the signs of a phishing attack and know what to tell and ask a customer who may have fallen for a scam.

* How and when will your organization notify customers that an attack has occurred? You might opt to post news of new phishing e-mails targeting your company on your website, reiterating that they are not from you and that you didn't and won't ask for such information.

* Who will take down a phishing site? Larger companies often keep this activity in-house; smaller companies may want to outsource.

  • If you keep the shut-down service in-house, a good response plan should outline whom to contact at the various ISPs to get a phisher site shut down as quickly as possible. Also, identifying law enforcement contacts at the FBI and the Secret Service ahead of time will improve your chances of bringing the perpetrator to justice.
  • If a vendor is used, decide what the vendor can do on your behalf. You may want to authorize representatives to send e-mails and make phone calls, but have your legal department handle any correspondence involving legal action.

* When will the company take action against a phishing site, such as feeding it inaccurate information or exploiting vulnerabilities in its coding? Talk out the many pros and cons beforehand.

* How far will you go to protect customers? Decide how much information about identity theft you'll give to customers who fall for a scam, and how this information will be delivered. You should also talk through scenarios in which you will monitor or close and re-open affected accounts.

* Are you inadvertently training your customers to fall for phishing scams? Educate the sales and marketing teams about characteristics of phishing e-mails. Then, make sure legitimate e-mails don't set off any alarms.


How can we quickly find out if a phishing attack has been launched using our company's name?

Sometimes a new phish announces itself violently, as an organization's e-mail servers get pummeled with phishing e-mails that are bouncing back to their apparent originator. There are other ways to learn about an attack, though—either before or after it occurs.

a) Monitor for fraudulent domain name registrations.
Phishers often set up the fake sites several days before sending out phishing e-mails. One way to stop them from swindling your customers is to find and shut down these phishing sites before phishers launch their e-mail campaigns. You can outsource the search to a fraud alert service. These services use technologies that scour the Web looking for unauthorized uses of your logo or newly registered domains that contain your company's name, either of which might be an indication of an impending phishing attack. This will give your company time to counteract the strike (more on that later).

b) Set up a central inbox.
The easiest and most effective way to find out if your organization is being targeted by phishers is simply by giving the general public a way to report phishing attacks. "It's your customers and noncustomers who are going to be the ones that tell you that the phish is out there," said one security manager interviewed for a case study published in CSO. To do this, organizations typically set up one e-mail address where all suspected phishing e-mails are directed, with an address such as fraud@domainname.com or phish@domainname.com. Ideally, this central inbox should be monitored 24/7.

c) Watch your Web traffic.
After gathering victims' information, many phishing sites then redirect the victim to a log-in page on the real website the phisher is spoofing. SANS's Internet Storm Center suggests that by examining Web traffic logs for spikes in referrals from specific, previously unseen IP addresses, CSOs may be able to zero in on sites used for large-scale phishing attacks.
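The referral check described above, as an added example that is not part of the CSO article or of SANS's own tooling. The log lines are constructed in Apache combined format; the log-in paths in `LOGIN_PATHS`, the baseline in `KNOWN_REFERERS` and the threshold are assumptions to tune for a real site.

```python
"""Flag unexpected referrers sending traffic to the real log-in page.

Added example, not from the CSO article or from SANS. The log lines are
constructed in Apache combined format; the known-referrer baseline and the
threshold are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

LOGIN_PATHS = {"/login", "/signin"}   # assumed paths of the real log-in page
# Assumed baseline: referrers that normally send users to the log-in page
# (the empty string covers requests with no Referer header, logged as "-").
KNOWN_REFERERS = {"", "www.example-bank.com", "example-bank.com", "www.google.com"}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(ref):
    if ref == "-" or not ref:
        return ""
    return (urlparse(ref).hostname or "").lower()


def suspicious_referers(lines, threshold=3):
    """Return {referer_host: hits} for unknown referrers that sent at least
    `threshold` visitors to the log-in page."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"].split("?")[0] not in LOGIN_PATHS:
            continue
        host = referer_host(rec["referer"])
        if host not in KNOWN_REFERERS:
            counts[host] += 1
    return {h: n for h, n in counts.items() if n >= threshold}


# Constructed sample: four victims bounced from a site on a bare IP address,
# normal traffic, a one-off blog referral, and a hot-linked logo image.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2005:09:01:02 -0400] "GET /login HTTP/1.1" 200 1532 "http://198.51.100.23/secure-update/" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Jul/2005:09:01:07 -0400] "GET /login HTTP/1.1" 200 1532 "http://198.51.100.23/secure-update/" "Mozilla/4.0"',
    '203.0.113.14 - - [10/Jul/2005:09:01:11 -0400] "GET /login?next=accounts HTTP/1.1" 200 1532 "http://198.51.100.23/secure-update/" "Mozilla/4.0"',
    '203.0.113.22 - - [10/Jul/2005:09:01:30 -0400] "GET /login HTTP/1.1" 200 1532 "http://198.51.100.23/secure-update/" "Mozilla/4.0"',
    '203.0.113.31 - - [10/Jul/2005:09:02:00 -0400] "GET /login HTTP/1.1" 200 1532 "https://www.example-bank.com/" "Mozilla/4.0"',
    '203.0.113.40 - - [10/Jul/2005:09:02:05 -0400] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    '203.0.113.41 - - [10/Jul/2005:09:02:09 -0400] "GET /login HTTP/1.1" 200 1532 "http://blog.example.org/post" "Mozilla/4.0"',
    '203.0.113.42 - - [10/Jul/2005:09:02:15 -0400] "GET /images/logo.gif HTTP/1.1" 200 820 "http://198.51.100.23/secure-update/" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, hits in suspicious_referers(SAMPLE_LOG).items():
        print(f"{hits} log-in referrals from unknown site {host}")
```

The last sample line is deliberately excluded from the count, but it is a second signal worth its own rule: a page on an unknown host that hot-links your real logo is very often the phishing page itself.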

d) Hire a firm to help.
The same companies that scan the Internet for unauthorized uses of your logo can also monitor for active phishing sites. For example, Toronto-based Brandimensions hosts a vast, interconnected network of domain names and e-mail addresses intended solely to attract phishing e-mails and other spam. They're called honeypots. Entire websites are built to publish e-mail addresses, point to one another, and thereby attract the attention of automated Web crawlers that compile spam lists. The company then uses "relevancy detection software" to flag the e-mails that could be most damaging to its customers.


How can we help our customers avoid falling for phishing?

People who know about phishing stand a better chance of resisting the bait. "The best defense is that a consumer has heard of phishing and is unlikely to respond," says Patricia Poss, an attorney with the Bureau of Consumer Protection at the Federal Trade Commission. Consumers must be trained to think twice about replying to any e-mail or pop-up that requests personal information.

Teach employees how to recognize spoofed e-mail. Similarly, warn your customers about the dangers of phishing, and let them know you'll never ask for their account number, password, Social Security number or any other personal information via e-mail. Train them to avoid clicking on e-mail links to reach you and instead to type your company's URL directly into a new browser window.

The oft-targeted PayPal, for instance, has a Security Center on its website that includes an e-commerce safety guide, fraud protection tips for buyers and sellers, a link to let users report spoof e-mails and a prominent reminder to log in to PayPal by opening a new browser window and typing in the URL. Some companies also do physical mailings to customers.

However, there's only so much that customer education can do. The onus is also on the organization to limit the damage by shutting down the phishing site.

If an attack does happen, how should we respond?

Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).

Step 1) Gather basic information about the attack. This should include screen shots of the website plus the URL.

Step 2) Contact the ISP (or whoever is hosting the website). Explain the situation and ask that the site be shut down. Many phishing sites are launched on hacked computers, so in a best-case scenario, taking down the site is simply a matter of contacting a website's owners, pointing them to the URL of the webpage, and asking them to remove the offending content (and patch their Web servers). "You say, Hey, did you know there's a URL on your website that's a phishing attack?" says Hugh Hyndman, CTO of Brandimensions. "They look at it and go, Oh my God, and they remove that website."

How well an ISP is likely to respond depends on both the ISP and an organization's relationship with it. "If you have a good relationship with the ISP, you can get the site down in a matter of hours," says Dave Jevans, chairman of the Anti-Phishing Working Group. "Sometimes." Other times you won't be so lucky. Seventy percent of phishing sites are hosted outside of the United States, so you may need a translator. You also may need to do some delicate negotiations to convince the ISP to throw the switch on a paying customer. If the representative hems and haws and says that policing the Internet is not his job, Jevans says, "rattle a few sabers" and threaten to call law enforcement.

In the most difficult scenario, a phishing site is domain-based. Hyndman has seen phishing websites set up to automatically change their IP addresses as often as every three minutes, hopping from one hacked computer to another in a complex game of cat and mouse played out across the globe.

Step 3) Contact law enforcement. Although this is an important step, be warned that it isn't necessarily the most effective way to get the site shut down quickly. The FBI and Secret Service are more concerned with patterns and big busts than individual ones, and until a customer has fallen for a scam and suffered damages, there may have been no law broken. Nevertheless, agents may be able to intervene on your behalf—and who knows, your case may be part of the bigger picture investigation needed to shut down a given fraudster. (This has happened. In May 2005, a 20-year-old Texas man was sentenced to almost four years in prison for phishing.)

By establishing a relationship with law enforcement, you'll come to understand when agents want information about what kinds of attacks. For instance, the bank in the aforementioned CSO case study gets a compact disc from its vendor with information about each phish, and a copy of that CD is then passed on to the FBI, which looks for patterns or anomalies in the attacks.

Does all this sound like too much for your company? Then pay someone else to do it for you. The marketplace is brimming right now with companies that will do the dirty work. Brandimensions, Cyota, MarkMonitor and others offer anti-phishing services.

Responders at a good service provider will have expertise in working their way up the network stream seeking someone who can and will shut down the site. They try to work with the ISP or Web hosting company, and then if necessary contact the domain name registrar that's directing the URL to a given IP address. They'll send e-mails and faxes; they'll make phone calls. If necessary, they'll send notices threatening legal action. Often, when the site is hosted outside the United States, they'll seek help from local groups of first responders organized by CERT/CC at Carnegie Mellon. The end result? The phishing website might be up for hours instead of days.


Any legal/regulatory requirements we should be aware of?

Regulatory requirements depend on your organization and industry, but the financial services industry in general is being pushed to action. Two examples:

* The Treasury Department's Office of the Comptroller of the Currency issued a bulletin in July 2005 that outlined the steps banks should take to mitigate the risks of phishing. Among other things, national banks were told they must file suspicious activity reports, or SARs, if they are the target of a spoofing incident.

* In December 2004, the Federal Deposit Insurance Corp. issued guidelines for how financial institutions can mitigate phishing risks. The document warns that "the financial service industry's current reliance on passwords for remote access to banking applications offers an insufficient level of security" and describes better options, such as two-factor authentication. (The FDIC study is titled "Putting an End to Account-Hijacking Identity Theft.")


What action can we take against the phishers themselves?

Takedown, which essentially just relocates the problem, may be the only aggressive form of defense that the targeted company has. Prosecutions of phishers have been rare, due to the difficulty of tracing how personal information has been captured, sold and exploited.

However, when a site proves to be particularly vexing to shut down, the vendor may offer to try a controversial practice sometimes known as dilution. This involves feeding fake information into a phishing site—the goal being to "dilute" the real information, making the phisher's haul less valuable.

Dilution is tricky for many reasons. Opinions differ on how best to generate the fake information. Also, patterns (where the traffic is coming from or how often) can tip off phishers that the information is bogus, possibly prompting them to retaliate against the targeted company. There are also legal concerns. High-volume dilution can amount to denial of service—an attack in which so much bogus traffic floods a website that it collapses. Jevans, of the Anti-Phishing Working Group, laughs when asked about dilution. "That's the polite term," he says. "Denial of service"—the impolite term—"is illegal. Which is why you find not everybody is using dilution."

Vendors may counter that dilution is significantly different from a denial-of-service attack because the Web traffic is supposed to arrive at a reasonable enough rate to look like actual users. Still, most companies are leery of the practice. The bank profiled in CSO, for example, decided that dilution was worth the risk only if the situation became critical, with a large number of people responding to the phish and causing the bank "significant" losses.

How might phishing attacks evolve in the near future?

As phishing e-mails and websites have grown more sophisticated, phishers also have changed the kinds of companies they are spoofing. Early phishing e-mails usually targeted large banks, credit card companies, online payment services, ISPs and large online retailers. As those large companies put defense mechanisms in place to limit the damages, phishers have moved on to smaller companies that may be less prepared to defend themselves.

At the same time, phishers have also grown more sophisticated in their use of e-mail address lists. A phishing e-mail targeting a regional credit union, for example, may be sent only to customers who use ISPs located in that same area. The latest and perhaps ultimate personalization? A technique known as "spear phishing," in which e-mails are customized for particular users. One scam targeted just executives at certain kinds of companies. Security analyst Steve Hunt reports another spear-phishing scam in which he received a text message from a "bank" directing him to call a telephone number; the number yielded a recorded voice asking for his debit card number and PIN.

Meanwhile, as customers become more savvy about the risks of divulging personal information, fraudsters are looking for ways to gather information without the victims' knowledge. This is often done with a method known as pharming. Like phishing, pharming aims to collect personal information from unsuspecting victims. The difference is that pharming doesn't rely on e-mail solicitation to ensnare its victims. Instead, this attack method essentially tinkers with the road maps that computers use to navigate the Web, such that large numbers of users can wind up giving personal data to a bogus site even if they've typed in a legitimate URL.

Pharming combines a mix of mainstream threats such as viruses and spyware, plus more esoteric stuff such as domain spoofing and DNS poisoning. In one scenario, a user receives some kind of malware (virus, worm, Trojan horse or spyware) that rewrites the local hosts file, the table that maps hostnames to the numeric IP addresses computers use to find and access websites. Then, for example, when the user types a legitimate bank's URL into the browser window, the computer is misdirected to a bogus but authentic-looking website of the same sort that might be used in a phishing attack. In another scenario, a hacker poisons a more public DNS directory cache (at an ISP, for instance), again leading unsuspecting Internet users to phony sites.
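The first scenario, a tampered hosts file, is the one a defender can check directly on an endpoint. Below is an added example (not code from the CSO article or from any vendor it names) that audits a hosts file for entries touching a set of monitored domains; the hosts-file text and the `EXPECTED` address table are constructed for illustration.

```python
"""Audit a hosts file for entries that hijack monitored domains.

Added example, not from the CSO article. The hosts-file text and the expected
addresses are constructed; on a real machine read /etc/hosts (or
%SystemRoot%\\System32\\drivers\\etc\\hosts on Windows) and take the expected
addresses from your own DNS records, never from the machine being checked.
"""
import ipaddress

# Assumed: legitimate addresses for the domains whose customers we protect.
EXPECTED = {
    "www.example-bank.com": {"203.0.113.10", "203.0.113.11"},
    "online.example-bank.com": {"203.0.113.12"},
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue   # first field is not an address; ignore the line
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text, expected=EXPECTED):
    """Return (hostname, ip, reason) tuples for every entry touching a monitored domain.

    A hosts entry wins over DNS, so even a 'correct' static mapping is worth a
    look: it may be the leftover of earlier tampering, and it silently bypasses
    any protection applied at the DNS level.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name not in expected:
            continue
        if ip in expected[name]:
            reason = "monitored domain statically mapped; DNS bypassed"
        else:
            reason = "monitored domain pinned to an unexpected address"
        findings.append((name, ip, reason))
    return findings


# Constructed sample of a tampered hosts file (not a real file).
HOSTS_SAMPLE = """\
127.0.0.1     localhost
::1           localhost ip6-localhost
192.0.2.50    www.example-bank.com      # planted by malware
192.0.2.50    online.example-bank.com
203.0.113.10  www.example-bank.com      # right address, but still a static override
10.0.0.5      intranet.corp.example
not-an-ip     www.example-bank.com      # malformed, ignored
"""

if __name__ == "__main__":
    for name, ip, reason in audit_hosts(HOSTS_SAMPLE):
        print(f"{name:28} -> {ip:14} {reason}")
```

The second scenario, a poisoned resolver cache, cannot be seen from the endpoint's hosts file at all; the analogous check there is to resolve the monitored names through several independent resolvers and alert when their answers disagree with your authoritative records.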

In either case, potentially large numbers of users are drawn to the fraudulent sites or proxy servers (a computer that sits between the user and the real server and captures information as it passes through), where criminals can track activity and gather credit card data and personal identification numbers.

Pharming is technically harder to accomplish than phishing. To execute a phishing attack, a hacker needs to be able to create a plausible URL, a decent webpage and an e-mail message. This is not hard. Pharming, on the other hand, requires knowledge of how to manipulate DNS caches or gain access to someone's computer files or servers to change settings. But it can also be more damaging, because even savvy computer users may have no idea that their information has been compromised.


How can we guard against pharming attacks?

Just as pharming is more technically difficult to pull off than phishing, it's more technically complicated to protect against. Here are some basics.

a) Deploy technologies such as intrusion prevention and antivirus software, desktop firewalls with filters to look for spyware, and logging software to look for particular events such as spikes in DNS traffic or spikes in e-mail traffic from a single user.

b) Make incident response teams aware of the threat, and teach employees and customers how to avoid pharming incidents. Also ramp up education efforts aimed at business partners, especially for smaller companies that might need help to deal with the pharming threat.

c) Place controls on DNS servers, such as host-based intrusion detection systems, to prevent visitors to your websites from inadvertently being drawn into a pharming attack. There are also some vendors that focus on DNS security, such as UltraDNS.

d) Be prepared to have Internet service providers quickly shut down malicious sites that are set up for pharming. Consider moving ahead with plans for stronger authentication technologies that control access to systems that could be targets of pharmers.

e) Follow developments such as the progress of the DNSSEC standards, and ensure that your company's ISPs have the proper controls on their DNS directories and servers.

Source : CSO Magazine, By Alice Dragoon, Sarah D Scalet and Bob Violino