One of 'the big four' British banks halts internet
Sophisticated phishing scams erode confidence and automatic compensation
London, UK - 18 November 2004, 14:15 GMT - One of the UK's largest
banks has been forced to suspend some of its online banking services after
tens of thousands of customers were targeted by an email phishing scam. The
Financial Services Authority (FSA), the UK financial services regulator, had
warned last week that banks would have to step up preventive measures against
phishing. There are about 14 million online banking customers in the UK and
Over the weekend, there have been reports that several British banks will
stop compensating their customers for online financial fraud if they are found
to be negligent or reckless. For example, those users who are considered to
have ignored safety advice before losing money in online banking scams would
be denied compensation by banks.
NatWest - part of the Royal Bank of Scotland group and one of 'the big four'
- has, as of yesterday, stopped roughly one million online customers from setting
up new direct debits or standing orders in response to escalating and increasingly
sophisticated techniques deployed by fraudsters to steal personal banking
details by email.
Customers at NatWest had reported that they had been sent bogus emails asking
them to divulge their personal details. The bank was left with no choice other
than to respond by shutting down certain key services. With new third-party
payments and standing orders currently on hold, any fraudster who had managed
to pick up a customer's personal details would not be able to move any money.
Customers have been advised to use other methods to set up such payments,
such as telephone banking, in the meantime. Banks have noticed a sharp increase
in the number of phishing emails sent by criminal syndicates over the past
year. In the scams, fraudsters invariably demand that recipients of emails
provide personal details, which amounts to identity theft.
Now that savvy online banking users have started to understand the modus
operandi of phishing scams, the criminal syndicates are sending out a new type
of Trojan. Once the malware infects a Windows PC, it lies silently in the
background, waiting for the user to visit an online banking website. When
the Trojan detects that the browser is on a banking site, it comes alive and
begins capturing keystrokes and the relevant screen images. The information
is then sent back to the criminal syndicate, which uses it to break into the
There is a new phishing Trojan being distributed via email that hijacks users'
banking information, allowing hackers to empty their accounts. So far this
new type of Trojan has swept Brazil, where some arrests have been made, and
then the UK. The online customers of Barclays, HSBC, LloydsTSB and NatWest
have so far been targeted. The mi2g Intelligence Unit anticipates that it
will target Australian, US and Canadian bank users shortly, judging by the
phishing scams' geographic proliferation in 2003. Once installed, the Trojan
can sniff the user's name, password and PIN. The controllers of the
Trojan can then potentially do as they please with the bank account.
Simple rules to avoid falling for these scams include never responding to
e-mails that ask for the user's security details, and never reaching the online
banking website via a link supplied in an e-mail.
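The second rule exists because the visible text of a link in an HTML e-mail says nothing about where the link actually goes. The following is an added example, not code from the original article or from any bank: it pulls the anchors out of a constructed phishing-style message and reports why each one is suspect (mismatch between the displayed and real host, a bare IP address or a user@ prefix in the URL, or a host that is simply not the bank's domain). The allow-list of bank domains and the sample message are assumptions made for the example.

```python
"""Check the links in an HTML e-mail against a bank's real domains.

Added example, not from the original article. The sample message and the
BANK_DOMAINS allow-list are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed allow-list: the registrable domains a customer would expect a
# genuine message from the bank to link to. Assumption for the example.
BANK_DOMAINS = {"natwest.com"}


def registrable_domain(host):
    """Naive registrable domain: last two labels. Adequate for .com here;
    production code should consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href, text, bank_domains=BANK_DOMAINS):
    """Return the reasons this link is suspicious (empty list means it looks fine)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'none'}, not https")
    if parts.username is not None:
        reasons.append("URL carries user@ before the real host")
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    elif registrable_domain(host) not in bank_domains:
        reasons.append(f"host {host} is not a bank domain")
    # If the visible text looks like a URL or domain, it must agree with the real host.
    shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
    if shown and "." in shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"link text shows {shown} but goes to {host or 'an unknown host'}")
    return reasons


def scan_email(html, bank_domains=BANK_DOMAINS):
    """Return [(href, visible text, reasons)] for every anchor in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, analyse_link(href, text, bank_domains)) for href, text in parser.links]


# Constructed sample message; every host below is invented for the example.
SAMPLE = """
<p>Dear customer, please confirm your details at
<a href="http://www.natwest.com.secure-verify.example/login">www.natwest.com</a>
or at <a href="https://192.0.2.10/nw/">https://www.natwest.com/</a>.
You can also <a href="https://www.natwest.com@203.0.113.5/">Log in</a> here.
For help see <a href="https://www.natwest.com/help">our help pages</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE):
        print(href, "->", reasons or "ok")
```

Only the last link, which really goes to the bank's own domain, comes back clean; the first three are the lookalike-domain, bare-IP and user@ tricks that the article's advice is guarding against.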
Phishing scams recorded in 2004 against major banks and brand names have hit
an all-time high of 137 major campaigns, as opposed to the 54 such high-level
incidents the mi2g Intelligence Unit chronicled for the whole of 2003. The total economic
damage from phishing scams worldwide is now estimated to lie between $42bn
and $49bn for 2004. Digital risk damages are calculated by the mi2g Intelligence
Unit on the basis of helpdesk support costs, overtime payments, contingency
outsourcing, loss of business, bandwidth clogging, productivity erosion, management
time reallocation, cost of recovery and software upgrades. When available,
Intellectual Property Rights (IPR) violations as well as customer and supplier
liability costs have also been included in the estimates.
"There is a very clear path to solve the
phishing problem and it must be followed swiftly before it is too late. All
online customers should be authenticated in three layers through something
that they know, something that they carry and something that they are. This
is not happening at present," said DK
Matai, Executive Chairman, mi2g. "Unless
passwords and personal knowledge are coupled with smart card validation and
biometric authentication, these scams will continue to proliferate. This problem
is not just about money. It is first and foremost about identity theft and
the sense of total vulnerability it leaves victim customers with."
mi2g is at the leading edge of building secure on-line banking, broking
and trading architectures. The principal applications of our technology are:
2. Digital Risk Management; and
3. Bespoke Security Architecture.
mi2g pioneers enterprise-wide security practices and technology to
save time and cut cost. We enhance comparative advantage within financial
services and government agencies. Our real time intelligence is deployed worldwide
for contingency capability, executive decision making and strategic threat
mi2g Research Methodology: The Frequently Asked Questions (FAQ) List
is available from here in pdf. Please
note terms and conditions of use listed on
Full details of the October 2004 report are available as of 1st November
2004 and can be ordered from here.