One of 'the big four' British banks halts internet services

news alert

Sophisticated phishing scams erode confidence and automatic compensation
London, UK - 18 November 2004, 14:15 GMT - One of the UK's largest banks has been forced to suspend some of its online banking services after tens of thousands of customers were targeted by an email phishing scam. The Financial Services Authority (FSA), the UK financial services regulator, had warned last week that banks would have to step up preventive measures against phishing. There are about 14 million online banking customers in the UK, and the number is growing.
    
Over the weekend, there have been reports that several British banks will stop compensating their customers for online financial fraud if the customers are found to have been negligent or reckless. For example, users who are considered to have ignored safety advice before losing money in online banking scams would be denied compensation by their banks.
    
NatWest - part of The Royal Bank of Scotland and one of 'the big four' - has as of yesterday stopped roughly one million online customers from setting up new direct debits or standing orders, in response to escalating and increasingly sophisticated techniques deployed by fraudsters to steal personal banking details by email.
    
Customers at NatWest had reported that they had been sent bogus emails asking them to divulge their personal details. The bank was left with no choice other than to respond by shutting down certain key services. With new third-party payments and standing orders currently on hold, any fraudster who had managed to pick up a customer's personal details would not be able to move any money. Customers have been advised to use other methods to set up such payments, such as telephone banking, in the meantime. Banks have noticed a sharp increase in the number of phishing emails sent by criminal syndicates over the past year. In the scams, fraudsters invariably demand that recipients of the emails provide personal details, which amounts to identity theft.
    
Now that savvy online banking users have started to understand the modus operandi of phishing scams, the criminal syndicates are sending out new types of Trojans. Once the malware infects a Windows PC, it lies silently in the background, waiting for the user to visit an online banking web site. Once the Trojan detects that the browser is on a banking site, it comes alive and begins capturing keystrokes and the relevant screen images. The information is then sent back to the criminal syndicate, which uses it to break into the account.
    
There is a new phishing Trojan being distributed via email that hijacks users' banking information, allowing hackers to empty their accounts. So far this new type of Trojan has swept Brazil, where some arrests have been made, and then the UK. The online customers of Barclays, HSBC, LloydsTSB and NatWest have so far been targeted. The mi2g Intelligence Unit anticipates that it will target Australian, US and Canadian bank users shortly, judging by the geographic proliferation of phishing scams in 2003. The Trojan, once installed, can sniff the user's name, password and PIN. The controllers of the Trojan can then potentially do as they please with the bank account.
    
Simple rules to avoid falling for these scams include never responding to e-mails asking for the user's security details and never accessing the online banking website via a link supplied in an e-mail.
    
Phishing scams recorded in 2004 against major banks and brand names have hit an all-time high of 137 major campaigns, compared with the 54 such high-level incidents that the mi2g Intelligence Unit chronicled for the whole of 2003. The total economic damage from phishing scams worldwide is now estimated to lie between $42bn and $49bn for 2004. Digital risk damages are calculated by the mi2g Intelligence Unit on the basis of helpdesk support costs, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, cost of recovery and software upgrades. When available, Intellectual Property Rights (IPR) violations as well as customer and supplier liability costs have also been included in the estimates.
    
"There is a very clear path to solve the phishing problem and it must be followed swiftly before it is too late. All online customers should be authenticated in three layers through something that they know, something that they carry and something that they are. This is not happening at present," said DK Matai, Executive Chairman, mi2g. "Unless passwords and personal knowledge are coupled with smart card validation and biometric authentication, these scams will continue to proliferate. This problem is not just about money. It is first and foremost about identity theft and the sense of total vulnerability it leaves victim customers with."
    
[ENDS]

mi2g is at the leading edge of building secure on-line banking, broking and trading architectures. The principal applications of our technology are:
    
    1. D2-Banking; 
    2. Digital Risk Management; and 
    3. Bespoke Security Architecture.
    
mi2g pioneers enterprise-wide security practices and technology to save time and cut cost. We enhance comparative advantage within financial services and government agencies. Our real-time intelligence is deployed worldwide for contingency capability, executive decision making and strategic threat assessment.

mi2g Research Methodology: The Frequently Asked Questions (FAQ) List is available from here in pdf. Please note the terms and conditions of use listed on www.mi2g.net
  
Full details of the October 2004 report are available as of 1st November 2004 and can be ordered from here. (To view a contents sample, please click here.)