Consumer confidence in conducting business and protecting personal data online is threatened every day by phishing scams. In an initiative led by the National Consumers League (NCL), law enforcement, financial services and technical industries have joined forces to combat this threat. The group today issued a "call to action" with the release of a paper outlining key recommendations that form a comprehensive plan for combating phishing more effectively.
Phishing is a large and growing problem, in which identity thieves pose as legitimate companies, government agencies, or other trusted entities in order to trick consumers into providing their bank account numbers, Social Security numbers, and other personal information. In 2005, phishing scams ranked 6th in Internet complaints to NCL's Internet Fraud Watch program and the scams continue to dupe consumers. A May 2005 consumer survey by First Data found that 43 percent of respondents had received a phishing contact, and of those, 5 percent (approximately 4.5 million people) provided the requested personal information. Nearly half of the phishing victims, 45 percent, reported that their information was used to make an unauthorized transaction, open an account, or commit another type of identity theft.
NCL's new report, the result of a comprehensive three-day brainstorming retreat organized by the Washington-based consumer advocacy organization last September, makes multiple recommendations on how to combat phishing.
"There is no silver bullet to solve the phishing problem, but there are known responses that need more support and promising new approaches that could help deter it," said Susan Grant, director of NCL's National Fraud Information Center. The key recommendations in the report are:
* Create systems that are "secure by design" to make consumers safer online without having to be computer experts;
* Implement better ways to authenticate email users and Web sites to make it easier to tell the difference between legitimate individuals and organizations and phishers posing as them;
* Provide better tools for investigation and enforcement to prevent phishers from taking advantage of technology, physical location, and information-sharing barriers to avoid detection and prosecution;
* Learn from the "lifecycle of the phisher" and use that knowledge about how these criminals operate to exploit points of vulnerability and stop them;
* Explore the use of "white lists" to identify Web sites that are spoofing legitimate organizations and use "black lists" to create a phishing recall system that would prevent phishing messages from reaching consumers;
* Provide greater support for consumer education, using clear, consistent messages and innovative methods to convey them.
Sponsorship for the initiative was provided by the American Express Company, First Data Corporation, and Microsoft Corporation. The recommendations were developed by retreat participants representing financial services firms, Internet service providers, online retailers, computer security firms, software companies, consumer protection agencies, law enforcement agencies, consumer and ID theft victims organizations, academia, and coalitions such as the Anti-Phishing Working Group and the National Cyber Security Alliance. Peter Swire, C. William O'Neill Professor of Law at the Moritz College of Law of the Ohio State University, wrote the report for NCL.
In the next phase of this project, NCL is forming working groups and inviting organizations and experts who are concerned about phishing to examine how the anti-phishing strategies in the report can be adopted on a widespread basis. "We all need to work together in a systematic approach if we want to have a significant impact on the tidal wave of phishing that is hitting consumers and hurting legitimate organizations," said Grant.