
RSA Conference: The scammers' path from broken English to broken links
By Steve Ranger
Published: 23 April 2009 12:43 GMT
Phishers aiming to defraud banks have raised their game - and at the very least have learned to spell - according to the banking executives tasked with stopping them.
According to David Shroyer, Bank of America senior vice president of online security and enrolment, the attacks that fraudsters aim at financial services organisations continue to develop. For example, fraudsters are now building phishing sites with malware embedded in them, which means the unwary risk not only losing their bank details but also getting malware on their PCs if they are tricked into visiting such sites.
"People are still clicking on the links to see if they are real and those who aren't adequately protected are getting infected," he told a session at the RSA Conference in San Francisco.
"We've educated our customers as an industry but the fraudsters aren't standing still," he added.
The fraudsters have fixed some of their basic problems too.
"The bad guys have invested in a spell checker," he joked, a reference to the poorly spelt and designed phishing emails and websites which characterised phishing attempts a few years ago.
But as the fraudsters increase the sophistication of their attacks, educating customers becomes more difficult. "Now we are talking about a much harder topic, about customer protection on the PC and safe browsing habits and that's a hard message to convey," said Shroyer.
One response from the banks is that, upon finding a phishing site, they replace it with a warning explaining phishing instead of shutting it down. As a result, any customers who do click on the link in a phishing email are alerted to the scam, rather than simply finding a broken link.
"We have an opportunity to educate customers, at that point we can say 'you got phished and this is how to prevent it in the future'," Shroyer said.
According to Stan Szwalbenest, remote channel risk director consumer risk management at JP Morgan Chase, there is an easy way to avoid most of the problems: "We have a simple message: have all the patches in place and antivirus up to date."
"Fraud is a loss to the bank but the impact on the customer is much greater and protecting the customer protects our brand," he added.
According to a report by analyst house Gartner, the average cost of a phishing attack to the US financial services industry was $351 last year - a drop of 60 per cent on the year before.