
Boston-based Eastern Bank is among the financial institutions in Massachusetts that have had to address the problem of phishing and other Internet scams.
Sovereign Bank has been the latest target of an ongoing Internet scam known as “phishing” and, despite every effort by Bay State banks to secure their Web sites, there are a few ways criminals have reached bank customers.
Phishing, as defined by a Massachusetts Bankers Association consumer alert, is the act of sending pretext e-mails to unsuspecting recipients who may think the message is from their own bank or credit card company. The e-mails reference problems with an account that require a fast response.
“The e-mails are random, but sending thousands increases the likelihood that the scammers will reach some consumers who, indeed, do business with that particular bank,” read the MBA’s consumer alert.
Typically, the e-mail or its links will use the bank’s logo and other graphics to give the impression that the bank has sent the e-mail. The message usually will ask the recipient to “verify” Social Security and account numbers or passwords.
“The vast majority of online financial transactions happen without a hitch and are quite safe,” said Daniel J. Forte, MBA president. “However, fraud can occur and consumers need to know how to protect themselves to the best of their abilities.”
Last week, Philadelphia-based Sovereign Bank – which has branches in more than a half-dozen states, including Massachusetts – was the latest phishing target. According to the Web site operated by the Anti-Phishing Working Group, a California-based industry association focused on eliminating identity theft and fraud, fraudsters sent out an e-mail with the subject line “Sovereign Bank Unauthorized Account Access.”
The e-mail message read, “We recently reviewed your account, and suspect that your Sovereign Internet Banking account may have been accessed by an unauthorized third party … as a preventative measure, we have temporarily limited access to sensitive account features … check your account profile … to get started, please click the link below.”
The Anti-Phishing Web site said the goal of the e-mail scam is to obtain the victim’s name and credit card information.
‘Very Sophisticated’
Another type of scam that the MBA is warning consumers about is spoofing. When a consumer misspells a bank’s Web site, he or she can be directed to another site that may look just like the bank’s real Web site. The password and account information that a consumer provides could then be stolen.
Boston-based Eastern Bank recently had an experience similar to spoofing. Marc DeCastro, vice president of e-solutions at Eastern, said someone in Australia registered a domain similar to easternbank.com. While the registrant was not pretending to be the bank, the site was linking visitors to other financial Web pages.
“They were taking advantage of our name,” DeCastro said.
After requests from Eastern Bank to change the address, the Australian site obliged.
Many banks in Massachusetts, such as Eastern Bank and Citizens Bank, have posted e-mail fraud notices on their home pages, but DeCastro said most consumers are savvy.
“A lot of people are a lot more cautious,” said DeCastro.
Douglas Emond, chief technology officer at Eastern, said the bank was “quick” to respond to Internet fraud when phishing was first identified about 18 months ago. He added that it is important to understand how the Internet works in order to prevent harm.
“In today’s world and tomorrow’s world, you really have to understand the rules of the road with the Internet,” Emond said.
When Internet fraud initially was identified, Emond said the bank issued a statement and posted a notice on the Web site. He said fraudsters, when sending out thousands of e-mails, are betting on the “law of probability.”
DeCastro and Emond said more time is spent these days looking for brands on the Internet and securing domain names. Because Web sites can have addresses with extensions other than dot-com, such as “net” or “org,” the bank has to be sure to secure all of them to prevent spoofing.
Maine-based Banknorth Group, which operates branches in Massachusetts, also has tried to educate customers before fraudsters reach them. According to John Petrey, executive vice president and chief information officer at Banknorth, the institution has posted information on its Web site and links to the Federal Reserve and Office of the Comptroller of the Currency. Branch locations are also stocked with informative brochures on financial Internet scams.
Petrey said Banknorth has been targeted in a few phishing incidents, but said they were not attacks on Banknorth specifically. Fraudsters are simply looking for a bank with a lot of customers.
“Phishing expeditions” can be foiled, Petrey said, when non-Banknorth customers call to inform the bank of fraudulent e-mails. Once a phishing e-mail is sent, the bank tries to shut down the scammer’s Web site and has been successful at times, Petrey said. After locating the Web site, Banknorth notifies the Web hosting company and issues a demand to shut down the site.
According to the Anti-Phishing Working Group, the latest phishing attack on Sovereign Bank was hosted on the same Internet protocol (IP) address as another attack on Washington Mutual Bank.
Petrey said despite efforts to shut down Web sites, it can be difficult when fraudsters continuously move from site to site.
“They’re getting very sophisticated,” Petrey said.
According to Melodie Jackson, spokeswoman for Citizens Bank, the institution also has been a target in the past when phishers issued an e-mail mimicking Citizens’ logo. Both Citizens and Banknorth said few customers have fallen into the trap. But for the few that have, the banks have taken care of the account immediately. Petrey said Banknorth generally will change the customer’s account information.
DeCastro and Petrey both pointed out that banks are not the only phishing targets. Companies like eBay, Earthlink and Verizon also have been attacked by Internet fraudsters.
Phishing scams generally have received more press, but the MBA also is reminding consumers to look out for other Internet fraud, such as “African e-mails” and credit and job applications.
The messages that are circulating on the Internet generally ask a consumer to move a large sum of money out of another country, usually Africa. The sender typically poses as a banker, chief auditor, director of finance or another bank representative and asks for a bank account number in order to wire in funds. In reality, according to the MBA, money will be wired out of an account.
In other scams, credit card and job applications posted online may request Social Security numbers or bank account information as part of the application process.





