FRAUD UPDATE


   Phishing, which as we have previously reported in Transaction World is one of the latest fraud scams affecting merchants and consumers who deal with financial services companies, is growing several hundred percent per quarter, according to the Anti-Phishing Work Group (www.antiphishing.org).
   "Phishing," or fraudulent e-mail, messages are those that appear to be sent from a legitimate financial institution or other entity but in fact are not. They convince accountholders to reveal and submit valuable private and account information, which is consequently either sold or used to commit fraud and different types of identity theft crimes.
   One of the latest versions of this scam replaces the "address" bar at the top of a Web browser with a working fake, using JavaScript. This technique allows the phisher to display a completely fraudulent Web address URL, while taking the consumer to the phisher's spoofed site, according to the work group.
   This sophisticated new attack type does not make use of the MS Internet Explorer bug published last November, but extends the same visual effect to multiple browser platforms, the work group said. It does so by automatically detecting the consumer's browser, and applying a custom JavaScript that replaces the look and feel of the Web address bar with an appropriately designed working fake.
   Financial institutions, including those that process merchant transactions, are among the favorite targets of phishers. E-mail fraud targeting financial institutions is growing at a staggering rate. Many of the largest financial institutions in the U.S. and Europe have been attacked by phishing in recent months, most experiencing multiple attacks.
   The damages caused by financial e-mail fraud, such as harming valuable corporate brands, ruining accountholder trust, causing direct financial loss and increasing operational costs, reach various cross-bank areas ranging from the risk and fraud department to the legal team and marketing group, according to Cyota, New York, a company that specializes in online payment security.
   "This is becoming a very visible type of crime," says Amir Orad, Vice President of Marketing for Cyota. "Phishers send out thousands to millions of e-mails. It's very easy to do."
   This is of particular concern to merchants who are increasingly relying on online sales, Orad says. A consumer who's suffered from a phishing attack will be reluctant to go back online, which could hurt burgeoning online sales.
   The merchant also has to be careful that he is not the subject of a phishing attack. While the phishers tend to go after large, well-known financial services firms and retail merchants, others that accept payment cards online are also at risk.
   Orad recommends that merchants alert customers not to respond directly to e-mail offers asking for card numbers, but instead to go to a company's Web site by typing in the URL to protect against this type of fraud.
   Phishing attacks are becoming harder to trace and, therefore, to shut down. Up until recently, each phishing attack has been hosted and launched from one location. Typically it takes banks from several hours to several days to become aware of an attack that has been launched. Once the financial institution is aware of the attack, it contacts the law enforcement agencies, and together they track down and locate the source of the attack and shut down the spoofed website as soon as possible.
   Recently, fraudsters have begun setting up multiple identical spoofed websites simultaneously hosted at different locations. This trend comes on the heels of another recent trend where fraudsters have migrated from hosting the spoofed sites in western countries like the U.S. and U.K. to remote locations such as Taiwan and Eastern Europe. Now financial institutions need to be ready and equipped to deal with the task of locating and shutting down multiple sites that are hosted in a number of locations. Doing so for several sites simultaneously requires preparation and training at the banks, and other institutions, in order to respond in a fast, effective manner.
   Additionally, in the past, spoofed sites were usually located at a constant address, at a commercial ISP or as part of a free web-hosting site, which made them clear targets for shutting down. Now, with computer hijacking, which is becoming more frequent, the multiple sites can be located either on home users' computers or on commercial websites, without the users' knowledge.