Barclays' spoof fight continues

Education and technology needed to beat website spoofers

Barclays Bank is still fighting the e-mail spoofers that began targeting its customers more than two weeks ago.

Customers have continued to receive messages purporting to be from the bank. The e-mails included a link to what appeared to be the company's website, where they were asked to "confirm" their personal details.

The National Hi-Tech Crime Unit warned that internet-based identity theft is now a favourite tactic of organised criminals. Other companies that have been targeted in this way include eBay and Citibank.

"There has been a significant increase in website spoofing," said Len Hynds, head of the National Hi-Tech Crime Unit. "Spoofing involves duplicating a genuine website and giving it a similar internet address, so that users are unwittingly redirected. The spoof site dupes the customer into supplying card and account details."
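As an added illustration, not part of the original article or Barclays' own tooling, here is a defender-side check a mail gateway could run over the links in an incoming message, flagging hosts that merely resemble the bank's genuine addresses in the way Hynds describes. The bank domains, brand string and sample e-mail are assumed or constructed values.

```python
import re
from urllib.parse import urlsplit

# Assumed sample values: domains the bank is treated as legitimately using.
LEGITIMATE_DOMAINS = {"barclays.co.uk", "barclays.com"}
BRAND = "barclays"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host):
    """Crude last-labels approximation that copes with .co.uk; no public-suffix list."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return (verdict, reason) for one link found in a message body."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        # Text before '@' is user info, not the host; it is a classic way to disguise the real site.
        return "spoof", "user info before @ hides the real host %s" % host
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate", reg
    if BRAND in host:
        return "spoof", "brand name inside non-bank host %s" % host
    for good in LEGITIMATE_DOMAINS:
        if levenshtein(reg, good) <= 2:
            return "spoof", "%s is within edit distance 2 of %s" % (reg, good)
    return "unknown", reg

def scan_message(body):
    """Classify every link in an e-mail body; returns a list of (url, verdict, reason)."""
    return [(u,) + classify_link(u) for u in URL_RE.findall(body)]

# Constructed sample message in the style the article describes.
SAMPLE = """Dear customer, please confirm your details at
http://www.barclays-secure-update.com/confirm
or http://barclays.co.uk@203.0.113.5/login
Genuine: https://www.barclays.co.uk/personal"""
```

Running `scan_message(SAMPLE)` flags the first two links as spoofs and passes only the genuine one.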

A Barclays spokeswoman said, "E-mails are still being sent, but we are keeping our eyes peeled and closing down the sites as and when they are appearing. We can contact the customer affected straight away - we know what the spoofers are doing."

The bank assigned employees from IT, fraud, compliance and customer service departments to help fight the spoofers.

Paul Wood, chief information security analyst at MessageLabs, which is working with Barclays to resolve the fraud, said, "Identity theft is a problem for companies with transactional websites, but it will become more difficult to stop as the e-mails get more realistic."

Implementing layers of anti-virus software and firewalls can mitigate the attacks, but technical measures to deal with identity theft are harder to implement, Wood said.

Priority should be given to educating users so they understand that a legitimate business would never ask its customers to reveal financial information via an e-mailed link.

"The time is ripe to make users understand how to use e-mails," Wood said. "It is like someone knocking on your door pretending to be from the gas board - you would not assume they are who they say they are and let them in."

Companies could also take precautions once they are aware of an e-mail spoof, said Wood. "Barclays made its customers aware of the scam and introduced a limit on transactions," he said.

However, some experts believe technical measures could counter the threat. Analyst firm Gartner said companies with strong brands, especially in finance and retail, should, for example, evaluate encryption for signing e-mails and web pages.

They should also secure SMTP gateways and proxy servers to ensure messaging servers cannot be hijacked and are not vulnerable to mass e-mail attacks. In addition, if the risk outweighs the costs, personal firewalls should be given to remote broadband users.

Smartcard readers and biometrics may also help, but high hardware costs mean this is not viable for many companies, Wood said.

Implementing too much authentication may affect customer service. "Most companies have fairly rigid steps for authentication, which have not helped combat spoofing," said Wood. "If authentication is too painful a process it might put people off."

Whether by investing in more technology or educating customers, companies need to address identity theft and related internet crimes, said Hynds.

"Criminals are becoming increasingly competent and it is reasonable to assume that their use of high-tech methods will increase in parallel with the growing reliance of financial institutions, businesses and individuals on IT and online transactions," he said.

"Every business has a duty to itself, its employees and its customers to be as security-conscious as possible. Routine application of software updates, employee education and holistic attention is fundamental."

How to combat identity fraud

Educate your customers. They must never provide financial information via an e-mailed link.

Secure mail gateways to ensure messaging servers are not vulnerable to mass e-mail attacks.

Evaluate encryption for e-mails and web pages that include personal data.

Deploy a cross-industry pattern-recognition application to detect suspicious activity and root out identity thieves from credit, debit and applications processes.

Source: Gartner and MessageLabs
