WASHINGTON – Al Johnston is the type of consumer that banks and other financial institutions have come to appreciate.
The 81-year-old Severna Park resident says he is tech-savvy enough to spot “phishing” — fraudulent e-mails that are victimizing a growing number of Marylanders by fooling them into giving up personal information.
“I get so many of these (e-mails) and they’re coming from places like Wachovia and Citibank,” Johnston said.
Phishers pretend to be associated with trusted brands of well-known financial institutions, luring unsuspecting consumers into turning over personal information. The practice cost U.S. banks and credit card issuers $1.2 billion in direct losses last year, according to Gartner Research, and security experts predict the pace of scams will not subside anytime soon.
That is prompting local financial institutions and other businesses to mount campaigns to address the problem with their consumers.
“The number of these attacks on consumers for their financial information is continuing to rise,” said Maryland Bankers Association head Kathleen M. Murphy in a recent letter to members warning of the hazards of phishing.
“Clearly, as we start to hear about trends, we want to alert everybody,” Murphy said in an interview, adding that some of the association’s 122 banks have started to report phishing problems.
Statewide, officials say consumers are reporting an increase in phishing attacks — although there are no hard numbers because consumers have not followed up the reports with formal complaints.
“We’re seeing more and more of these types of scams in the past year,” said Steve Sakamoto-Wengel, assistant attorney general for consumer protection. “And they’ve accelerated in the past few months.”
John Hall of the American Bankers Association said consumers are out of luck if their bank accounts are drained after they have mistakenly turned over information. But banks and other financial institutions are often left holding the bag, he said, when phishing nets Social Security numbers that thieves can use to open new credit card accounts.
Some of Maryland’s larger financial institutions are now considering how to address the problem.
“There’s been some discussion on what should be done, but we have yet to issue a statement (to clients),” said T. Rowe Price spokesman Brian Sullam.
Sullam said the Baltimore-based mutual fund has discouraged clients from disclosing personal information since it first began allowing electronic access to accounts.
“We’ve always made it clear that we never ask clients for passwords or anything that could give access to accounts,” he said.
That general warning may not be enough, however, according to security experts.
“Exploiting naivete and doubt is what phishing is all about,” said Carson Sweet, managing director of Fairfax, Va.-based Security Methods.
“Businesses need to assess and aggressively address any lack of clarity their customers have related to communications security, including phishing,” said Sweet, whose firm has worked with a number of Maryland financial institutions.
Baltimore-based Legg Mason, for one, has taken that aggressive approach.
Director of Marketing Sylvia Toense said roughly 75,000 clients of the financial services provider got an e-mail last December alerting them to phishing scams and reminding them that the company never solicits information from its clients via the Web.
Additional warnings were sent to Legg Mason clients this summer as the pace of phishing scams picked up, Toense said.
“We’ve not yet heard of any clients who have been affected by the problem,” said Toense.
Sweet said businesses like Legg Mason are making strides in efforts to stanch consumer and business losses from phishing, by alerting consumers of the potential dangers of unsolicited communication. But, he warned, the scam will remain a lucrative one, particularly for overseas hackers who are difficult to track.
“With law enforcement resources largely focused on tracking terrorist activity, it’s harder for banks to get assistance pursuing offenders internationally, even if they can be located,” said Sweet. “International phishers exploit that fact and are often brazen as a result.”
Johnston said he is not surprised that much of the e-mail he is receiving is generated overseas.
“You just need to read them to tell they’re not written here,” he said.
-30- CNS 10-01-04