Preventing and Responding to Phishing and Spoofing Scams
P. Douglas Whitlock
Source: NH Bar News

Introduction

Internet fraud (by conservative estimates) accounted for $320,000,000 in 2007.[1] The threat to your clients’ businesses and to your own legal practices is real and substantial. The purpose of this article is (i) to familiarize you with the widespread Internet fraud schemes known as “phishing” and “spoofing,” (ii) to provide you with practical guidance for preventing Internet fraud, and (iii) to provide you with a template for responding to Internet fraud should it occur. Technical guidance as to specific computer strategies for preventing Internet fraud is beyond the scope of this article and should be addressed with a business organization’s information technology consultants.

Understanding the Problem

The most common and preventable Internet fraud schemes involve a combination of “phishing” and “spoofing.”[2] These schemes use email as an essential element of deception.[3] Other Internet fraud schemes such as “pharming” do not rely on email responses, but instead use sophisticated virus and worm technologies to attack a computer system and trick its Internet browser into connecting to a fake or “spoof” website.[4] As noted above, the focus of this article is on “phishing” and “spoofing,” but the prevention and response tips suggested below generally apply to other types of Internet fraud schemes.

Phishing and Spoofing

“Phishing” is a type of Internet fraud in which perpetrators send deceptive spam emails seeking personal information from the recipients.[5] The emails are disguised so that the address and content appear to be from a legitimate source such as a well-known bank or other financial institution. (Note that phishing scams may impersonate other entities as well, for example PayPal™ or eBay®.)[6] The contents of a phishing email typically request that the recipient update or otherwise provide information by clicking on a link contained in the text of the email.[7] Estimates of phishing email response rates vary from 1% to as high as 20%.[8] The link will usually contain the name of the legitimate bank or other financial institution being impersonated. The link, however, connects the recipient to a fake or “spoof” website that the perpetrators operate. The spoof website is designed to look and operate like the real website of the organization being spoofed.[9]

Once at the spoof website, the victim is tricked into providing confidential information about his or her business organization, such as bank account numbers, employer identification numbers, account information, and passwords. The perpetrators of a phishing scam then use the information to access the business organization’s accounts and withdraw as much money as possible, as quickly as possible.[10]

A spoof website uses the logos, content, and general design of the legitimate institution it is impersonating in order to trick the visitor into believing that he or she has linked to the legitimate website. Often the perpetrators will copy website content directly from a legitimate site. A spoof website will also usually contain warning information (which often is also found on the legitimate site) about how to prevent Internet fraud, which makes it more convincing to victims.[11] Even though phishing emails and spoof websites can be very similar (if not identical) to legitimate sites, many contain telltale signs that they are illegitimate, which go unnoticed by the victims of phishing and spoofing. The telltale signs include misspellings, words capitalized incorrectly, bad grammar, and a “look and feel” that is noticeably different from the legitimate website.[12]
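The link deception described above (the name of a real bank placed inside a link that actually resolves to a host the perpetrators control, under visible text that looks like the bank’s address) can be checked mechanically before anyone clicks. The following is an added example, not code from the article or its author; it assumes a hypothetical bank whose only legitimate domain is examplebank.com, and the sample email is constructed.

```python
# Added example: flag the spoof-link patterns the article describes in an HTML email body.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: brand name -> the institution's legitimate registrable domain.
TRUSTED_BRANDS = {"examplebank": "examplebank.com"}

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels only: a simplification that ignores multi-label suffixes such as co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze_link(href, text):
    """Return the reasons a link resembles the spoof links the article describes ([] if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("destination is not https")
    # Visible text that looks like a domain but does not match the real destination.
    text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
    looks_like_host = re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", text_host)
    if looks_like_host and registrable_domain(text_host) != registrable_domain(host):
        reasons.append(f"visible text shows {text_host} but destination is {host}")
    # The bank's name appears in the hostname or path, yet the registrable domain is not the bank's.
    for brand, legit in TRUSTED_BRANDS.items():
        if brand in (host + parsed.path).lower() and registrable_domain(host) != legit:
            reasons.append(f"'{brand}' appears on non-{legit} host {host}")
    return reasons

def scan_email_html(html):
    """Map each suspicious href to its reasons; links with no findings are omitted."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = analyze_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings

# Constructed sample: one spoof link (bank name in a subdomain of a look-alike host) and one genuine link.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://examplebank.com.secure-login.example.net/update">https://www.examplebank.com/</a>
<p>Or read our <a href="https://www.examplebank.com/security">security tips</a>.</p>"""
```

Calling `scan_email_html(SAMPLE_EMAIL)` reports only the first link, for three reasons: the destination is not https, the visible address differs from the real one, and the bank’s name sits on a host whose registrable domain is example.net rather than examplebank.com.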

Given the daily barrage of spam emails (many of which slip through sophisticated spam email filters), business organizations should take measures to educate staff about phishing and spoofing and to implement best practices for the prevention of Internet fraud, as discussed below.

Preventing Fraud

Whether or not a business organization has installed anti-spam software (and otherwise taken technology-based measures to prevent phishing and spoofing), some phishing email will make it through such defenses and find its way into the employees’ email inboxes. The perpetrators of Internet fraud are constantly looking for ways through and around anti-spam computer defenses. So, a key method for preventing business organizations from being victimized is to educate staff about phishing and spoofing and to implement certain best practices concerning email policies generally and Internet banking policies specifically.[13]

Educate Staff: Email Policy

One way that a business organization can help prevent itself from becoming a victim of phishing and spoofing is to prevent the organization’s employees from opening and responding to spam emails. Almost everyone is familiar with how phishing and spoofing work, even if they are not familiar with the terms “phishing” and “spoofing.”

A person should not use a link in an email to access a website, no matter how legitimate the email seems. Based on the estimated response rates and annual losses, many employees and businesses seem to be unaware of this advice. In the day-to-day activities and pressure to accomplish tasks in a timely manner, many people simply forget the simple, common-sense rules about not responding to spam email and about not using a link in an email to access a website.

Accordingly, every business should take regular steps to deter fraud and eradicate any complacency that might offer fertile ground in which fraud may take root. As an initial step, every business organization should have a written policy that advises employees not to open or otherwise respond to spam emails in their business or personal accounts. The policy should also advise employees not to access a website via a link in an email, even if they believe the email to be from a reputable source, such as the business organization’s bank or other financial institution.[14] Employees should be informed that legitimate businesses will not solicit private information through email links, and employees should never provide personal or confidential information in response to such emails.

Furthermore, employees should be aware of the possibility that websites, when accessed through a search engine or an incorrect web address, may not be the legitimate website sought. Search engines such as Google™ and Yahoo!® contain filters and take steps to prevent such spoof websites from appearing in their search results. However, it is not possible to completely prevent such spoof websites from appearing, as fraudulent entities rapidly evolve their methods and technology. When accessing websites through search engines, employees must take care to ensure that the site they have reached is the site they actually sought. Similarly, employees must be diligent in entering URL addresses, as an incorrectly typed address may lead an Internet user to an illegitimate spoof website that closely resembles the genuine website.

Also, business organizations should require every employee (from the lowest ranking to the executive officers), upon being hired, to undergo initial training about the risks of phishing and spoofing. Since it is often the executive officers who have access to a business organization’s confidential information, special emphasis should be placed on their education and training.

Employee training may be as simple as having the information technology officer or another designated individual meet with new hires for as little as a few minutes to discuss Internet phishing and spoofing scams and how to prevent them. Business organizations should update training at least once annually, but ideally more frequently. Updates may include advisories as to new strategies that phishing and spoofing perpetrators are using to trick employees. Although outside consultants may be used to conduct training, it does not have to be a complicated or expensive endeavor. Often, just a simple reminder to employees not to use any links within the text of an email is enough to prevent Internet fraud from phishing and spoofing.

Internet Banking Policies

A business organization should review its Internet banking policies periodically to ensure that appropriate safeguards against Internet fraud exist and are adequate. A business organization’s bank should be able to assist in this regard, but it is important not to rely on a bank or other financial institution to protect the organization’s accounts. Many banks and other financial institutions have inadequate safeguards in place and rely on a reactive (rather than proactive) strategy for dealing with phishing and spoofing.

Some best practices for Internet banking include: (i) placing “dual controls” on accounts, so that two people have to approve account access and transactions, (ii) dispersing confidential information among several employees, so that no one employee has all of the confidential information needed to access a business organization’s accounts, and (iii) setting reasonably low limits for account withdrawals. Although such policies will not completely eliminate the risk of an organization becoming a victim of Internet fraud, they will help to reduce the possibility of such an attack being successful and, if fraud does occur, they will help to limit the damages. Not all banks offer the same level of protection and sophistication in detecting fraud.[15] A business organization should research its bank’s capabilities in this regard. Similarly, a business organization should research its own insurance coverage.

Responding to Fraud

Even with well-conceived and implemented strategies for combating phishing and spoofing, many business organizations will continue to be the victims of this type of Internet fraud. So, a business organization should also have a strategy in place for dealing with Internet fraud once it occurs. A quickly implemented and well-coordinated response may often allow a business organization to recoup some or all of the lost funds and prevent further losses. A strategy for response to a phishing scam should include (i) immediate coordination with the business organization’s bank, (ii) internal investigation, (iii) coordination with law enforcement, and (iv) public relations.

Coordination with a Business Organization’s Bank

As soon as a business organization becomes aware that it has been (or potentially has been) the victim of a phishing and spoofing scam, it should contact its bank immediately to shut down access to the accounts that have been compromised. Also, a business organization should immediately restrict access to bank accounts for any employees responsible for responding to the phishing email, at least until an internal investigation can be coordinated and completed. Legal counsel should be directly involved in this process to ensure that a business organization complies with all legal requirements as to the employees involved. Legal counsel also will be able to help direct coordination with the business organization’s bank and law enforcement (as discussed below).

As part of its response strategy, a business organization should obtain (and have readily available) emergency contact information for its bank’s fraud prevention department. Sometimes perpetrators of phishing and spoofing scams implement an attack close to a weekend or holiday in order to slow down bank or other financial institution response times. With emergency contact information in hand, an organization will not have to delay contacting its bank. This will allow the bank to promptly shut off access to the compromised accounts.

Once notified of potential fraud, or becoming aware of the fraud on its own through protective measures that are hopefully in place, a bank should immediately request that any recipient banks “reverse” the fraudulent transactions. The response time for initiating such reversal requests and for responding to phishing scams varies greatly among banks and other financial institutions.[16] For this reason, a business organization should monitor closely the response of its bank and request written verification that the reversal requests have been initiated. A business organization should also require frequent updates as to the status of all such reversal requests. The bank should be able to provide a business organization with a list of all of the recipient banks and an itemization of deposit amounts.

A phishing scam often involves many recipient banks with deposits being made into individual accounts in amounts under $10,000 (which do not trigger filing requirements under Federal law). Once in the accounts of the recipient banks, the money is then usually transferred to another account of the perpetrators, which is normally outside of the United States. Third parties are sometimes duped into allowing their personal bank accounts to be used as a place to hold the stolen money temporarily.

For the reasons stated above regarding response times, and as a general matter of sound due diligence, a business organization should follow up with all recipient banks to ensure that the reversal request has been executed and to inquire into the status of the reversal. Quick action is critical. If a reversal request is not implemented prior to the money being removed from the initial recipient bank, the ability to retrieve it (for practical purposes) becomes unlikely.

Internal Investigation

As part of its due diligence, a business organization that has been the victim of what appears to be a phishing and spoofing scam should conduct an internal investigation (i) to confirm what has happened, (ii) to ensure that no one within the organization was involved, and (iii) to implement corrective policies and strategies for the future. Depending on the breadth of what has occurred and the severity of the damages to the business organization, an organization may want to hire a private investigation firm to conduct the review.

A business organization, however, must be careful throughout the process to preserve all legal privileges and otherwise avoid legal pitfalls with respect to employment-related issues. Accordingly, legal counsel should carefully coordinate and control all aspects of an internal investigation. Coordination regarding an initial investigation should begin immediately after a business organization learns that it has been the victim of a phishing scam. For example, it is essential that the business organization physically secure any computer that was involved in a response to the phishing and spoofing scam. Although the technical aspects of any response to a phishing and spoofing scam are beyond the scope of this article, the information technology department within a business organization should be notified immediately to assess the situation and take appropriate remedial steps.

Coordination with Law Enforcement and Other Authorities

In most circumstances, a business organization is well-advised (and may be legally required) to report a phishing scam to law enforcement authorities. A business organization should also consider any other reporting requirements that it may have under state and federal law. It is, however, important to note that having the appropriate law enforcement officials involved may be crucial to assisting with recovery efforts by the business organization’s bank and the recipient banks.

Most sophisticated phishing and spoofing scams originate with and involve crime rings located outside of the United States.[17] For this reason, including the Attorney General at the New Hampshire Department of Justice (www.doj.nh.gov/consumer) and the Federal Trade Commission (www.ftc.gov) in any report to law enforcement is an efficient way to coordinate this matter at both the state and federal levels (and where applicable such officials may be able to coordinate international efforts as well).

A business organization should not expect, however, that law enforcement officials will be able to provide substantial recovery from the perpetrators of phishing and spoofing scams. Even if the phishing scam perpetrators are caught, recovering any money from such individuals and organizations is unlikely.

Public Relations

A business organization should prepare a draft response statement to issue to the press in the event that the organization becomes a victim of a phishing and spoofing scam. The purpose of the response may vary, but generally will be used to let the public (including customers) know that the situation is being dealt with in a competent and efficient manner. Many business organizations claim that the most significant effect of phishing is damage to reputation.[18] A carefully drafted public statement can reduce the likelihood of this occurrence.

Crafting an initial draft of any public statement after a situation arises can be distracting and may draw attention away from efforts to recoup all amounts possible. The organization will need to determine (based on the facts) whether such a statement should be issued prior to inquiry from the press or only upon receiving such inquiry. Marketing personnel may prepare the draft statement, but legal counsel should conduct the final review and assess the facts of any given situation prior to any statement being issued.

Bank Liabilities and Responsibilities

Several banks have instituted added security measures for online banking transactions such as fraud prevention web pages, encrypted transactions and firewalls. Despite these security efforts, phishing and spoofing scams do still frequently occur. Although there are federal statutes that protect individual consumers from incurring losses due to these scams, these statutes do not generally extend to business organizations.[19] Thus, it is important for legal counsel to carefully examine a client’s banking contracts (i) to determine whether the client is at risk of financial loss in the event of a phishing or spoofing scam; and (ii) in the event fraud has already occurred, to determine potential liability and defenses under such contracts.

Although liability often rests with the consumer under standard banking contracts, business organizations may be able to hold banks liable for certain negligent business practices such as failing to alert the organization of potential or actual compromises of confidential information or failing to take reasonable preventive measures.[20] For instance, if a bank is aware that someone operates a spoof website and does not institute “take down” procedures (a procedure that involves sending a “request to the operator of the free web space, or . . . relevant ISP who will temporarily remove (the spoof website) from the Internet”),[21] a negligence action may be permissible for breach of fiduciary duty.

Conclusion

Phishing and spoofing scams have the potential to affect the business organizations that you represent and even your own practices. Implementing measures to reduce the likelihood of being a victim of such scams, and knowing what to do should one of your clients or your own practice become a victim, goes a long way in fighting this significant and growing problem.

[1] Posting of Brian Krebs, Study: $3.2 Billion Lost to Phishing in 2007, http://blog.washingtonpost.com/securityfix/2007/12/study_32_billion_lost_to_phish_1.html (Dec. 19, 2007, 17:58 EST).
[2] See Tyler Moore, Phishing and the economics of e-crime, Infosecurity, Sept. 2007, at 35.
[3] See id.
[4] State of Michigan, Dept. of Info. Tech., http://www.michigan.gov/cybersecurity/0,1607,7-217-34415---,00.html (last visited Dec. 12, 2007).
[5] Moore, supra note 2.
[6] Id.
[7] Tyler Moore and Richard Clayton, Examining the Impact of Website Take-down on Phishing, APWG eCrime Researchers Summit, Oct. 4-5, 2007, http://www.cl.cam.ac.uk/~twm29/ecrime07.pdf (accessed Oct. 30, 2007).
[8] Gregg Tally, Roshan Thomas, and Tom Van Vleck, Anti-Phishing: Best Practices for Institutions and Consumers, McAfee Research Technical Report #04-004, 2 (Sept. 2004), http://www.antiphishing.org/sponsors_technical_papers/Antiphishing_Best_Practices_for_Institutions_Consumer0904.pdf (last visited Oct. 30, 2007).
[9] See id.
[10] Trend Micro, Botnet Threats and Solutions, A Trend Micro White Paper, Nov. 2006, http://www.antiphishing.org/sponsors_technical_papers/trendMicro_Phishing.pdf (last visited Oct. 30, 2007).
[11] Cite 1 R & D
[12] Cite 1 R & D
[13] Tally, Thomas & Van Vleck, supra note 8.
[14] Id.
[15] Moore, supra note 2.
[16] Tally, Thomas & Van Vleck, supra note 8.
[17] IBM Global Technology Services, IBM Internet Security Systems X-Force 2007 Trend Statistics, January 2008, http://www.iss.net/documents/literature/x-force_2007_trend_statistics_report.pdf (last visited Feb. 27, 2008).
[18] Roundtable Discussion on Retail Payments Fraud, Held at Federal Reserve Bank (Mar. 27, 2007), available at http://www.federalreserve.gov/paymentsystems/retailpmtfraud/retailpmtfraud.pdf.
[19] See, e.g., 12 C.F.R. § 205 (1978).
[20] See N.H. Rev. Stat. Ann. § 359-C:19-21 (requiring persons who own or license computerized data containing personal information to promptly notify the affected individuals in the event of a security breach and allowing for suit against persons who violate this statute).
[21] Moore, supra note 2, at § 2.