Phishing for information

7:00pm EDT December 31, 2006

When is the last time you received an e-mail notice in your inbox requesting personal information — a PIN number, user ID or password that you wouldn’t surrender to your reliable assistant, let alone some stranger over the Internet? But wait — the notice originated at the bank. It bears the bank’s logo and colors, and it links directly to the bank’s home page. It must be legitimate, right?

“In the last five years, Internet fraud has become more sophisticated and prevalent,” says Craig Johnson, president and CEO of Franklin Bank in Southfield. “Fraudulent attempts to get customer information through means like telephone and letters have shifted to the Internet because it is quicker and a lot more difficult to detect.”

In a scheme called phishing, criminals dupe individuals into sharing personal data by sending out convincing e-mails that lead consumers to Web sites masterfully created to resemble those of banks and financial institutions. Phishing is one of the fastest-growing forms of consumer theft in the United States. If you’ve used e-mail to conduct business in the last five years, you’ve probably been a phishing target.

Here, Johnson discusses the implications of sharing private information over the Internet and provides information that will help you discern whether that ‘fraud alert!’ e-mail in your inbox is a scheme.

How can you tell whether an e-mail is fraudulent when the logo looks exactly like a bank’s and the e-mail even links to the bank’s home page?

Banks are frequent targets of phishing, and con artists are well-versed in the technology required to duplicate bank home pages and create e-mail notices that look so legitimate that even the most astute business owners are duped into believing that requests for security information are valid.

But banks would never send their clients a notice requesting a PIN number, password or user ID. Never. You immediately know that these requests are fraudulent because banks simply do not ask for this information over the phone, by mail, or over the Internet.

What are common ways that con artists ‘go phishing?’

What we see most often is when con artists duplicate our Internet sign-on page and send out notices via e-mail. These are blanket notices claiming to be from Franklin Bank, and they are sent out to millions of e-mail addresses. They say something to the effect of: For security purposes, we need you to verify your user ID and password. But when you enter your user codes, that gives the scammer access to your accounts. Within minutes, they have your user ID, password, Social Security number, account numbers — all your personal information.

How do banks respond to fraudulent Internet notices?

We have to be much more vigilant about monitoring that type of activity and more aggressive in enforcing our policies. For example, we recently dealt with a fraud e-mail, and when we contacted the service provider, it was located in Bangladesh. Even when you shut down one of these fraudulent service providers, they will move on to another scam. The best thing business owners can do is to train their staff to detect phishing and limit access to account passwords.

How many people really assume these fraudulent e-mail notices are valid?

Because of the high quality of material, the e-mails actually look like they are from the bank. People assume we are trying to gather information and once they type in their passwords, they’ll be able to access their accounts online, no problem. But instead, the con artists wipe you out — your money is gone.

How can those who bank online — and that includes most business owners today — protect themselves from exposure to Internet fraud?

If you complied with an e-mail request for personal information, you feel you are a victim of a fraud, and your account balance shows it, then you have approximately 60 days to make a claim of fraudulent activity on those transactions. Go to your bank and fill out an affidavit. The bank will decide whether to award you with immediate conditional credit pending an investigation. This decision will depend on the claim. At Franklin Bank, any claim that exceeds $500 requires investigation. The dollar limit will vary at different financial institutions.

CRAIG JOHNSON is president and CEO of Franklin Bank in Southfield. Reach him at (248) 386-9860.