By JEN WIECZNER
One fall day in 2009, the phones started ringing off the hook at the Virginia offices of Nacha, the electronic payments association that oversees the processing of billions of transactions each year. On the line were dozens of consumers and financial institutions, clamoring with questions about emails they'd received -- from Nacha, they believed -- telling them there was a problem with their payment.
The agency quickly realized its identity had been hacked. And it turned out to be only the first of many incidents that have since plagued Nacha with increasing frequency and sophistication. Over the past year, cybercriminals have sent out millions of messages -- as many as 167 million forged emails in a single day -- that use Nacha's logo, phone number, physical address and even verbiage from its own website in order to appear completely authentic, all with the goal of filching sensitive financial data from Nacha's customers. "They're stealing our identity, just as they do anyone else's," says Scott Lang, Nacha's vice president of association services.
It's a potent new phase of the cybercrime wave: "spearphishing," in which online scammers masquerade as legitimate corporations and government agencies and target the people most likely to open their emails. These messages increasingly look nearly identical to authentic emails from companies, commandeering everything from their email addresses to logos and electronic watermarks. They usually lack the traditional telltale signs of email scams, such as typos and jumbled sender addresses.
What the messages have in common is urgency: Your tax payment just bounced, your account is overdrawn, there's a problem with your 401(k). And, they go on to tell you, you must click such and such link to rectify the problem. Consumers who actually do so, however, expose themselves to fraud and identity theft -- typically by unknowingly downloading "malware" that sits on their computers and relays passwords and account numbers to whoever engineered the scam.
These targeted attacks appear to be a very effective weapon: While overall spam volume dropped nearly 87 percent in 2011, to 40 billion daily messages, the cybercriminal profit from the more personalized attacks -- which represent a very small share of overall spam -- has quadrupled, according to a Cisco white paper. Security experts estimate that phishing attacks cost brands and corporations more than $98 billion a year.
What makes spearphishing so effective, experts say, is that it turns consumers into victims of their own tech savvy: In a world where consumers can do everything from order groceries to pay their credit card bills and mortgages online, it no longer seems strange for government or financial institutions to send notifications via email, even though many organizations say they never reach out to consumers this way. There's another layer, too. "Fraudsters who use these types of scams are trying to connect with the recipient emotionally," says Lang. "People react to anything about their money."
A few years ago criminals could send out a mass blast asking people to input their credit card numbers and get a few to bite -- the origin of the term "phishing." Now the terminology for the scams has evolved to reflect their greater sophistication. "Spearphishing" describes the targeted attacks, while pursuing an individual who has access to a potential jackpot is considered "whaling." Cybercriminals "are realizing that the old 'just look for a purse that's left unattended' [tactics] aren't paying the bills anymore," says Patrick Peterson, the CEO of email security firm Agari.
To get even more bang for their buck, cybercriminals are going after bigger bank accounts, especially those of businesses whose greater payment activity can mask unauthorized siphoning. Those businesses' customers, in turn, can be at risk: If scammers can compromise the businesses, "they can get the keys to the kingdom to millions of users," says Craig Spiezle, executive director of the Online Trust Alliance, a nonprofit group that develops countermeasures to online security threats.
The phenomenon mirrors the way marketers have boosted sales revenue with targeted ads that lead to greater conversion rates: tailoring scams to consumers increases the number of people who click. Phishing rings often customize their email blasts and time them to hit inboxes when recipients are expecting an email about their tax refund or 401(k). "The abuse from forged email has shifted from, 'God, it's clogging up my inbox,' to being really malicious and damaging," says Spiezle.
In all, nearly 400 brands were used in phishing scams in the first quarter of 2012, an all-time high, according to the Anti-Phishing Working Group, a non-profit dedicated to stopping email fraud and cybercrime. Virtually no one is immune: impersonated brands range from social media networks to the Federal Bureau of Investigation. The Online Trust Alliance estimates that at least half of the Federal Deposit Insurance Corp. member banks and leading government agencies have become pawns to cybercriminals, their logos and domain names hijacked to trick consumers. On its 2011 list of top 10 scams, the Better Business Bureau, a frequent phishing target, crowned itself scam of the year.
When companies' identities are used fraudulently, it compromises consumers' faith in the brands. "Nobody wants to say, 'Boy, I really like my bank, they only get robbed once a week,'" says Pat Cain, a resident research fellow at the working group. But the attacks also threaten the corporations themselves, which are vulnerable to employees clicking on malicious emails. Cybercriminals have gotten trickier, singling out people in HR departments by attaching bugged resumes and using social media to garner personal details about their targets.
Scam emails purporting to be from the Internal Revenue Service, say experts, are among the most insidious. One such scam, sent on last year's October 15 deadline for businesses' third-quarter taxes, appeared to come from the IRS division that processes online payments. It told recipients that their tax payment did not go through -- a perfect trap, says Mr. Peterson, the security executive, for small business owners and the self-employed. "The scarier the government organization, the more they tend to get abused," he says. The IRS, for its part, says it never initiates contact with taxpayers via email, and that it posts warnings about the scams on its website.
The new generation of phishing scams may not raise the traditional red flags because they don't ask consumers to do something unnerving like enter their Social Security number or fax a copy of their passport to Uzbekistan -- all they have to do is click a link. A malicious software program is often then automatically installed on the consumer's computer, lying in wait like a career con man out of "Ocean's 11" for the user to view or enter sensitive information.
Of course, whether the scammers can hook a consumer depends on how convincing the bait looks. Fueling the rise in spearphishing profits is a thriving black market for "phish kits" which scammers use to generate authentic email templates and build the malware needed to infect computers. Cybercriminals may even barter skills to improve their operations, such as swapping logo designs for mailing lists. "There's this underworld economy of bad guys trading skills," says Spiezle, of the Online Trust Alliance.
Leaders in the Web and security industries have been working toward a solution. The problem dates back to the early 1980s when email was invented, and its forefathers could not anticipate its modern ubiquity or the threats it would face. That's a challenge for the groups currently trying to basically retrofit the entire electronic mail system with improved security measures. "It's like changing the jet engines on a 747 while it's in flight," says Peterson, Agari's CEO.
In January, more than a dozen email, financial services, technology and social networking companies -- ranging from Facebook to Fidelity -- announced a new anti-phishing initiative called Domain-based Message Authentication, Reporting & Conformance, or DMARC.org. Its supporters hope to foster collaboration between email providers like Google and Yahoo and corporate email senders to create an authentication system that would prevent unauthorized use of email domains like IRS.gov or PayPal.com. Nacha, meanwhile, says it has partnered with Microsoft's Digital Crimes Unit to disrupt phishing scams using its identity, in an operation that has decreased fraudulent emails by 90 percent.
Even so, short of a system overhaul, some experts believe consumers will remain vulnerable. "I don't think you can assume that smart people don't get sucked into these things," says Phil Hay, a security threat analyst, "because they do all the time."