Modernizing Authentication — What It Takes to Transform Secure Access
Today's most successful online phishing scams use increasingly complex and sneaky tactics to trick people into divulging their banking account numbers, passwords and other personal information to steal people's identities.
But the latest phishing scam using the Internal Revenue Service as the lure is actually employing a "greatest hits" approach that blends online come-ons with official-looking old-school faxes to pry sensitive data out of unsuspecting victims.
This week, the Anti Phishing Working Group (APWG) announced that it has teamed up with the IRS in an effort to limit the damage of new targeted phishing campaigns that use a combination of online and offline tactics to extract social security numbers, checking and savings account numbers and corresponding passwords to bilk consumers and companies out of millions of dollars in assets and merchandise each month.
This new initiative comes after the IRS and other popular online shopping sites and government agencies noticed a growing number of phishing scams that often started with an unsolicited e-mail that contained an attachment that was to be filled out and faxed back to representatives of the bogus entity.
In the case of the IRS, which has been a popular target for elaborate phishing scams for years, recipients tend to be more likely to respond and send in their personal information rather than face what turns out to be totally fictitious penalties outlined in the scam.
APWG and the IRS say these online/offline phishing scams cost the average person between a few thousand and tens of thousands of dollars, losses that officials said most victims don't realize until long after the crime is committed.
That could change now that the APWG has implemented the Fax Back Phishing Education Program, a mechanism that provides telecom companies and Fax-over-Internet-Protocol (FoIP) firms with the security information they need to immediately notify consumers the moment they've been scammed.
Once a known phishing syndicate is identified and reported either to or by the APWG, the offending fax numbers are logged in a database that is shared with telecos and FoIP providers. When a fax is sent to any of the blacklisted numbers, a fax cover sheet developed by APWG and the IRS's Online Fraud Detection and Prevention (OFDP) group is downloaded and sent to any victim or potential victim of offline phishing.
The fax cover sheet also provides a pair of links to report other incidents of alleged online or offline phishing. Those complaints are fed, along with the known data provided by APWG and other local and national law enforcement agencies, to FTC Sentinel, a consumer database maintained by the Federal Trade Commission.
Despite the growing sophistication of data thieves -- who often coordinate their efforts to better entrap unsuspecting consumers, according to the APWG -- the new initiative offers law enforcement and industry stakeholders a way to fight back.
"The APWG Internet Policy Committee commends the IRS for its role in protecting consumers against these fax-phishing scams," Laura Mather, co-chair of APWG's Internet Policy Committee, said in a statement. "The phishers continue to find compelling mechanisms for contacting consumers, and having the IRS work with us to create a program for protecting people who have been contacted by this type of scam shows that the crime fighters cooperate as well as the criminals."
Armed with the suspect fax numbers submitted by consumers and watchdog groups like APWG, the OFDP is able to disable the illicit fax numbers within 12 hours. So far, the OFDP said it has shut down more than 250 numbers in the past year.