Banks failing to act on business ID theft

Financial institutions need to do more to protect against criminals who mimic their online corporate identities to rob people, says a leading IT security lawyer.

"There's been a big rise in highly sophisticated attacks that combine phishing with malware, and use social engineering to lure the unwary into giving up their bank account details," says Jonathan Armstrong from legal firm Eversheds.

"We're past the badly spelled phishing attacks that get sent to everyone in the world," he says. "These days attacks are very professional-looking, purporting to come from real-sounding people."

There is an onus on banks and others, he says, to protect their own Internet reputation, check abuse of domain names and educate customers so they don't fall for scams.

He adds that the US has stringent laws to force financial firms to engage with people who fall prey to web crime conducted in their name. "In Europe, the law is softer," he says. "But data protection registrars all over the continent are under pressure to bring private prosecutions against banks who do not protect their systems and act to prevent fraud."

A report out today from security company ScanSafe backs his warning by indicating a significant rise in the number of web virus attacks designed to steal financial information from users, 310 per cent up on 2005.

"Not only did we see relentless growth in spyware throughout the year, up 254 per cent, but we saw that it is increasingly harbouring more sinister payloads," said Dan Nadir, vice president of product strategy at ScanSafe. "We also noticed a trend towards web viruses being used to spread spyware. The net result is that the line between spyware and Web viruses has become blurred."

Some 65 per cent of all web virus payloads ScanSafe detected were intended to achieve some direct financial benefit.

"In 2006 more than any previous year, the web became ground-zero for criminal malware attacks," said Nadir. "The nature and types of threats are proliferating so quickly and becoming so sophisticated that the web has become one of the fastest growing threat vectors. The key lesson is that you cannot simply rely on periodically updated databases of suspect URLs or anti-virus engines alone to protect your network from web threats."

One in five web searches now generates links to either malware or inappropriate content, says ScanSafe. Offensive content represents the greatest risk, says Nadir, accounting for 80 per cent of blocked searches.

This highlights the increasing risk for corporate users, he says with search results not only negatively impacting productivity if not managed correctly, but also representing loopholes for information leakage and legal threats.