Companies warned of corporate ID theft

Summary: Individuals have been warned about the threat of identity theft for years. Now it's the turn of businesses.

U.K. police have said companies need to be more aware of the growing risk of corporate identity theft, following a recent spate of frauds that targeted customers of several high street banks.

The frauds reflect the experience of Australians in the last few months, who have been bombarded with fraudulent spam purporting to be from the National Australia Bank, ANZ, Westpac, St George bank and PayPal. The e-mails link to a Web site designed to look like the legitimate organisation's Web site, which then attempts to capture credit card and account details from the user. The latest tactic is for an e-mail to claim the user's credit card has already been charged, and try to trick the user into entering the details to stop or reverse the payment.

The National Criminal Intelligence Service (NCIS) in the UK, which works with the UK's law enforcement agencies to fight organised crime, is concerned about this growing phenomenon because the general population is often not computer-literate enough to tell the difference between a spoof e-mail or Web site and a genuine one. According to the NCIS, this lack of education makes it relatively simple for organised criminals to target online banking customers in an attempt to gain access to their accounts.

A spokesman for the NCIS, who requested anonymity so his name would not be used in future e-mail scams, said companies should work towards reducing the risk of their corporate identity being abused.

Basic precautions could start with a company ensuring it owns all the different permutations of its name. For example, if a customer received an e-mail from or was redirected to a Web site using the "barclays-banking.com" domain, they might believe it to be genuine, but Barclays does not own that address; at the time of writing, it is available for anyone to buy. Similarly, although Lloyds TSB owns "lloydstsb.co.uk", it does not own "lloydstsb-bank.co.uk", which could easily be used in a future 'phishing' trip.

This tactic would please domain name sellers, who often try to get companies to register as many variants on their name as possible.

The NCIS spokesman told ZDNet UK that people need to get to know the e-mail systems as well as they know the traditional postal system. "People know that stamps are perforated, business envelopes look a certain way and if they get a handwritten envelope from a business, they think 'that's a bit strange'. But with e-mail, although those indicators are present, people have not yet learned to look for them," he said.

Nigel Miller, commerce and technology partner at law firm Fox Williams, said banks are in a tricky position because on the one hand they encourage customers to migrate to online banking services and try to convince them they are safe, but on the other hand they have to warn them of the risks. "What is the responsibility of the bank to educate their customers? It doesn't sound very good when you are trying to sell them a service, but have to tell them how risky it is," he said.

James Pearce from ZDNet Australia contributed to this report.

Munir Kotadia

Talkback

1 comment
  • Imagine if Banks did Interbank transfers of money based on domain names.

    Yet many web based SSL Certs might only verify domain names, if the end user bothers to read them to see if they are in fact valid.

    This type of presentation level fraud is predictable, and end users are not to blame for being fooled. It's the system itself that has been perpetuated that bases identity on domain names. It's time that financial institutions be held accountable for on line practices which can be so easily impersonated, and stronger naming put into place.
    anonymous