Gone Phishing
By Gareth Dunlop
If you bank online you will be well aware of the warnings from your bank reminding you never to send your account details or online login details by email. Banks, online retailers and ISPs have been the biggest targets for fraudulent email scams (sending such emails is called phishing), but everyone involved in the publication and maintenance of websites needs to know how to protect themselves and their customers.
Wordspy.com defines phishing as “Creating a replica of an existing web page to fool a user into submitting personal, financial or password data.” Phishing is a form of fraud whereby criminals generate emails which appear to be legitimate and official, in an attempt to trick consumers into providing user IDs, passwords, credit card numbers, bank account numbers, Social Security Numbers and other important information.
Typical phishing attacks look like this:
o A consumer receives an email purporting to be from her bank, saying that the bank is upgrading its systems and asking her to confirm her details by visiting a web page. She views the web page and enters all of her login information into it.
o A consumer receives an email purporting to be from his ISP, stating that it no longer accepts payment by invoice and that all transactions must now be by credit card. He goes online and enters all of his credit card details.
o A seller at an online auction site receives an email stating that her item has sold, but that before the sale can be confirmed she must re-enter her login and account details. She enters everything, in order to complete the sale as quickly as possible.
The email or web page on which this information is captured very often has the same look and feel as the company's official website, and uses similar language. The key difference is that when a victim submits a form on this site the data is sent to the criminal behind it, who can use it to take over the victim's accounts and carry out identity theft.
The crucial danger of phishing is that it strikes at the heart of the fundamental premise of online business, which is the trust between the buyer and the seller. Online retailing and online financial management is at last gaining real credibility, and research suggests that e–commerce revenues are going to break all records again in 2005, particularly as we move towards Christmas.
Against this very positive backdrop is sobering research from Forrester, estimating that identity theft crimes have increased by 700% over the past three years and that this number is set to rise. They estimate that such crimes have cost American businesses and consumers over $50 billion.
There is now a real need, on the part of both buyer and seller, to take responsibility for handling private information online. This can only be achieved with robust authentication in both directions: online businesses must ensure that their customers are who they claim to be, and reciprocally consumers must be able to confirm that the websites on which they conduct business are legitimate.
If you publish a website which sells online, or which gives users the ability to manage funds or finances, you must consider the following to protect yourself and your customers from phishing.
Publish a clear phishing policy – Make sure that the first time someone buys from you, and each time they log on, they understand how you will and will not communicate with them (for example, that you will never ask for a password by email). That way they can recognise legitimate correspondence and discard anything that does not match.
Ensure your authentication is robust – Implement a password policy and insist that your customers follow it. Strike a balance between usability and security, based on the sensitivity of the data in question. Bear in mind that a strong password on its own does not stop phishing: a victim who types a strong password into a fake site has still handed it to the criminal, so the policy needs to work alongside the other measures here.
Build a site which makes keystroke capture difficult – If a user must authenticate to reach a particularly sensitive piece of information, have them enter a different sequence of keystrokes on each visit, for example by asking for characters from randomly chosen positions of their secret rather than the whole secret. A keystroke recorder that captures one session then has only part of what is needed to gain entry, rather than all of it at once.
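The following is an added example, not code from the original article, showing one way to implement the "different keystrokes on each visit" idea as a partial-password challenge. The class and function names (PartialPasswordVerifier, keylogger_knowledge, attacker_can_answer) and the sample secret are illustrative assumptions. The server picks random character positions with a CSPRNG, the user types only those characters, and the comparison is done in constant time; a second pair of functions models what a keystroke recorder learns from one captured session.

```python
"""Partial-password challenge (added example, not from the original article).

On each login the server asks for a random subset of character positions of
the user's secret, so one keylogged session yields only those characters.
Names such as PartialPasswordVerifier are illustrative assumptions.
"""
import hmac
import secrets
from typing import Dict, Sequence, Tuple


class PartialPasswordVerifier:
    """Holds one user's secret and issues/checks position challenges.

    Assumption: the server can check individual characters, so the secret
    is held in a form that is not a single one-way hash of the whole
    password (a known cost of this scheme; see the note after the code).
    """

    def __init__(self, secret: str, positions_per_challenge: int = 3) -> None:
        if not 0 < positions_per_challenge <= len(secret):
            raise ValueError("challenge size must be between 1 and len(secret)")
        self._secret = secret
        self._k = positions_per_challenge

    def new_challenge(self) -> Tuple[int, ...]:
        """Return k distinct 1-based positions chosen with a CSPRNG."""
        rng = secrets.SystemRandom()
        picked = rng.sample(range(1, len(self._secret) + 1), self._k)
        return tuple(sorted(picked))

    def verify(self, challenge: Sequence[int], answer: str) -> bool:
        """Check the user's answer for the given challenge in constant time."""
        if len(answer) != len(challenge):
            return False
        if any(not 1 <= p <= len(self._secret) for p in challenge):
            return False
        expected = "".join(self._secret[p - 1] for p in challenge)
        return hmac.compare_digest(expected.encode(), answer.encode())


def keylogger_knowledge(
    observed: Sequence[Tuple[Sequence[int], str]]
) -> Dict[int, str]:
    """What an attacker learns from recorded (challenge, answer) pairs.

    A keystroke recorder on the victim's machine sees the prompt and the
    typed reply, so it learns the characters at the challenged positions
    and nothing else.
    """
    known: Dict[int, str] = {}
    for challenge, answer in observed:
        for position, char in zip(challenge, answer):
            known[position] = char
    return known


def attacker_can_answer(known: Dict[int, str], challenge: Sequence[int]) -> bool:
    """True only if every position in the new challenge was already captured."""
    return all(p in known for p in challenge)


if __name__ == "__main__":
    # Constructed sample secret, not a real credential.
    verifier = PartialPasswordVerifier("correcthorse", positions_per_challenge=3)
    session = verifier.new_challenge()
    print("Enter the characters at positions:", session)
    # The legitimate user reads their secret and types only those characters.
    typed = "".join("correcthorse"[p - 1] for p in session)
    print("Accepted:", verifier.verify(session, typed))

    # A keylogger that saw that single session knows only 3 of 12 characters,
    # so it can answer a fresh challenge only if the same positions recur.
    known = keylogger_knowledge([(session, typed)])
    fresh = verifier.new_challenge()
    print("Attacker can replay next login:", attacker_can_answer(known, fresh))
```

Two caveats worth weighing before adopting this. First, it only blunts keystroke capture on the victim's machine; a phishing page simply asks for the whole password and the victim types it, so it is no substitute for the policy and customer-education measures above. Second, because the server must check individual characters, the secret cannot be stored as one salted hash of the whole password, which is a real trade-off against conventional password storage.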
Use common sense – Follow good business practice: stay close to your customers, answer their concerns quickly, and implement a level of security which matches their needs and yours.
Phishing threatens the integrity of online interactions between e–businesses and consumers. Companies that can make consumers comfortable that their transactions will be secure and their identities protected will gain a competitive edge as security and identity become ever more important. Providers of online products and services – including financial institutions, ISPs, retailers, utilities and telecommunications companies – must take steps today to protect their brand and protect their consumers.