Want to know why phishing attacks increased in 2014 to their highest level in five years? Compare phishing to the messy business of offline bank robbery.
In its most recent release of bank crime statistics (2011), the FBI reported 5,000 annual bank robberies in the United States. In 90 percent of those cases, robbers made off with some form of loot (e.g., cash, checks, safe deposit box contents) totaling some $38.3 million. These robberies involved the physical presence of the criminals, which not only exposed them to the possibility of getting caught, but also greatly increased their chances of being killed (10 of 13 robbery-related deaths that year were the perpetrators). Bank robbery is risky business. And with an average take of less than $8,000, it's a testament to the adage that crime doesn't pay.
Or does it?
Enter phishing, the easiest way for anyone with a laptop to become the next John Dillinger without the occupational hazards associated with traditional bank robbery. And with organizations facing average losses of $10,000 per attack, the cost benefit of phishing is just too good to pass up.
Tools of the Trade
What does it take to rob a bank? It starts with conducting surveillance, then gaining entry (preferably without being recognized), getting the cash out and, most important, making a clean getaway. It shouldn't be surprising that cybercriminals must follow similar steps when conducting a phishing campaign, but the availability and inconspicuousness of tools favor the phishers. The table below compares tactics, techniques and procedures between physical bank heists and phishing.
Small Timers, Big Takes
In January 2014, Florida couple Steve and Robin Barone were arrested for allegedly orchestrating a phishing scheme that compromised nearly 400 identities and resulted in the theft of $550,000. The pair was involved with a known cybercriminal element operating out of Nigeria, and had been in business for as many as four years before they were caught. What alleged criminals like these lack in the excitement and lustrous veneer of a modern-day Bonnie and Clyde, they more than make up for in the volume of assets stolen. Phishing is an all-steak, no-sizzle enterprise. Oftentimes, this characteristic confounds investigations because there's little public outcry over even the most egregious phishing offenses.
Spreading the Wealth
Phishing is but one attack vector for which retailers must be on the lookout. It's important to note that although the financial sector is a fan favorite of phishers, it's by no means the only target. Today, medical records stored at hospitals, clinics and insurance companies are being stolen and sold just like bank information. In fact, last year the going rate for medical records was up to 10 times higher than that of financial information. And although it likely won't ever produce thrilling stories like those of Dillinger or Bonnie and Clyde, phishing is one of the easiest, cheapest and most effective means of theft today.
Kevin Kelleher manages analyst relations for Return Path, a provider of data solutions for email marketing optimization and fraud protection.
Kevin Kelleher leads marketing for Return Path's Consumer Insight line of business. He helps people see how data can be used to make smarter decisions. In his spare time, Kevin enjoys running, reading and fencing.