Online “phishing” fraudsters, who try to con consumers out of their personal banking details to steal their money, target clients of Absa the most, data from a local e-mail company shows.

Yossi Hasson, MD of open-source e-mail solutions and network management company Synaq, runs a phishing signature database using an anti-spam service called Pinpoint SecureMail. Through this, it tracks monthly phishing volumes targeted at SA’s banks.

Hasson says the data collected is a subset of roughly 100 000 mailboxes belonging to Synaq’s Pinpoint clients. The sample set broadly reflects the overall picture.

It shows that in January, Absa clients were by far the preferred target of fraudsters, followed in second by First National Bank (see table below). Nedbank and Standard Bank clients were the least targeted, the Synaq data shows.

Hasson believes there are several reasons why Absa clients are targeted more than those who bank with other institutions. The main one is simply that Absa is SA’s largest retail bank, so it has more customers than any of the other banks to target.

“The user base within Absa consists of far more consumer or retail clients than Nedbank, for example,” says Hasson. “This makes it more of a target.”

Another reason is that Absa is “highly progressive” about its security measures and, because phishing is a numbers game, syndicates need to send out sizeable volumes in order to contend with Absa’s frequently updated security policies. The result is a large number of different Web addresses pointing to fake Web forms made to look like the genuine Absa website.

Hasson says all of the major banks still allow third parties to send e-mail on their behalf for promotional campaigns.

He says this makes it more difficult to differentiate between fraudulent and legitimate e-mails, but users should know that no bank e-mail ever asks for Internet login details or other sensitive security information.

In light of these phishing attacks, Hasson believes the banks are correct to have taken an aggressive stance to new personal financial management website 22seven, which requires its customers to provide their confidential bank login details to use the service.

“Being open to allowing a third party to have access to sensitive private information would just open up another hole in the banks’ security and anti-phishing efforts,” he says. “By allowing or approving 22seven’s access, in essence phishing syndicates would begin exploiting this new vulnerability by representing themselves as 22seven and asking users to update their banking details.”

Banks will have to be aware of both direct phishing attacks against their own services and attacks directed at those of their customers using 22seven.

He says 22seven should have worked with the banks to devise suitable and mutually agreeable approaches to accessing clients’ data, or have created a method by which users could “simply upload their financial information into the system without passing on their confidential data”. — Craig Wilson, TechCentral