However, the financial risk that's connected with each credit card transaction isn't the only hard dollar cost to corporations. "In most cases so far, as a matter of good customer relations," said Jevans, "where a customer has experienced a loss as a result of phishing, the spoofed institution has [reimbursed them] even if their policies don't expressly guarantee that treatment. As evidence of how this cost is hitting the bottom line, several Australian banks have set aside a $2m fund just to cover any losses associated with phishing."
Jevans cited other areas of loss as well. "When NatWest had to shut its site down, it incurred the added expense of setting up and manning a phone number that customers could call. In situations like that, dissatisfied customers that have to wait a long time on jammed phone lines might take their business elsewhere," Jevans said.
According to Jevans, another unexpected cost could arise after a large number of accounts are successfully phished. Jevans said the cost to issue new credit cards, accounts and passwords is about $50 to $60 per user. "You can see how the costs can quickly escalate if 2000 accounts are compromised. Not only that, once a phisher has succeeded with a particular institution, the trust chain -- especially in email -- is broken. So, it makes it much more difficult for the institution to maintain a relationship via email with its customers."
Liability is yet another area of concern for organisations that are spoofed. Jevans said that one of the Anti-Phishing Working Group's members is being sued by customers whose accounts were successfully phished. Whether the plaintiffs will get anywhere could be the topic for an entire column, but regardless of whether a company wins or loses such a case against its customers, it still must bear the legal costs. The spoofee may not be the only target of such a lawsuit. In an effort to cover their tracks, many phishers will publish their web pages on Web servers that they've hacked into, unbeknownst to the operators of those Web servers. Under these circumstances, it's entirely possible that the operator of the hacked Web server could be sued on the grounds of negligence through lax security as well.
While businesses everywhere are staring down the barrels of phishers' shotguns, they're also trying to figure out how to put a stop to it. As with spam, the solutions are primarily technological, legal, and social. The biggest priority currently is to deal with the major phishing attempts as reports of them surface. Obviously, the first order of business is to disable the offending page. "Depending on the situation," Jevan said, "this could require any number of techniques. For example, if the phisher published the page by hacking into a legitimate server, you can't just go and shut that server down or have all the paths to it cut off by the ISPs. In some situations, that's what you need to do, but in others you have to work with the operator of the server to remove the offending page."
Jevans warns that even the most proactive of responses to a phishing report may not be sufficient. "It can take anywhere from 19 hours to 6 ½ days before a site or a Web page is cut off," said Jevans. "It takes longer when the sites are located overseas and increasingly, more and more of these sites are showing up in Eastern Europe and Asia. Quite often, by the time something is shut down the damage is done." Jevans noted that pilfered funds pass through temporary accounts and are eventually electronically shuffled to offshore accounts in a way that makes the money trail almost impossible to follow. "Regrettably, no phishers have been caught yet," Jevans said.
