Security experts blast New Jersey AG
Security experts are saying that a well-intentioned effort by the New Jersey
Office of the Attorney General to combat phishing may backfire.
Earlier this week, State Attorney General Anne Milgram called
on four banks -- Bank of America, Citibank, Washington Mutual, and New Jersey-based
Sun National Bank -- to provide her with details on how they respond to phishing
incidents.
This is a good move that will probably raise awareness about phishing, observers
say. However, Milgram also asked the banks to send e-mail to their online customers,
warning them that the bank has been a recent target for phishing scams and offering
advice on how to tell fake e-mails from the real thing.
That raised a red flag with anti-phishing experts.
"The New Jersey Attorney General asking the banks to send out another
e-mail to clients is opening up ... those banks to be phished yet again,"
said Paul Laudanski, leader of the Phishing Incident Reporting and Termination
squad project. "I can see the phishers writing in a new e-mail scam campaign
'The New Jersey AG has asked us to inform you that you have been phished, please
click this link to secure your account.' Trouble, trouble, trouble! This is
a setup for failure," he wrote in an e-mail message.
Dave Jevans, chairman of the Anti-Phishing Working Group, said that while he
applauded Milgram's effort to educate consumers by inquiring directly with bank
CEOs, he "would have preferred that the Attorney General waited to hear
back from these banks before issuing a request to send e-mails out to all their
customers. That type of e-mail can set the stage for waves of copy-cat phishing,"
he said via e-mail. "If the phishers send out fake e-mails of this type
before the banks get to it, there's a potential problem."
Even Katherine Tassi, Washington State's assistant attorney general, said she
thought there could be problems. "Consumers are already confused enough
about whether e-mail from a bank is authentic or not," she said via e-mail.
"A lot of banks do, in fact, communicate by e-mail to their consumers,
which is something that makes the problem worse." That's because consumers
become more trusting of the e-mails, even messages that may be from a malicious
source.
Milgram's spokesman, Lee Moore, said that banks should use every means possible
to educate their customers about phishing -- including e-mail. "Banks need
to compete with the phishers in the customer's e-mail box with the right message,"
he said.
The New Jersey AG has been receiving more and more phishing complaints of late
and is coming to view the phenomenon as a growing concern, Moore added.
As of late Thursday, his office had not heard back from any of the banks.
IDG News Service







