by Lorraine Cosgrove Ware

Phishing Sinks Confidence in E-Commerce

Oct 15, 2005 | 2 mins
IT Strategy

Consumer confidence in the security of their online transactions is slipping due to the growth of phishing-related fraud and identity theft, Gartner reports. As a result, consumers are curtailing their online purchases.

Phishing is the sending of an e-mail by cyberthieves with a link to a fake website that is disguised to look legitimate, in order to lure recipients into divulging personal information. Gartner estimates that 73 million adults who use the Internet received a phishing e-mail between May 2004 and May 2005, and that 2.4 million online shoppers lost money as a direct result of phishing.

Most of the losses were repaid by banks and credit card companies. Nevertheless, 75 percent of the 5,000 online consumers whom Gartner surveyed in May said they have become more cautious about where they shop online, and one-third reported buying fewer items than they would typically purchase due to security concerns. Eighty percent of those surveyed said they now trust commercial e-mail less, while 85 percent claimed to delete unexpected e-mails without ever opening them.

Unless companies take steps to combat phishing, the report says, they will not be able to count on online selling and e-mail as methods to draw customers.

Best Practices:

1. Use your website to educate customers about fraudulent sites. Warn them about phishing schemes you know about, and instruct them not to click on links provided in e-mails that purport to be from your company. Advise them to type your address directly into their browsers to get to your site. If possible, provide online customers with some type of authentication, such as a personalized greeting, every time they visit.

2. Make it a policy not to ask customers for personal information via e-mail, and remind them frequently of this policy. Enforce the practice with employees.

3. Have a process in place to take action against phishers when attacks occur, and to reassure customers. As part of this process, collect information from customers about the attack, specifically, the IP address of the phisher. Contact the ISP and report the incident, and then call law enforcement.