How does PayPal defend against phishing? One of the back-end defenses we have is a lot of fraud modeling. It's very advanced, and it's resulted in extremely low fraud rates compared to the rest of the financial services industry. We've gotten very good at detecting fraud on the back end, so what's [the phishers'] response? They generate more mail on the front end.
Can you quantify losses due to phishing for PayPal? Forty-one basis points is the total fraud number [on PayPal's fraud model], and we don't break out where phishing is in that overall mix. I will say, it isn't very high on that list. That's one of the issues here--there is a perception there is a huge problem, whereas the financials don't indicate that.
How much can you share about your fraud models? They're internally developed. We don't talk about what they do, because this is an area where the more you disclose about what the models are looking for, the more you're telling the bad guy how to evade them. I can say, they're broad-based, real-time front- and back-end inspection models. They look at a number of variables around behavioral patterns to determine whether a customer is who they say they are. But the proof of the pudding is in the eating: Our fraud rating is 41 basis points, or less than a half of one percent. That is substantially lower than any credit card company.
What levels of sophistication are you seeing with phishing attempts? Eighteen months ago, you could spot most phishing attempts--grammatical errors, sites with kludgy graphics. Clearly, they've gotten more professional since. There's way fewer errors being made that are giving away the fact that a piece of phishing mail has arrived or it's a phishing site you've arrived upon. In terms of phishing attacks, we're seeing increasing levels of vertical specialization in the criminal community. One guy focuses on a sliver of crime. That has increased.
How much responsibility should ISPs and carriers take for filtering phishing in the Internet cloud? That's a difficult question. The difficulty is, how do you incent someone who doesn't make more money if they address the problem or help you with a strategic goal? It's a question of how to link the problem to them so they get engaged. It is all about industry cooperation and dragging people into that communication.
Download the full interview with Michael Barrett at searchsecurity.com/ismag.