While antivirus software has been doing much to reclaim the Internet for ordinary people, fears of identity theft through scams such as phishing and pharming (redirecting Web site traffic to a different, bogus site) continue to prevent many from conducting business online. Retailers, banks and most other organizations have a vested interest in making the Internet a safe place to do business, and some of that responsibility lies with the IT department.
The damage caused by phishing ranges from loss of access to e-mail to substantial financial loss. The U.S. alone loses billions of dollars to phishing scams every year, and these figures are repeated on varying scales in countries around the world. The reason for this is twofold — the skill of the phishers in their well-crafted schemes, and the ignorance and gullibility of the online community. Once a victim has, in good faith, given out their social insurance number and credit card details to a fake Web site, phishers are able to open fraudulent accounts in the victim's name and reap the financial rewards.
Beware the spear fisher
Spear phishing is a relatively new technique that should be of concern to IT departments everywhere. Phishing is much like casting a large net; sooner or later the scammer will catch a fish. Spear phishing, on the other hand, describes any phishing attack that has a distinct target in mind — usually a certain company, government agency, organization, or group. Spear phishers send e-mail that appears genuine to all the employees or members within the targeted organization. The e-mail is usually from a trusted source — for example, a key IT support person — requesting something as innocent as user names or passwords.
If an employee responds with such information, or clicks links or opens attachments in a spear phishing e-mail, pop-up window, or Web site, that person might become a victim of identity theft. As well, the information may help the scammer gain access to the company’s entire computer system.
Spam filters are an important first line of defence against phishing attempts because they reduce the number of phishing-related e-mails that users receive. Anti-phishing software is available that helps to sniff out phishing content on Web sites, acts as a toolbar that displays the real domain name for the visited Web site, or spots phishing attempts in e-mail.
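The toolbar behaviour described above, showing the user the host the browser will really connect to, can be approximated in a few lines. This is an added illustration, not code from the article or from any product it mentions; the brand name "examplebank" and the URLs are constructed, and the registrable-domain check is a simplification that ignores the public suffix list.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed list of brand names the user expects to be dealing with. A real
# toolbar would take these from the user's bookmarks or a curated list.
EXPECTED_BRANDS = {"examplebank"}


def _split(url: str):
    # Assume http:// when the scheme is missing, as a browser's address bar does.
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url: str) -> str:
    """Return the host the browser will actually connect to.

    urlsplit separates any user:pass@ prefix from the hostname, so
    http://examplebank.com@203.0.113.5/login connects to 203.0.113.5,
    not to examplebank.com.
    """
    return (_split(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def phishing_warnings(url: str) -> list:
    """Return the reasons a URL looks deceptive; an empty list means none found."""
    parts = _split(url)
    host = real_host(url)
    warnings = []
    if parts.username is not None:
        warnings.append("credentials before '@' hide the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    reg = registrable_domain(host)
    brand_label = reg.split(".")[0]
    for brand in EXPECTED_BRANDS:
        # The brand is legitimate only as the registrable domain's own label;
        # seeing it in a subdomain, the path or the userinfo is a classic lure.
        elsewhere = host + parts.path.lower() + (parts.username or "").lower()
        if brand_label != brand and brand in elsewhere:
            warnings.append(f"'{brand}' appears outside the real domain {reg}")
    return warnings
```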
For banks and other organizations susceptible to phishing attacks, certain dedicated companies offer round-the-clock services to monitor, analyze and potentially shut down offending phishing Web sites. The Scandinavian bank Nordea, which was the target of a broad phishing scam in 2005, suspended its online service altogether until the threat had been neutralized.
What you can do
Since, for the most part, phishing only succeeds through social engineering, the best way to beat it is to ensure that users are wise to the conman’s tricks. Your company should inform its users regularly about the phishing threat and have written security guidelines that will help them identify and deal with such threats. In particular, users should be made aware of the possibility that they may receive spoofed e-mail purporting to be from the IT department. If in doubt over the legitimacy of such an e-mail, they should be told to contact IT support staff directly.
One Internet pundit suggests that everyone with the time and energy should reply to the phisher with bogus information, thus multiplying the time, energy and frustration required to gain any reward from such criminal pursuits.
A combination of knowledge and software is needed to beat the phishing problem. User education is important and helps prevent users from becoming the victims of most phishing attacks. However, such attacks are becoming more and more complex, and it is getting increasingly difficult for users to spot the more sophisticated ones without the aid of technical countermeasures. This is one of the reasons why anti-phishing solutions are also highly recommended for everyone.
What the authorities are doing
The U.S. was the first country to prosecute phishing perpetrators, followed closely by Britain and Brazil, both of which have actively pursued and convicted phishers. In 2005, the U.S. created legislation, the Anti-Phishing Act, which puts the guilty at risk of a five-year jail term or a fine of $250,000. Federal prosecutions aside, there are a number of lawsuits being pursued by such giants as Microsoft and AOL to bring the guilty to book.
Experts believe that the general rise in knowledge about phishing and the continuous improvement in methods to block it will ultimately clamp down on this particular criminal pursuit. Nevertheless, the criminals who profit from this multibillion dollar global fraud may yet prove themselves tough adversaries.
In a 2005 report entitled “Increased Phishing and Online Attacks Cause Dip in Consumer Confidence”, Gartner predicted that reluctance to do online business among consumers could inhibit U.S. e-commerce growth rates by one to three percent through 2008. The report stated that not only is phishing on the rise but also that consumer education efforts to combat it are being outweighed by the sheer numbers of people coming online with no knowledge of this particular activity.
With new ‘under the radar’ attacks that use URLs embedded in attachments to install a keylogger, allowing a hacker to obtain user information covertly and remotely, many people are not even aware that they are the target of such attacks.
The impact of phishing on the online business community is substantial. Many people are now suspicious of all e-mails sent to them through ‘official’ channels. As a result, they want businesses to provide proper secure connections at no extra cost. As well, they want to deal with Web sites that have the capability of authenticating themselves to the user, rather than vice versa.
More work for the IT department, and one more reason to diligently pursue the war on Internet scam artists.
Mikko Hypponen, Chief Research Officer at F-Secure Corporation, leads the Anti-Virus research lab that cracked the SoBig F. virus in conjunction with the FBI, and stopped the LoveLetter virus, the largest virus incident in the world.