Gone Phishing


Cyber criminals have gone phishing, and you might end up as the catch of the day. Phishing is the act of sending an e-mail that claims to be from a legitimate enterprise in an attempt to scam the recipient into providing personal data that will be used for identity theft.







The e-mail typically directs the recipient to a Web site where he is asked to update personal information, such as passwords, credit card numbers, social security numbers, or bank account numbers, that the legitimate business already has. But the Web site is phony and exists only to steal the user's information.

In 2003, for example, there was a widespread phishing scam in which e-mail that looked like it was from eBay told people that their accounts were about to be suspended unless they clicked on a provided link and updated their credit information. The e-mail looked legitimate, but it's fairly easy to make a site look like the real thing, with imitated HTML code and some cut-and-paste graphics. And by sending out the e-mail to a large number of people, the phisher was reasonably sure that a percentage of the recipients actually did have accounts with eBay and that at least some of those would be cajoled into following the directions.

This practice, also known as "brand spoofing" or "carding," was first identified in 1996. It is on the rise largely because it's easy to do and because many Internet users are too trusting and blindly follow directions.

So who's doing all this phishing? According to a recent article in Forbes by Lea Goldman, they are "average students, bored stay-at-homes, and low-end criminals who have discovered how easy it is to pick the locks on the Web." More seasoned criminals aid them in their efforts. Goldman reports that phishers "get technical help from any of 50 or more gangs of professional criminals, operating mostly in Russia and Eastern Europe, where legions of unemployed programmers have found steady work as free-lance hackers."

How wide a net do phishers cast? Gartner, a technology consultancy firm, conducted a survey that showed 57 million American adults received e-mail attacks from phishers, and more than 90 percent said the attacks happened within the past year.

Gartner's research confirms that millions of consumers unknowingly fall for phishing attacks. And this has made consumers nervous. Phishing attacks undermine people's confidence in real e-mail messages from legitimate businesses, threatening consumer trust in the foundation of Internet-based communications.

Everyone who uses e-mail is a potential victim. As Goldman notes, "Phishing has exploded in the last two years, becoming the crack cocaine of cyberspace: easy to produce, easy to fall for."

In the 12 months through April 2004, 57 million Americans received what they believed was a phished e-mail, according to Gartner. Even more seriously, 1.8 million Americans responded to the messages, and 980,000 said they were ripped off.

Direct losses from identity theft fraud against phishing attack victims, including new-account, checking account, and credit card account fraud, cost U.S. banks and credit card issuers about $1.2 billion last year.

But Forbes estimates that the amount stolen "is just a sliver of the total damage done. Figure in the amount spent on security software to stop the phishers, the damage to brand names, and the value of time lost straightening out the messes they make, and you have a multiple of that total. Guessing at an admittedly fuzzy total, Shawn Eldridge, chairman of the Trusted Electronic Communications Forum in Dallas, comes up with $50 billion."

Among the most often targeted companies, based on the almost 2,000 documented attacks last July, were Citibank, U.S. Bank, eBay, PayPal, AOL, and Amazon. Financial services companies are targeted 75 percent of the time.

While there have been some notable arrests and prosecutions, phishing is a kind of electronic pocket-picking that's difficult to stop. Forbes believes that the online industry in general is reluctant to put further safeguards in place because protocols such as asking for passwords for each transaction would make electronic commerce more cumbersome. And disallowing items to be sent to addresses other than a credit card's billing address, a serious deterrent to phishers, would discourage gift-shoppers.

It may also be easier for a financial institution such as Citibank to simply block a stolen account than to spend the effort and resources to launch a prosecution. And sharing patterns of criminal activity with competitors and law enforcement officials would give them a peek into proprietary Internet procedures, which is not an attractive prospect.

Besides, phishing wouldn't be a problem if so many people didn't bite on those tantalizing e-mails. The best defense against the practice is for people to take responsibility for their own online security.

One of the best practices is never to navigate to an e-commerce site through a link provided by a third party; instead, always use your own bookmark or retype the address carefully.

Additionally, there are several sites that offer specific advice on how to avoid phishing scams and what to do if you think you've given information to a scammer. The Federal Trade Commission provides six guidelines:

If you get an e-mail or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don't ask for this information via e-mail. If you are concerned about your account, contact the organization named in the e-mail using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address. In any case, don't cut and paste the link found in the message.

Don't e-mail personal or financial information. If you initiate a transaction and want to provide your sensitive data through an organization's Web site, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a website that begins "https," in which the "s" stands for "secure." Unfortunately, no indicator is foolproof; some phishers have forged security icons.

Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

Use anti-virus software, and keep it up to date. Some phishing e-mails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. It's especially important to run a firewall if you have a broadband connection. Also, your operating system may offer free software "patches" to close holes in the system that hackers or phishers could exploit.

Be cautious about opening any attachment or downloading any files from e-mails you receive, regardless of who sent them.

Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov. If you believe you've been scammed, file your complaint at www.ftc.gov, and then visit the FTC's Identity Theft Web site at www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft. Visit www.ftc.gov/spam to learn other ways to avoid e-mail scams and deal with deceptive spam.
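As an added example (not part of the article or the FTC's material), the following Python snippet applies the first two guidelines to the links in an HTML e-mail body: it flags links that are not https, links whose visible text names one domain while the href goes to another, and links that mention one of the brands the article lists as frequent targets while pointing somewhere else. The brand-to-domain mapping, the sample e-mail and the hostname in it are constructed assumptions for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the article names as frequent targets, mapped to the domain a genuine
# message from each would link to (assumed values for this demo).
BRAND_DOMAINS = {"ebay": "ebay.com", "paypal": "paypal.com", "citibank": "citibank.com"}

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registered_domain(host):
    """Crude 'last two labels' rule; sufficient for the demo domains above."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html_body):
    """Return (href, reason) pairs for links showing the FTC warning signs."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = _registered_domain(url.hostname or "")
        if url.scheme != "https":  # no 's' in the scheme: not the secure indicator
            findings.append((href, "link is not https"))
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and _registered_domain(shown.group()) != host:
            findings.append((href, f"text shows {shown.group()} but link goes to {host}"))
        for brand, domain in BRAND_DOMAINS.items():
            if brand in text.lower() and host != domain:
                findings.append((href, f"mentions {brand} but link goes to {host}"))
    return findings

# Constructed sample body in the style of the eBay account-suspension scam described above.
SAMPLE_EMAIL = """<p>Your eBay account will be suspended unless you update your details.</p>
<a href="http://ebay-secure-update.example.net/login">http://www.ebay.com/update</a>
<a href="https://www.ebay.com/help">eBay Help Center</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` reports three findings, all for the first link; the genuine https link to the brand's own domain produces none.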

We can forecast six likely developments from the phishing trend:

First, phishing attacks will continue to erode consumer confidence in online transactions. This will have a significant impact, not only on Internet transactions, but on services such as online banking and bill paying, which many financial services companies are counting on to reduce costs and expand their business.

Second, the double-digit expansion of U.S. e-commerce will slow unless providers are able to restore consumer confidence in the security of online business. Gartner envisions e-commerce growth will slow to 10 percent or less by 2007, if safeguards are not implemented.

Third, the threat of phishing presents a big opportunity for companies that can provide security for Internet commerce. Firms that offer new software or sophisticated screening techniques will thrive if they can establish a high probability of scam-free activity.

Fourth, banks will realize that they have inadequate systems to prevent fraud. They will be forced to establish better customer authentication procedures, and will start adopting new techniques that are beginning to reach the market. (For more details, refer to Trend #6 on biometrics.)

Fifth, average computer users will continue to be lax about their own Internet vulnerability. Enlightened users will become much more sophisticated about their own security. This will lead to a two-tiered computer marketing environment: one geared for marginally adept users and one geared for premium, high-end users.

Sixth, security will be the vehicle that will "undemocratize" the Internet. Access will narrow for most users because of the increased cost of providing services to them with minimal security. Premium access will expand for those users who are more sophisticated.

Reference List:
1. Russell Kay, "Phishing," Computerworld, January 19, 2004. © Copyright 2004 by Computerworld, Inc. All rights reserved.
2. Lea Goldman, "Cybercon," Forbes Global, October 4, 2004. © Copyright 2004 by Forbes Publishing Inc. All rights reserved.