
Cheat Sheet: Phishing

Everything you need to know about these scams...
Phishing? Isn't that spelled wrong? Rods, reels, hook, line and sinker and all that...
'Hook, line and sinker' is strangely relevant but this has nothing to do with harvesting our rivers, lakes and oceans for fish - this is all about fraud and con artistry.

Go on... sounds 'phascinating'...
Very droll (the name is simply based on a hacker convention of rewriting words with 'f' as 'ph' - as in 'phone phreaking'). At its simplest level phishing is a case of con artists asking users for their bank account and other personal details and a user obliging.

You're not telling me it's that simple?
As the name suggests it requires a little angling - a little invention on the part of the scammer. Typically they need to use 'social engineering techniques'.

Social engineering? Explain please.
Typically these scams involve a spoofed email - often claiming to be from a bank or a payment services company such as PayPal. Often they will say you need to confirm your account details by visiting a cleverly spoofed version of the company's website. It looks official - sometimes - but via these dummy pages victims are often surrendering a lot of very sensitive and important data.

So these are very clever scams?
They display varying degrees of sophistication. Some are plain text and clearly bogus, but some are very advanced and could pass for the real thing bar a few give-away signs - such as an inconsistent URL which looks genuine apart from a strange word or rogue character that the user may not pick up when scanning the page and assuming it to be real.

Mark Sunner, CTO of MessageLabs, says: "Phishing scams are really quite sophisticated - it's high level social engineering and for individual users the financial losses can be huge."
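The give-away signs described above (a link whose visible text names one site while it actually points to another, a rogue character or borrowed brand name in a domain, and an urgent demand for account details) can be checked mechanically before a user ever has to eyeball the page. The following Python script is an added example for this cheat sheet; it is not code from silicon.com or MessageLabs. The list of "legitimate" domains, the phrase lists and the sample message are all constructed for the demonstration, and a real deployment would take the domain list from the bank's own published statement of how it contacts customers.

```python
"""Added example (not from the original article): scoring an email for the
give-away signs the article describes - an inconsistent URL, a rogue
character in a domain, and an urgent demand for account details.
Every domain, phrase list and sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a bank or payment provider might publish as the only ones it uses
# to contact customers (hypothetical list for this demonstration).
LEGITIMATE_DOMAINS = {"paypal.com", "barclays.co.uk", "ebay.com"}

# Pressure phrases of the kind the article quotes, and requests for details
# a real bank would never ask for by email.
URGENCY_PATTERNS = [r"account will be (closed|suspended)", r"within \w+ days",
                    r"confirm your (account|details)"]
SENSITIVE_PATTERNS = [r"credit card number", r"date of birth", r"password", r"\bpin\b"]

# Single-character swaps that make a rogue domain look genuine at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Visible link text that itself looks like an address, e.g. www.paypal.com
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered-domain extraction: last two labels, or three for
    second-level registries such as .co.uk (enough for the demonstration)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(host, target):
    """Return the legitimate domain that `host` imitates, or None."""
    if not host or target in LEGITIMATE_DOMAINS:
        return None
    for legit in LEGITIMATE_DOMAINS:
        if target.translate(HOMOGLYPHS) == legit:   # rogue character, e.g. paypa1.com
            return legit
        if legit.split(".")[0] in host:              # brand used as a decoy subdomain
            return legit
    return None


def analyse_email(html_body):
    """Return a list of (severity, finding) tuples for an HTML email body."""
    findings = []
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        target = registered_domain(host) if host else ""
        # 1. Inconsistent URL: the text shows one address, the link goes elsewhere.
        shown_host = None
        if URL_LIKE.fullmatch(text):
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        if shown_host and registered_domain(shown_host) != target:
            findings.append(("high", f"link text '{text}' but href goes to {host}"))
        # 2. Rogue character or borrowed brand name in a domain that is not the real one.
        imitated = lookalike_of(host, target)
        if imitated:
            findings.append(("high", f"{host} imitates {imitated}"))
    # 3. The pressure and the request for details, checked on the visible text.
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(re.search(p, plain) for p in URGENCY_PATTERNS):
        findings.append(("medium", "urgent threat of account closure or suspension"))
    if any(re.search(p, plain) for p in SENSITIVE_PATTERNS):
        findings.append(("medium", "asks for sensitive details by email or web form"))
    return findings


# Constructed sample message in the style the article describes.
SAMPLE_EMAIL = """
<p>Dear valued customer,</p>
<p>Your account will be closed within seven days if you do not confirm your
account details, including your date of birth and credit card number.</p>
<p>Please visit <a href="http://www.paypa1.com/verify">www.paypal.com</a>
or <a href="http://paypal.com.secure-login.example/login">secure login</a>.</p>
"""

if __name__ == "__main__":
    for severity, finding in analyse_email(SAMPLE_EMAIL):
        print(f"[{severity}] {finding}")
```

Run on the sample the script reports three high-severity findings (the visible `www.paypal.com` pointing at `paypa1.com`, that domain imitating `paypal.com`, and the decoy `paypal.com.secure-login.example`) plus the two medium ones for the closure threat and the request for card details. The brand-in-host check is deliberately blunt and will flag legitimate third parties that mention a bank in their own hostname, so in practice it belongs in a scoring pipeline rather than a hard block, and the domain list must come from what the bank itself publishes.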

Surely though you'd have to be a little foolish to be duped?
There is always going to be an element of gullibility about people who fall for these scams - but don't underestimate the sophistication. A few have fooled large numbers of users - 30 million Americans were duped last year. But of course there are also people out there who fall foul of such ploys far too easily. Over the years there have been instances of people submitting details to spoofed banks they don't even bank with - simply because it looked official and there was some underlying threat that panicked them, often along the lines of 'Your account will be closed within seven days if you do not confirm the below information' when requesting name, date of birth, credit card number and similar details.

Who is being targeted?
The scammers aren't picky. Barclays, Citibank, NatWest, Lloyds TSB and Halifax are a few of the banks who have been used already. Auction sites such as eBay have also been used for phishing scams - though the idea there is slightly different.

So what do they do with the auction sites?
The scam will be emailed out to large lists of people asking them to confirm their eBay or QXL account details for example, because the database is being cleaned up, or some such excuse. Obviously a number of recipients will be members of popular sites such as eBay and many of those will be fooled. Once the scammers have people's IDs they can then log in as that person and start selling bogus goods - knowing any comebacks won't hit them.

How much of a problem is this?
It's a huge problem, for a number of reasons. The most obvious issue is that people who are falling for this kind of scam are often stung very badly financially. Phishing is now the fastest growing form of consumer theft. Then there is the fact that the bulk of phishing emails adds to the general deluge of spam.

So give me some numbers.
According to MessageLabs, phishing has certainly reached plague proportions. In September 2003 the number of phishing emails encountered by MessageLabs was 279. By May this year - just eight months later - the company saw almost 250,000 of them.

Blimey! What's being done about this?
As with other scams there are processes in place for reporting these phishing emails. But essentially law enforcement agencies are attempting to stem a near impossible tide. You can find out more at the website of the National Criminal Intelligence Service. Essentially though, education will prove more beneficial than legal means of prevention and prosecution. Banks in particular need to ensure their customers are informed of the risks and many now routinely contact customers to alert them to the threat of phishing scams and inform them of the legitimate ways they will try to contact them - so they can disregard all other approaches.

Banks are walking a tightrope of customer confusion and brand damage and those are risks they cannot take. Some even fear for the future of ecommerce as a whole.

...and we wouldn't want that...
Quite. So be on your guard and be suspicious of anything which asks for details you wouldn't normally submit via email or asks for them in a way that is new or alien to you and your bank.
