Phishing and Identity Theft
Phishing has emerged as one of the most damaging forms of identity theft, and has proven to be a very effective way to trick millions of users into revealing confidential information that can then be used to steal their identities. Research firm Gartner estimates that around 57 million U.S. Internet users receive phishing e-mails each year, and as many as 1.8 million may have divulged personal information as a result.
Phishing scams usually start as an e-mail from what appears to be a legitimate and well-known company, often a bank or credit card company. In most cases, the e-mail will claim that the company is either verifying or updating account information, or conducting a security exercise, and in order to do so, the company requires you to re-enter the information to keep your account up-to-date.
More often than not, the e-mail includes a veiled threat. For example, if you don't respond immediately, your account will be closed in 24 hours, or something similar. The e-mail will then usually have a link to a bogus website or may even have an HTML form built into it, so you can enter your information without visiting a website. This kind of attack is also known as "brand spoofing," where the e-mail and the website look almost identical to the websites of well-known brands. Spoofed brands have included companies like Bank of America, eBay, CitiBank and PayPal.
According to the Anti-Phishing Working Group, a non-profit organization that tracks phishing attacks:
- Between January 2005 and January 2006, more than 190,000 different phishing scams were reported
- January 2006 saw four times as many new phishing websites as January 2005
- In January 2006, 101 brands were reported "hijacked" by phishers
- January 2006 also saw the highest recorded number of phishing-based keylogger Trojans (184)
- The U.S. is the largest host of phishing websites (36.57%), followed by China (8.98%) and Korea (7.7%)
Phishing scams can use convincing but bogus e-mails to attract users to a "loaded" website. "Loaded" means the website is not only a fake site that tries to trick users into revealing confidential information, like a credit card number, but the site also carries a worm or virus that adds some extra punch and helps to spread the phishing mail to thousands of other users. Security experts call these "blended attacks," where two or more attacks are combined for maximum impact.
When the first phishing expeditions appeared, they were very easy to spot. For one thing, the e-mails were fairly crude, and the very poor spelling and grammar were usually enough to expose the fraudulent emails. But today the e-mails and websites are much more sophisticated, using realistic graphics, logos, and marketing language you'd expect from a professional company. And, unfortunately, that's going to make these attacks — and the resultant identity theft — increasingly hard to detect.
What we have learned from these kinds of attacks is that identity thieves are constantly adjusting and improving their tactics, with a constant focus on getting into our comfort zone where we trust the party sending us the e-mail because we think we know them. It's just another example of getting inside the minds of victims and luring them into familiar territory where an attempt at identity theft is easiest.
So why does phishing work?
Mainly because of poor consumer education and lack of awareness. According to a study by Harvard University and UC Berkeley called "Why Phishing Works," 90 percent of subjects in the study were unable to pick out a highly effective phishing e-mail when simply judging whether or not it was genuine.
When viewing a spoofed Bank of the West e-mail pointing to the phishing website www.bankofthevvest.com (with a double "v" instead of "w"), complete with a padlock in the page content, a spoofed VeriSign logo and certificate validation seal, and a pop-up consumer security alert, 91 percent of participants guessed it was legitimate.
When presented with a genuine E*Trade e-mail that directed recipients to a legitimate secure site with a simple, graphic-free design optimized for mobile browsers, 77 percent of participants guessed it to be a fake. And nearly a quarter of participants in the research study didn't look at the address bar, status bar or security indicators on the phishing sites.
Pharming is a term used to describe a type of attack that uses bogus websites with web addresses very similar to legitimate websites. Pharming sites usually lie in wait for unwary users to stumble across them, or mistype a URL or web address and then submit sensitive information in the belief they are on a legitimate website.
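The look-alike addresses described above (the "vv"-for-"w" spoof of bankofthewest.com, and the mistyped domains that pharming sites wait for) can be caught with a simple defensive heuristic. The following Python is an added example, not code from the article; the allow-list of genuine domains and the confusable-character table are assumptions constructed for it.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of genuine brand domains (an assumption for this example).
LEGIT_DOMAINS = ["bankofthewest.com", "paypal.com", "ebay.com", "citibank.com"]

# Character sequences that look alike in many fonts, mapped to one canonical form,
# so "vv" and "w" (or "rn" and "m", "1" and "l") collapse to the same skeleton.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

def extract_host(url):
    """Pull the host out of a URL or bare domain; returns '' when nothing host-like is found."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/?#]+)", url.strip(), re.I)
    if not m:
        return ""
    authority = m.group(1).rsplit("@", 1)[-1]      # drop any user:pass@ prefix
    return authority.split(":")[0].lower().rstrip(".")

def registrable(host):
    """Naive registrable domain: last two labels (no public-suffix list, by design here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def skeleton(name):
    """Collapse confusable sequences so visually similar names compare equal."""
    for src, dst in CONFUSABLES:
        name = name.replace(src, dst)
    return name

def lookalike_check(url, legit=LEGIT_DOMAINS, threshold=0.85):
    """Classify a URL as 'legitimate', 'lookalike' (with the brand it imitates) or 'unknown'."""
    host = extract_host(url)
    if not host:
        return ("unknown", None)
    reg = registrable(host)
    if reg in legit:
        return ("legitimate", reg)
    best, best_score = None, 0.0
    for good in legit:
        # 1) identical once confusables are collapsed: bankofthevvest.com -> bankofthewest.com
        if skeleton(reg) == skeleton(good):
            return ("lookalike", good)
        # 2) brand name embedded in some other registrable domain: paypal.com.example.net
        if good.split(".")[0] in host.replace(".", "-"):
            return ("lookalike", good)
        # 3) close edit similarity, which catches single mistyped or swapped characters
        score = SequenceMatcher(None, skeleton(reg), skeleton(good)).ratio()
        if score > best_score:
            best, best_score = good, score
    return ("lookalike", best) if best_score >= threshold else ("unknown", None)
```

The check is deliberately conservative: anything not on the allow-list and not visibly imitating a listed brand is reported as "unknown" rather than safe.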
Phowning refers to a more sinister and personal form of phishing that uses phone calls, often pre-recorded messages, to trick users into revealing sensitive information. The calls can often purport to come from the IRS or your bank, threatening legal action for unpaid taxes, or from a local court threatening an arrest warrant for failure to appear for jury duty. The scams often use sophisticated interactive voice response systems to sound like they're legitimate.
Spear Phishing is a form of phishing that personally targets victims by using personal information about the user to build trust. This attack can be as simple as using the victim's first name in a phishing e-mail, or using phone callers that already know the victim's home address or employer.
So what can you do about phishing, pharming and phowning scams?
Phishing is probably unique among crimes because of one major difference: to succeed, a phishing scam requires the victim to be a willing, albeit unwitting, participant. You, the target, have to respond to the phisher's request and hand over your personal information, whether through an e-mail, a website, or a phone call. If you don't cooperate, the crime can't happen.
- Never provide confidential, personal, or security information in response to any e-mail. If the e-mail claims to be from a financial institution you have an account with, call the institution directly using the customer service number listed on their website.
- Teach all family members to be wary of such e-mails — it only takes one unsuspecting user to open the door to identity theft.
- Be very careful when typing in the URL or web address of important websites, like your bank or credit card company. Many bogus phishing or "pharming" websites lie in wait for users to make the mistake of mistyping a web address and revealing sensitive information to what they think is their bank or ISP.
- Don't reveal any confidential information to phone callers, even if they claim to be from your bank, the IRS or any other organization. No such organization would ever request such information without first proving that they are legitimate, not phishing.