
Image: Chad Baker (computer) and Riko Pictures (hooks), Getty Images
In Brief
- A form of online crime that lures people into giving up personal or corporate information, phishing is a growing security threat that already costs victims billions of dollars every year.
- Because phishing exploits human vulnerabilities, studying the factors that make people fall for phishing scams can improve antiphishing training and technology.
- The combined efforts of law enforcement, computer security experts and computer users are needed to reduce the success of phishing.
Over just a few weeks, I received e-mail messages from several banks warning me that my online banking services were in danger of being deactivated, from eBay telling me that I needed to change my password, from Apple complaining that I had unpaid bills for music downloads, from an airline offering me the opportunity to earn a quick $50 for filling out a survey and from the Red Cross asking me to contribute money to help earthquake victims in China. These messages were all very convincing and looked authentic. Except for the eBay message, however, they were all fraudulent e-mails known as “phish.”
Phish e-mails are constructed by con artists to look like legitimate communications, often from familiar and reputable companies, and usually ask victims to take urgent action to avoid a consequence or receive a reward. The desired response typically involves logging in to a Web site or calling a phone number to provide personal information. Sometimes victims need only click on links or open e-mail attachments for their computers to become infected by malicious software—known as malware—that allows phishers to retrieve the data they want or take control of the victim’s computer to launch future attacks. Although the details of phishing scams can vary, the result is usually the same: thousands of unsuspecting victims give information to criminals who then use it to break into their accounts and steal their money or identities, or both.
12 Comments
Wow, this is scary stuff. In fact, it almost sounds hopeless. I was almost a victim of the work-at-home scammers. Fortunately they made it sound too good to be true. After I passed on 'purchasing' their work-at-home kit, I saw one of their victims on the news. I love surfing the net, but I desperately want to believe I'm safe when I click on a link. I hope all of the smart techies will be able to educate us. I am more than willing to read and heed any warning that will help me (a non-techie) save myself. Thanks for the help. Please keep it coming.
I would like to propose the following: If a lot of people responded with phony information to phishing requests, the phishers would spend all their time trying invalid names, accounts and passwords. Hopefully to the point that it would stop being worth their time. Of course I would first set up a browser with all JavaScript and ActiveX controls turned off to prevent malware and other infections.
As nice as this article is - if the author(s) are truly interested in informing the masses on how to avoid loss due to phishing - the article needs to be severely boiled down to absolute specifics of what users can do to avoid and thwart phishers. Those specifics should be numbered.
Reply | Report Abuse | Link to thisHowiewz, although I'm sure you want to help, I'm afraid you underestimate the talents of the current crop of bad guys.
Simply clicking on the link in the e-mail may be all they need to attack your computer. It can take you to a web site that has hidden code which will automatically download a malicious program as soon as you click on the page. (You may want to Google "clickjacking".) They may not even be looking for your personal information at that time. They want control of your computer, instead. When they have control of thousands of computers, they have a "botnet," which is used in any number of ways to create havoc for big profits.
Current malware has moved far beyond doing anything obvious. The writers of the malware want to hide what they are really doing.
By answering their e-mail, even to give false information, you may unwittingly fall into the trap. Plus, you have now told the sender of the e-mail that they have a live person/computer/e-mail address on the other end of their phishing e-mail, rather than a non-existent or out-of-date address.
The only safe thing to do with suspicious e-mail is to delete it. Don't open it. Don't answer it. Just get rid of it.
Also, set your e-mail client to not display the contents of a message in a preview frame, and turn off HTML in your message viewer, so that you always read your messages in plain text. This will prevent malicious code from running automatically when the e-mail is opened.
Phishing and malware attacks seem to rely on the fact that most people use one email address for everything.
One thing that people can do to thwart phishing scams is to use separate email addresses for their vulnerable data accounts.
I use one email address for PayPal, another email address for my bank, another for my investments. No one but those entities has those email addresses. And so far none of those entities has compromised those email accounts. I get no spam to any of those accounts.
The email address I have which gets phishing and spam emails is the one that I give out freely. But because I know that my banks, investments and PayPal do not have my "everyday" email address, it's easy to spot phishing emails sent to that address.
This article misses one of the most important techniques to prevent phishing. When I log in to, e.g., ingdirect.com, it shows me a unique image that I chose. This is a powerful, simple, and cost-free deterrent.
Unfortunately, many sites don't get it yet. I wrote to PayPal, asking them to implement something similar. The response I got was completely clueless.
You're not scared enough yet? Well, read this:
http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html?hpid=sec-tech
Yes, lurker is correct, responding to those emails is not worth it. The malware uses the information you give automatically; it takes no additional effort from them to have failed attempts. Look at how many emails they send out, very few respond, they don't mind additional effort as long as it pays off with just one person. You will be doing nothing but letting the attackers know you are there and that they have to try just a little harder.
Always mark suspicious emails as spam and, for God's sake, look for the VeriSign logo!
nbecker, I like that idea, my bank uses it and it seems like it helps. Only thing is there's only so many pictures to choose from; this helps their servers not have to store a bunch of pictures. I think we need to take it a step further and have custom-made pictures, even if it's a few squiggles, I know if I made it or not.
A similar technique:
If your email is somebody@gmail.com, you will also receive email addressed to somebody+paypal@gmail.com, somebody+yourbank@gmail.com, or somebody+whatever@gmail.com.
First, you can set up filters to flag emails that show up with your "+yourbank" suffix, and have more confidence that it's legit since you only give that email address to your bank.
Second, if you start getting a lot of spam at somebody+blockbuster@gmail.com or somebody+facebook@gmail.com, for example, then you have a good idea where spammers got your email address.
Some forms won't think this is a valid address when you sign up for things, but I always try it first, and it does work the majority of the time. It definitely works with Gmail, but try it with your email provider first to ensure that it works for you before you hand it out.
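The plus-address filtering described in the comment above, as an added example that is not code from the article or any commenter: it splits the `+tag` out of the recipient address, looks the tag up in a constructed table of which service was given which tag, and flags any message where the sender's domain is not that service (either a phish impersonating the service, or a tag that has leaked). The tag/domain table, sample headers and `yourbank.example` domain are all constructed for the demo.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the tag handed to each service and the only
# sender domain that should ever use it. Fill in whatever you gave out.
TAG_OWNER = {
    "paypal": "paypal.com",
    "facebook": "facebook.com",
    "yourbank": "yourbank.example",   # placeholder domain
}

SUBADDRESS = re.compile(r"^([^+@]+)\+([^@]+)@([^@]+)$")

def split_tag(address):
    """'somebody+paypal@gmail.com' -> ('paypal', 'somebody@gmail.com'); tag is None if absent."""
    m = SUBADDRESS.match(address)
    if not m:
        return None, address
    user, tag, domain = m.groups()
    return tag.lower(), f"{user}@{domain}"

def sender_domain(header):
    """Domain part of the address in a From: header, lower-cased."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def classify(msg):
    """Verdict for one message given as {'from': ..., 'to': ...}."""
    tag, _ = split_tag(parseaddr(msg["to"])[1])
    if tag is None:
        return ("untagged", "")            # everyday address: no expectation to check
    owner = TAG_OWNER.get(tag)
    sender = sender_domain(msg["from"])
    if owner and (sender == owner or sender.endswith("." + owner)):
        return ("expected", tag)           # the one sender this tag was given to
    # Anything else: a phish spoofing the service, or the tag has leaked to spammers.
    return ("mismatch", f"{tag} address, sent by {sender}")

# Constructed sample headers (not real messages).
SAMPLE = [
    {"from": "PayPal <service@paypal.com>", "to": "somebody+paypal@gmail.com"},
    {"from": "PayPal <security@paypal-verify.example>", "to": "somebody+paypal@gmail.com"},
    {"from": "deals@cheap-pills.example", "to": "somebody+facebook@gmail.com"},
    {"from": "friend@example.org", "to": "somebody@gmail.com"},
]

def triage(messages=SAMPLE):
    return [classify(m) for m in messages]

if __name__ == "__main__":
    for m, verdict in zip(SAMPLE, triage()):
        print(f"{m['to']:32} {verdict[0]:9} {verdict[1]}")
```

The second sample is the phish case from the comment (right tag, wrong sender) and the third is the leak case (a tag only Facebook was given, now used by a spammer).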
What I have not seen mentioned here (nor in the SciAm article) is the method that I consider as one of the most effective countermeasures against phishing.
It's very simple. It is based on the fact that the phishing site does not have a database that contains valid user names and the corresponding passwords.
When you log in on ANY web-site (be it your local newspaper or your bank account or anything in between), fill in your valid user name succeeded by the WRONG password (I usually type just a few random characters).
If you are on a legitimate site, the site will respond with the notion that your password is incorrect. If you are on a phishing site, there will be no error message, as the phishing website doesn't know any better than that you did fill in your password. Very effective.
Of course it is not 100% robust; some phishing websites will capture your input, then report that your input was in error and then guide you to the real web site. In this case you still would be protected, because they never got your correct password, only the fake one you entered first.
Some phishing web-sites however, will always report an error and then let you try again (still on the phishing site). This is rare with today's phishing sites, but not impossible. You could counter this two ways: 1) Fill in false passwords twice, which will work for phishing sites that give a false password notification only once, or 2) Fill in the correct password the second time (as you would do on a legitimate site). If 2) still results in an error even when you filled in the correct password, you are on a phishing site. Immediately go to the legitimate site by typing in the correct URL directly from your browser (not by clicking on the link from the email) and change your password. The phishers most likely won't be fast enough to beat you to that.
In this regard, I can recommend you the VeriSign keyfob that PayPal uses when you log in (No, I do not work for them). It is very effective. It is a fob that shows a 6-digit number when you press the button; this number is different every 30 seconds according to a secret algorithm. The algorithm is unique for each fob issued; the particular one that belongs to your account is only known to PayPal.
When you log in to PayPal, you need to extend this 6-digit number to your password. In other words, your password automatically changes every 30 seconds, which makes the password useless for a phisher after 30 seconds. VERY effective. I wish all web services would start using this technique.
Problem with this stuff is the false alarm rate!
Firefox together with Adblock Plus already contains what is considered state-of-the-art scam detection. But it creates a lot of false alarms and continues to do so even after you tell it a site is not a scam.
So, lots of room for improvement here.
nbecker, I don't see how we can expect increased security based on having selected an image. What's to stop the hackers/phishers/whatever from luring us to their copycat site, collecting our username, passing that to the real site, collecting our "security" image from there, passing that to us and then collecting the password we so trustingly provide?