High reward for minimal effort fuels expansion of sophisticated ‘phishing’
Published on 17 Jul 2007
[Johannesburg, 17 July 2007] – Phishing attacks are being carried out with increasing sophistication and frequency because the rewards are great for comparatively little effort.
This trend will continue, unless awareness levels on how to combat electronic scamming are raised significantly.
“Education is key to beating the phishing menace, bearing in mind that already, a Russian scam syndicate has released phishing toolkits for sale on the Web so would-be scammers don’t even need to possess the know-how,” says Mike Wright, CEO of international electronic secure e-mail and messaging specialist Striata.
“Most of the phishing scams now directed at South Africa have been coming from the ranks of the old 419 letter scammers, operating mostly out of Nigeria, Ghana and other West African countries. They’re now going the phishing route because most people are wise to the 419 scam, thanks to a general raised awareness.
“People need to be educated about phishing scams. As soon as education and awareness levels are raised, phishing scam success levels will decline sharply.”
Wright points out that a Google search on phishing will bring up about 18 400 references on the Internet, whereas the 419 scam will produce more than 208 000 references. “So much information was made available on the 419 scam that people soon got wise to it. We need that same educational process to take place as quickly as possible with phishing.”
Gartner research shows some disturbing trends, according to Wright. It estimates that 3.5 million Americans gave personal information to phishers in 2006 – almost a 100% increase on 2005 – and financial losses from phishing totalled US$2.8 billion (more than R20 billion). The average loss per scam was about R9 000, and only half of the people scammed get their money back.
“Against statistics like this, the educational aspect has to be supported by ongoing work on e-mail origin authentication methods, which are a primary defence against phishing, and other measures, such as asking ISPs to filter out any e-mail purporting to come from local banks, when it actually originates from outside South Africa.”
Banks are already implementing SPF (Sender Policy Framework), which combats forgery of the “from” address by requiring domain owners to publish the mail servers permitted to send for their domain as an SPF record in DNS (the domain name system). A receiving e-mail server can then check whether a message comes from a server authorised to send e-mail for that specific domain and, if it does not, discard it.
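As an added illustration of the check described above (example code, not from the original article or from Striata), a minimal SPF evaluator in Python run against a constructed record for a hypothetical bank domain: it handles the ip4, ip6 and all mechanisms with their qualifiers and leaves out include, a, mx and redirect, which require live DNS lookups; the record, addresses and function name are all assumptions.

```python
import ipaddress

# Constructed SPF record for a hypothetical bank domain (documentation IP ranges, not a real record).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"

# Qualifier prefix -> SPF result; a mechanism with no prefix defaults to "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF TXT record against the
    connecting server's IP. Returns pass, fail, softfail, neutral, none or permerror.

    A receiving server would fetch `record` from the TXT records of the domain
    in the envelope sender and call this with the SMTP client's address.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # 'all' matches everything; its qualifier decides the result for
            # any sender not matched earlier (the "-all" in the record above
            # is what lets a receiver reject a forged bank address).
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/redirect are skipped: they need DNS lookups.
    return "neutral"  # nothing matched and the record has no 'all' term
```

A message claiming to be from the bank but arriving from an address outside the published ranges evaluates to fail and can be discarded, which is the behaviour the paragraph describes.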
“The digital signature on all outbound e-mail is another method which enables the recipient to actively check the authenticity of the source of any e-mail, simply by clicking on the red rosette in the mail. Into the future, the widespread implementation of DKIM (DomainKeys Identified Mail) will further assure the security and authenticity of the originator.
“But the critical platform for all these combative measures remains education of consumers on phishing.” Wright also urges people who receive suspicious e-mails to contact their bank’s call center to report it, and to also forward the suspect e-mail to firstname.lastname@example.org, where it can be evaluated. “Being able to see what is being sent randomly to intended victims out there helps us to further the anti-phishing education process and refine methods of prevention.”