|Like everyone else, I find spam annoying, but I also acknowledge that unwanted sales pitches of one kind or another are ubiquitous: I also find billboards, and commercials, and telephone solicitors, and every other kind of time-wasting unsought sales promotion annoying. This is primarily an education problem: Once customers all realize that it makes more sense for them to initiate commercial transactions, starting with research, and realize that they have the power and knowledge to do so to their own advantage, unsolicited sellers of all kinds will have to give up.
Phishing, by contrast, is not annoying, it’s dangerous. It’s not overzealous promotion, it’s crime: fraud and theft. It is also, currently, harder to filter, and becoming more sophisticated. The consequences of allowing your credit information to be stolen by a phisher can be catastrophic — huge financial losses, loss of credit, legal expenses, harassment by collection agencies for the phisher’s debts, the major time commitment required to cancel and re-establish stolen credit lines, wholesale changeover of e-mail addresses and telephone numbers etc. Victims not infrequently end up being charged with criminal acts and even declaring bankruptcy.
Just in case there’s anyone who doesn’t know what phishing is, in its simplest form it is impersonating (called ‘spoofing’) — usually via e-mail — a company you deal with commercially (banks, credit card companies, Amazon, eBay, PayPal, VeriSign and Symantec are favourite targets), and fraudulently enticing you to go to the phisher’s site and enter personal financial information which the phisher then uses to enter into financial transactions for his own benefit, charged to your account. There are several more sophisticated varieties of phishing as well. Sixty percent of phishing is attributed to criminal organizations in the US and China.
With enough familiarity, e-mail users learn that reputable financial and business organizations never solicit such information via e-mail, and delete or even report phishing messages to criminal authorities. But it’s harder and takes longer than deleting spam, for which filters at least can be set up. And for occasional or new users of e-mail these messages, which often threaten cancellation of credit or other penalties if you do not volunteer this personal financial information, can be frightening and intimidating. On the one hand they’re told that supplying your credit card information online to known vendors is common, safe and secure, and on the other they’re told not to divulge any information requested by e-mail even if it appears to come from these same known vendors. If the digital divide weren’t wide enough already, an experience with phishers is enough to make timid newbies throw in the towel entirely on e-mail and e-commerce.
The Anti-Phishing Working Group, which is supported by the most popular impersonation targets, is using 14 different methods to combat the crime. The one that seems to offer the most promise is called e-mail authentication, and involves using methods to verify that the organization sending you an e-mail is indeed who they say they are. These are still in the early stages of development, and not yet ready to deploy to the public.
You should of course never click on the links of phishing sites, even out of curiosity — sometimes just visiting these sites can infect your machine with spyware and other malware. Traditional wisdom when dealing with phishers is to report them by forwarding (as an attachment) the phishing e-mail to anti-phishing authorities, though I confess I get so many phishing messages now this would take up most of my day. If you inadvertently provided credit card, debit card or bank account data to a phisher, you should immediately cancel the credit card or notify your bank about the compromised debit card or account. Microsoft offers some additional steps you can take to reduce the risk and consequences of phishing.
There are some anti-phishing tools out there: Netcraft (be sure to read the tutorial on how to recognize a phishing site using this tool), EarthLink and SpoofStick. If anyone has used any of these (or other) anti-phishing tools and has comments on their value, I’d like to hear from you.
December 21, 2005
Sorry, the comment form is closed at this time.