The Phishing Menace

Like everyone else, I find spam annoying, but I also acknowledge that unwanted sales pitches of one kind or another are ubiquitous: I also find billboards, and commercials, and telephone solicitors, and every other kind of time-wasting unsought sales promotion annoying. This is primarily an education problem: Once customers all realize that it makes more sense for them to initiate commercial transactions, starting with research, and realize that they have the power and knowledge to do so to their own advantage, unsolicited sellers of all kinds will have to give up.

Phishing, by contrast, is not annoying, it’s dangerous. It’s not overzealous promotion, it’s crime: fraud and theft. It is also, currently, harder to filter, and becoming more sophisticated. The consequences of allowing your credit information to be stolen by a phisher can be catastrophic — huge financial losses, loss of credit, legal expenses, harassment by collection agencies for the phisher’s debts, the major time commitment required to cancel and re-establish stolen credit lines, wholesale changeover of e-mail addresses and telephone numbers etc. Victims not infrequently end up being charged with criminal acts and even declaring bankruptcy.

Just in case there’s anyone who doesn’t know what phishing is, in its simplest form it is impersonating (called ‘spoofing’) — usually via e-mail — a company you deal with commercially (banks, credit card companies, Amazon, eBay, PayPal, VeriSign and Symantec are favourite targets), and fraudulently enticing you to go to the phisher’s site and enter personal financial information which the phisher then uses to enter into financial transactions for his own benefit, charged to your account. There are several more sophisticated varieties of phishing as well. Sixty percent of phishing is attributed to criminal organizations in the US and China.

With enough familiarity, e-mail users learn that reputable financial and business organizations never solicit such information via e-mail, and delete or even report phishing messages to criminal authorities. But it’s harder and takes longer than deleting spam, for which filters at least can be set up. And for occasional or new users of e-mail, these messages, which often threaten cancellation of credit or other penalties if you do not volunteer this personal financial information, can be frightening and intimidating. On the one hand they’re told that supplying credit card information online to known vendors is common, safe and secure, and on the other they’re told not to divulge any information requested by e-mail even if it appears to come from those same known vendors. If the digital divide weren’t wide enough already, an experience with phishers is enough to make timid newbies throw in the towel entirely on e-mail and e-commerce.

The Anti-Phishing Working Group, which is supported by the most popular impersonation targets, is using 14 different methods to combat the crime. The one that seems to offer the most promise is called e-mail authentication, and involves using methods to verify that the organization sending you an e-mail is indeed who they say they are. These are still in the early stages of development, and not yet ready to deploy to the public.

You should of course never click on the links of phishing sites, even out of curiosity — sometimes just visiting these sites can infect your machine with spyware and other malware. Traditional wisdom when dealing with phishers is to report them by forwarding (as an attachment) the phishing e-mail to anti-phishing authorities, though I confess I get so many phishing messages now this would take up most of my day. If you inadvertently provided credit card, debit card or bank account data to a phisher, you should immediately cancel the credit card or notify your bank about the compromised debit card or account. Microsoft offers some additional steps you can take to reduce the risk and consequences of phishing.

There are some anti-phishing tools out there: Netcraft (be sure to read the tutorial on how to recognize a phishing site using this tool), EarthLink and SpoofStick. If anyone has used any of these (or other) anti-phishing tools and has comments on their value, I’d like to hear from you.

This entry was posted in Using Weblogs and Technology.

3 Responses to The Phishing Menace

  1. preston says:

    What I used to do was have two separate e-mail addresses: one for registering for websites, and one for communication with friends and family. I noticed that this really worked, as the spam and phishing e-mails were all sent to the registering e-mail address, and my actual e-mail address was unaffected.

  2. Malicious email is a huge problem, and there are lots of tools to prevent it and manage it. They include Bayesian learning filters (Spamassassin), which learn what your legitimate email looks like, and what illegitimate email looks like, and scores each message on a ‘spamminess’ scale; Sender Policy Framework (SPF), the authentication method you mentioned in your post; greylisting which slows down the receipt of email from new senders allowing the realtime blacklists to catch up; sub-email addresses, which allow you to create a unique address for each website or correspondent you have (user-salon@example.com and user-slate@example.com both get sent to user@example.com so you know if they sold your email address); whitelisting; blacklisting; and more. But, that’s a lot of bits of software to set up and maintain if you’re running your own mail server. So, if you’re running a Linux variant, we’re distributing a free-for-non-commercial-use email server called vPostmaster which is easy to set up and install. You can download it from http://www.vpostmaster.com The documentation discusses all of the techniques for email filtering in quite a bit of detail.
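An added illustration, not code from the post, either commenter, or vPostmaster: a minimal evaluator for Sender Policy Framework (SPF), the e-mail authentication method the post refers to and the comment above names. The domains, addresses and TXT records are constructed stand-ins held in memory instead of DNS, and only the ip4/ip6/include/all mechanisms are modelled.

```python
import ipaddress

# Constructed in-memory TXT records standing in for DNS; nothing is queried.
# All names below are documentation/example addresses, not real senders.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example.org": "",  # domain that publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns pass/fail/softfail/neutral/none/permerror, the results a
    receiving mail server bases its accept/quarantine/reject decision on.
    """
    if depth > 10:  # RFC 7208 bounds include/redirect recursion
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no policy published: the sender cannot be verified
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass) on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv6 sender never matches an ip4 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the referenced policy itself passes
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a/mx/exists/redirect are not modelled here
    return "neutral"  # record ended without an "all" term


def spoof_check(claimed_domain, sender_ip):
    """Receiver-side decision for mail whose envelope claims claimed_domain."""
    result = check_spf(claimed_domain, sender_ip)
    action = {"pass": "accept", "fail": "reject", "softfail": "quarantine"}
    return result, action.get(result, "accept-and-flag")
```

A phishing message that spoofs example.com from an address outside its published ranges evaluates to fail and is rejected, which is the protection the post describes; a domain that publishes no record yields none and gains nothing from SPF.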

  3. Just what I have been looking for. Good resource.
