Open season for phishing as attacks soar

The quantity and quality of phishing attacks grew at an alarming rate in April, according to the Anti-Phishing Working Group.

Phishing is an Internet scam where official-looking e-mails attempt to fool users into disclosing online passwords, user names and other personal information. Victims are usually persuaded to click on a link in an email that directs them to a doctored version of an organisation's Web site.

It is estimated that up to 5 percent of phishing e-mails persuade users to perform an action, such as clicking on a link, that could result in credit card fraud, identity theft or some other financial loss.

On Monday, the Anti-Phishing Working Group, which was formed last year to share information about phishing attacks targeting the financial sector, published its Phishing Attack Trends Report for April 2004 and revealed that attacks had increased by 180 percent since March and 4,000 percent since December, with an average monthly increase of 75 percent.

Dave Jevans, chairman of the Anti-Phishing Working Group, said that hackers, identity thieves and virus writers were collaborating to produce ever more sophisticated attacks. Jevans said that in April his organisation discovered a new attack that is able to modify a browser's address bar to display an incorrect Web site address. This makes it more likely that even sophisticated users could be fooled into interacting with a fraudulent Web site.

"These attacks are increasing and becoming much more sophisticated -- to the point of being literally indistinguishable from legitimate e-mail, even for technically savvy recipients," said Jevans.

James Kay, technical director at e-mail-security firm Blackspider, said that phishing is fundamentally a spam problem so it can be addressed by analysing the contents of incoming messages and recognising certain patterns and peculiarities.

"When the filtering technology sees a Web address where the displayed link is completely different to the actual link, it is an indicator. These types of behaviours can be coded into standard spam-detection tools," said Kay.

Kay said that he expects the volume of phishing attacks to continue growing. Until recently, he said, the majority of phishing attacks were attempts to obtain account details for e-commerce sites but now the focus has shifted to financial institutions. This was illustrated by the Anti-Phishing Working Group's report, which found that eBay has been superseded by Citibank as the company targeted most often by phishing scams.

"Ordering a bunch of books from Amazon is good but getting a load of money deposited into your Bulgarian bank account is far more interesting," Kay said.


Talkback 1 comments

    In the last month I have been ...Anonymous -- 27/05/04

    In the last month I have been a keen admirer of Phishing scams and how people have suggested it be stopped.

    Quietly I have a fair amount of anger building up on the ridiculous notions that have been offered to eliminate this crazy phenomenon.

    One suggested that it was an issue with email clients and Web Browsers on how they deceptively display content of these Phishing scams to the user - so the programmers of these applications are ultimately responsible. Another suggested that it was a Web content filtering problem where ISPs and companies that supply http access - so ISPs were ultimately responsible for web content. And now the suggestion is with the content within the email that should be filtered by ISPs and email providers - so now it's becoming a 'SPAM' problem.

    Take for granted that scams and fraud will always be around, take for granted that people's access to these scams electronically or via traditional means will always be available, what then is the solution?

    It's the concern of the organisations that offer a secure service to financial services that need to enforce an appropriate means of security. Identity management, authentication and authorisation is the answer.

    If the banks were to invest a small percentage of their profits in something that minimises that risk, content filtering no longer becomes an issue.
