In the next of his weekly series for Cambridge Network members, BS7799 and IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at phishing and pharming.
The Problem
The APWG (‘Anti-Phishing Working Group’) provides the following definitions of these two criminal activities: ‘Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.’
It’s an overly technical definition, but it’s saying that any e-mails from a financial institution that ask you to input any security details into a website anywhere for any reason whatsoever are a BAD IDEA. Between 75 million and 150 million of these e-mails are sent every day.
The Risks
The latest monthly statistics (to end March 2005) show the scale of the problem:
Number of active phishing sites reported in March: 2,870
Average monthly growth rate in phishing sites: 28%
Number of brands hijacked by phishers in March: 78
Spammers, who become increasingly sophisticated at bypassing e-mail perimeter defences, work with phishers to get their requests – and their pharming ‘crimeware’ in front of more and more people and onto more and more computers. Up to 5% of the recipients of phishing e-mails respond, and 19% have clicked on the link in such an e-mail.
And as the spammers, phishers and pharmers all work from beyond Britain’s borders (Most in the US, but also Eastern Europe, Russia and Asia), UK Hi-Tech crime units can’t do much about them.
The Impacts
Individual financial loss through identify theft – which is what phishing and pharming really is – is not nearly as painful as the long, drawn-out process of re-establishing your credit rating with the credit rating agencies. Most people find out that they’ve been the victim of identify theft only after a number of credit cards have gone over-limit and their bank account may also suddenly have gone overdrawn. Yes, the bank and credit card companies may be prepared to make good your losses, but only you can sort out the mess that your credit file will have become.
What do we do about it?
The APWG provides detailed advice (http://www.antiphishing.org/consumer_recs.html) on how to avoid becoming the victim of an attack. The basic advice is: NEVER respond to any e-mail that asks you to provide personal or financial information, however important or worrying it looks. If you feel you have to respond, phone your bank first and ask them what’s going on!
Anything else?
Sign up for an online credit report service – companies like Experian provide an alert service so that you get quick notification if something unusual turns up on your record, which means that you might be able to limit the damage.
Next week: Security procedures
Alan Calder’s company provides businesses with consultancy support and advice on governance and information security. Visit www.itgovernance.co.uk/page.service for services, books and tools, e-mail alan@itgovernance.co.uk or telephone + 44 845 070 1750