The computer industry loves making up clever words to describe technology developments that usually obscure the meaning of something and ‘phishing’ is a good example.
A better term might be simply ‘email fishing’ or ‘baited email’, which would make its meaning more readily accessible, because that is what phishing is: the practice of sending emails designed to hook you.
In all cases the purpose of the messages is to fool the recipient into entering personal details, usually their address, date of birth and financial account information, which are then used by online criminals to steal funds from the person’s bank account or to apply for other services using the person’s stolen identity details.
Often these emails pretend to be messages that you should not ignore, from a bank, tax office, online service or a delivery company such as Federal Express. Sometimes they may even pose as an online dating agency or, in the case of the Nigerian 419 gang emails, claim that you could profit from a large fortune…
The emails variously inform the recipient that they have a package, that a service such as PayPal wishes to make changes to their account, that they must supply some information to the tax office, that an attempt has been made to compromise an online account or that there is a need to update bank details.
The messages contain a link that you are asked to click on so that you can sort the issue out. If you do click on the link you are taken to a website that is often a faithful copy of the service you would expect to see if the message were genuine.
A secondary term, ‘whaling’ or ‘spear-phishing’, has also come into existence since 2007; it describes the targeting of a high-value individual who may be either wealthy themselves or hold a senior position in an organisation such as a financial institution or company.
The criminals do their homework on these individuals, finding out the names of friends and family and their personal interests, and then send them emails that either pretend to be from someone they know or relate to one of their interests. When the email is opened it will normally seek to install a keylogger on the victim’s machine. This is intended to steal passwords for bank accounts, or remote access details for a company network.
As has been mentioned, in both cases the purpose of the exercise is to steal personal information and passwords as these often will provide access to a range of services and accounts controlled by an individual and can also be used as a means to approach other individuals by masquerading as a friend, work colleague or acquaintance and gain their trust.
It is a trend that once again shows how cyber criminals are consistently ahead of business in recognising technology trends. Having been the first to discover how to make money from the web, they have quickly demonstrated a greater awareness of the value of information and are now moving onto the next technology trend, exploiting the value of identity.
As is the case with leading technologists, the criminals have realised that the basis of all internet communications is trust – and that identity is the key to establishing that trust.
For this reason phishing represents a tangential threat to SMEs as it can be the means by which personal passwords are stolen. These can then in turn give access to work accounts if the firm has a lax password policy and can also allow criminals to build the basics of an identity. This can then be used to steal other details from office staff as part of a practice known as ‘social engineering’.
In social engineering a person will ring an office pretending to be a friend or an acquaintance, and quote personal information about a person they are trying to find details on. The personal information is given in order to build trust from the person they are talking to; once trust is established the caller can glean the extra information they are looking for.
The exact losses as a result of phishing are difficult to gauge because of under-reporting but according to the UK banking body the Payments Council the amount the country loses from web banking fraud—mostly from phishing—almost doubled to GB£23.2m in 2005, from £12.2m in 2004, while 1 in 20 computer users claimed to have lost out to phishing in 2005.
The stance adopted by the Payments Council is that ‘customers must also take sensible precautions … so that they are not vulnerable to the criminal’.
This is one of the best reasons for not responding to unsolicited email.
Phishing – how not to be caught out
1. Many of those who fall victim to phishing do not like to report it because they feel foolish and gullible. Phishing is indeed ridiculously easy to avoid. If you are worried, simply take control: search online for the name of the organisation that has contacted you and ring them.
2. When you open an account, or decide to use an online service, check with your bank whether they send out unsolicited emails and, if they do, what verification methods they use.
3. Do not click on a link in an unsolicited email that says it will take you to a site. If you want to go to the website, use a search engine to find it. Then make a note of the web address for future reference.
4. Always, always check the web address or URL at the top of the web page
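As an added illustration of point 4 (example code, not part of the original article): a short Python check that isolates the host from a link’s address and compares it with the organisation’s genuine domain. The domain examplebank.co.uk and the sample links are constructed for this example; the check is meant to show why the part of the address before the first ‘/’ is what matters, not to replace the advice above.

```python
from urllib.parse import urlsplit

# Assumed, for illustration only: the genuine organisation uses this domain.
EXPECTED_DOMAIN = "examplebank.co.uk"


def host_of(url):
    """Return the server name a link actually points at, lower-cased.

    The host sits between the scheme's "//" and the next "/"; the path and
    query after it are controlled by whoever owns that host, and a "user@"
    prefix or a ":port" does not change which server is contacted.
    """
    if "://" not in url:
        url = "http://" + url          # bare addresses as they appear in emails
    return (urlsplit(url).hostname or "").rstrip(".")


def belongs_to(host, expected):
    """True only if host IS the expected domain or a subdomain of it.

    "login.examplebank.co.uk" passes; "examplebank.co.uk.example-secure.net"
    fails, because the genuine name is merely a prefix of the host, and the
    real owner is whoever registered "example-secure.net".
    """
    return host == expected or host.endswith("." + expected)


def assess_link(url, expected=EXPECTED_DOMAIN):
    """Return (host, reasons); an empty reasons list means nothing stood out."""
    host = host_of(url)
    reasons = []
    if not belongs_to(host, expected):
        reasons.append("host is not " + expected)
    if not host.isascii():
        reasons.append("non-ASCII characters in host (possible look-alike)")
    if "@" in urlsplit(url if "://" in url else "http://" + url).netloc:
        reasons.append("text before '@' is not the host")
    return host, reasons


# Constructed sample links of the kind an unsolicited email might carry.
SAMPLE_LINKS = [
    "https://login.examplebank.co.uk/secure",
    "https://examplebank.co.uk.example-secure.net/login",
    "http://examplebank.co.uk@203.0.113.5/update",
    "https://examplebank.co.uk:443/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", assess_link(link))
```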