Tackling Phishing
by Rebecca Wetzel
Published February 2005; Posted July 2005

Abstract:

“Technology is,” as security expert Chuck Wade of Interisle Group said, “the rising tide that lifts all ships—including pirate ships,” and in this case phishing boats. Phishing is here to stay.

This 21st century fraud combines deception (aka social engineering), impersonation, and automation to steal authentication credentials such as passwords and account numbers from individuals over the Internet, and uses this information for ill gain. You’ve doubtless seen emails purporting to be from a credit card company or bank, which actually are ploys to steal account information. Initially these emails were easy to spot because they contained typos and other telltale signs, but now even savvy users can be duped, and fraudsters are expanding beyond email to pounce via the Web, instant messaging, chat rooms, interactive games and malware such as keyboard logging programs that capture passwords entered into legitimate sites. Although fending off phishing is a challenge, countermeasures are available, with more on the way.

Phishing costs victims and financial institutions money and time. Victims must correct credit records and repair other phishing-related damage, while financial institutions must absorb customer losses, as well as costs from issuing new credit cards, answering calls and shutting down fraudulent websites.

For financial institutions, of even graver concern than direct costs is the erosion of trust in online communications and transactions. Suspicion of legitimate online interactions between customers and their financial institutions is driving consumers from online banking to more expensive and labor-intensive channels such as telephone call centers or “bricks and mortar” branch offices.

Estimated losses due to phishing vary. Gartner puts total U.S. phishing-related losses during 2003 at some $1.2 billion, whereas a study by the Ponemon Institute estimates total consumer losses as of September 2004 at $500 million per year, and a study by Financial Insights expects 2004 losses to tally as high as $400 million.

The fact that the phishing attack life cycle consists of many phases, each encompassing a diverse and changeable set of activities, makes phishing a kaleidoscopic problem for which no single solution can suffice. Multiple solutions are called for, and the earlier in the life cycle an attack can be countered, the better the outcome for targeted victims and financial institutions.

It is good news, therefore, that a flurry of entrepreneurial activity is currently focused on developing a broad spectrum of nostrums to apply to the phishing problem early in the attack life cycle. Among the technologies promising some immediate relief are:

- Better mutual authentication
- Spam filtering
- Detecting infringed domain names
- Alerting consumers when they are being directed to fake websites

Phishing is destined to become a never-ending cat-and-mouse game, in which today’s solutions may not work as well tomorrow. Solution providers and financial institutions must pedal hard to keep up. Because so much is at stake, counter-phishing will continue to attract money and innovation, and vendors will increasingly be called upon to offer integrated solutions that address multiple facets of this complex problem.

About the author:

Rebecca Wetzel is an Internet industry analyst, consultant and writer. She is president of Wetzel Consulting LLC, and an associate with NetForecast, an Internet technology and market analysis firm, as well as technology consulting firm Interisle Group.

This article is reproduced by special arrangement with our partner, Business Communications Review.
