

Phishing is the name given to a type of Internet-based identity fraud. Criminals are targeting both consumers and businesses to trick them into giving out confidential bank details. A surge in phishing in the first half of 2006 produced a sharp increase in the amount of money being lost to online banking fraud. UK banks reported a worrying 55% increase in losses from fraudulent online transactions for the first half of 2006 compared to the same period in 2005. The losses were up from £14m to £22.5m, according to APACS, the UK trade association for payments and payment services.*
The phishing scam involves the criminal sending out an email to thousands, or sometimes hundreds of thousands, of users effectively asking them to give him their bank details. A handful of users fill in the criminal's form, which is carefully constructed to look like the bank's own website. The criminal then uses the information he's captured to empty the victim's bank accounts.
In this article, we're going to look at how the scam works and how to avoid becoming a victim.
How phishing works
Nearly all Internet users will have seen a phishing scam at some point; there were more than 3,600 separate scams in October** alone. Most of these scams were targeted at users of online banking; occasionally, however, a scam is seen trying to capture other information, such as a user's eBay® or PayPal® credentials.
The phishing scam has three main steps:
- Set up a fake website or a way of collecting the necessary information;
- Send lots of emails asking people to connect to the fake site;
- Steal the money.
Let's say the criminal decides to attack customers of an online bank. The criminal needs to set up a website that looks as much like the bank's as possible. If the fake website looks convincing enough, more people will hand over their details.
Stealing the graphics from the real site is an easy way to start; the criminal can also link from his fake website back to the bank's to give the impression of a complete and fully functional site. For some users, this will be enough to convince them the site belongs to their bank. Research shows that around 20%*** of users judge the legitimacy of a site solely on the content displayed in the main window of the browser.
The criminal will use other techniques to try to mislead the remaining 80% of users, who use more advanced methods to determine the authenticity of the website they are connecting to. The additional effort on the part of the criminal is likely to pay off, though. While more advanced users may check the URL and the padlock that appears at the bottom of the screen, many have still been fooled by more subtle differences. The difference between the real URL 'www.bankofthewest.com' and the fake URL 'www.bankofthevvest.com' fooled 90%*** of users tested.
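The 'bankofthevvest' trick above is easy for people to miss but easy for software to catch. The following is an added example (not code from the original article or from any product it mentions) of a small look-alike hostname check of the kind a mail filter or browser toolbar could run: it canonicalises confusable character sequences, flags protected brand names embedded in a longer hostname, and falls back to edit distance. The protected domain list and the confusable pairs are constructed assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed list of hostnames to protect; bankofthewest.com is the article's example.
PROTECTED = {"www.bankofthewest.com", "www.paypal.com", "www.ebay.com"}

# Visually confusable sequences (assumed for the example) that phishers swap
# into a hostname so it reads like the real one at a glance.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("cl", "d")]


def canonical(host: str) -> str:
    """Collapse look-alike sequences so 'bankofthevvest' compares equal to 'bankofthewest'."""
    host = host.lower()
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: catches one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for the hostname in a URL."""
    if "://" not in url:
        url = "http://" + url
    # urlparse().hostname drops any 'user@' prefix, so a URL such as
    # http://www.bankofthewest.com@evil.example/ is judged on evil.example.
    host = (urlparse(url).hostname or "").lower()
    if host in PROTECTED:
        return "legitimate"
    if canonical(host) in {canonical(p) for p in PROTECTED}:
        return "lookalike"
    for p in PROTECTED:
        brand = p.split(".", 1)[1]            # www.paypal.com -> paypal.com
        if brand in canonical(host):          # brand buried in a longer hostname
            return "lookalike"
        if levenshtein(host, p) <= 2:         # near-miss spelling of the real host
            return "lookalike"
    return "unknown"
```

A hostname the check reports as 'unknown' is not necessarily safe; it simply does not imitate one of the protected brands, which is why such a check belongs alongside a blocklist rather than in place of one.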
Before the next stage, the criminal needs at least one server to host his fake mini websites. These mini sites are usually hosted on multiple hacked computers and are far more difficult to detect than in previous years when a phisher just had one website and users would buy and install software toolbars to block known phishing sites.
The money to be made from these scams, however, drives innovation within the criminal fraternity. A variation on the technique, dubbed Rockphishing, uses a network of hacked PCs; the URL in the phishing emails is then regularly changed to point to the next PC.
The hacked PCs, usually just home computers on the end of DSL connections, are configured by the criminal to route the user's information back to the central phishing website. This more advanced technique makes it far harder for the website to be blocked effectively.
Spamming potential victims
Once the website has been configured, the attacker needs to send out the bait. This usually takes the form of an email, although there have been scams reported involving telephone calls. The email needs to look convincing; it will need a plausible sounding reason for getting any of the bank's customers to put their details onto the website and it will need to be sent to as many people as possible for the maximum return on investment for the criminal.
Sending bulk emails is something these criminals are well practised at. However, phishing runs are often smaller than regular spam runs and stay below the radar of traditional anti-spam solutions. Many anti-spam solutions are not particularly effective at blocking phishing emails.
Money laundering
From time to time you may see an advert in your email or on Internet job websites offering "easy money". Some of these adverts are actually placed by criminals recruiting gullible, needy or simply unscrupulous people (mules) to help them launder the proceeds from the phishing scam.
Here's a typical advert from a fraudster trying to recruit mules:
"All you need is internet, you have to be adult and you will need to have your bank account in order for us to pay you money. This job can be called "bank agent-courrier". If interested and want to see more information, you are welcome to visit our webpage at: http://www.xxx.com
You don't need to have any experience or any education in order to work with us. Here are all the requirements:
- You are adult.
- You need to be available between 9 am - 1 pm on your phone.
- You need to have a bank account so we can pay you.
Go to xxx.com simply click on "Register" and make registration on our website. Please consider this offer as a serious business, and you are willing to work with us. Job is very easy, so please be serious about it. We guarantee high payouts for you."
The victim's money will be transferred electronically to the mule's account. The mule will then launder it by withdrawing it as cash, minus commission, and transferring it out of the country. The transfer is usually done using an international money transfer agency. The final destination of the money is then extremely difficult to trace, although the mule isn't, as he will have to have a live bank account in order to receive the money.
Getting off the hook
Software that blocks known phishing websites' URLs is becoming more widely available and increasingly bundled with toolbars you can download. However, as criminals try to work around these URL-blocking filters, it is advisable to look at adding another layer of security.
Filtering out the criminals' invitations to visit their website is another effective means of protecting yourself. THUS is the first UK service provider to announce a free anti-phishing service, available with many of its Internet access products. Users of entry-level and mid-range Demon dial-up and broadband packages will no longer receive the invitation to visit the phishing site in the first place, with the added bonus that they no longer waste time reviewing and deleting phishing emails.
Both businesses and consumers need to be aware of the threats posed by phishing and the potential outcome, in terms of time and money, of falling prey to these criminals if proper steps are not taken to protect themselves.
* Source: http://www.apacs.org.uk/media_centre/press/06_07_11.html
** Source: http://www.phishtank.com/stats.php
*** Source: Why Phishing Works, http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf