Going After Phishers


Summary: You've no doubt been the target of phishing scams--those e-mails that claim there's some kind of problem with one of your accounts somewhere. When you click through to a legitimate-looking Web site, you're asked for personal information that can then be used by the phishers for various nefarious purposes.


You've no doubt been the target of phishing scams--those e-mails that claim there's some kind of problem with one of your accounts somewhere. When you click through to a legitimate-looking Web site, you're asked for personal information that can then be used by the phishers for various nefarious purposes. There's been plenty of information written to help protect consumers against these attacks, but not much help for companies whose customers are being duped. When your customers are the target of a phishing expedition, your brand suffers and your help desk will be inundated with calls from confused customers.

You may not think you've got a problem; after all, most phishing scams target bank customers. Banks, however, are getting a handle on this problem, and as they do, phishers will move down the food chain. If you've got a sizable group of online customers, you should plan on getting hit sooner or later.

So, what do you do? The latest Alarmed column in CIO Magazine gives some concrete advice to businesses, based on information from Dave Jevans, the chairman of the Anti-Phishing Working Group. In short, the advice is to proactively go after the sites and get their ISPs to shut them down. The typical phishing site stays up for one to three weeks, so anything you can do to shorten that time helps. This is messy business, but it has to be done. Don't wait until your customers are being targeted. Assign someone to make a plan now, and then be prepared to put it into action.
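The first step of "going after the sites" is working out which host actually serves the page and whom to ask for the takedown: the registrar of a lookalike domain, the abuse contact for an IP netblock, or the owner of a legitimate site that has been compromised. The triage helper below is an added example for this post, not code from CIO Magazine or the Anti-Phishing Working Group. The brand domain, brand keyword, reported URLs and the tiny stand-in for the public suffix list are all constructed for illustration.

```python
"""Triage of reported phishing URLs: find the host that really serves the
page and decide who has to be asked to take it down. Added example; the
URLs and brand names below are constructed, not from any real incident."""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the public suffix list. Real triage tooling
# should load the full list from publicsuffix.org instead of this handful.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


@dataclass
class Triage:
    host: str                   # the host the victim actually lands on
    registrable: Optional[str]  # domain to report to its registrar; None for IP literals
    ip_literal: bool
    kind: str                   # lookalike-domain | brand-in-path | ip-hosted | legitimate | unclassified
    takedown_target: str        # who to contact first


def registrable_domain(host: str) -> str:
    """eTLD+1 approximation, e.g. 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str, brand_domains: set, brand_keywords: set) -> Triage:
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname drops any userinfo, so 'http://www.brand.example@203.0.113.9/'
    # resolves to the IP literal, which is where the victim really goes.
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    try:
        ipaddress.ip_address(host)
        ip_literal = True
    except ValueError:
        ip_literal = False
    reg = None if ip_literal else registrable_domain(host)
    keywords = {k.lower() for k in brand_keywords}

    if reg in brand_domains:
        return Triage(host, reg, False, "legitimate", "none: this is the brand's own site")
    if ip_literal:
        return Triage(host, None, True, "ip-hosted",
                      f"abuse contact for the netblock holding {host} (WHOIS/RDAP)")
    if any(k in host for k in keywords):
        return Triage(host, reg, False, "lookalike-domain",
                      f"registrar of {reg}, then the hosting provider of {host}")
    if any(k in path for k in keywords):
        return Triage(host, reg, False, "brand-in-path",
                      f"owner and hosting provider of {reg} (likely a compromised site)")
    return Triage(host, reg, False, "unclassified", f"hosting provider of {host}")


BRAND_DOMAINS = {"paypal.com"}   # constructed example brand
BRAND_KEYWORDS = {"paypal"}

REPORTED_URLS = [  # constructed: the sort of links a help desk forwards
    "http://www.paypal.com.login-verify.example/webscr",
    "http://203.0.113.5/paypal/update.php",
    "http://www.smallbiz.example/images/paypal/",
    "http://www.paypal.com@203.0.113.9/",
    "https://www.paypal.com/signin",
]


def triage_batch(urls=REPORTED_URLS):
    return [triage_url(u, BRAND_DOMAINS, BRAND_KEYWORDS) for u in urls]


if __name__ == "__main__":
    for t in triage_batch():
        print(f"{t.kind:17} {t.host:40} -> {t.takedown_target}")
```

The "brand-in-path" case matters for the plan: a phishing page dropped into a directory of some unrelated company's web site is usually a compromised host, and the site owner will often act faster than a bulletproof registrar will. The "ip-hosted" case covers both bare IP links and the `user@host` trick, where the brand name before the `@` is only userinfo and the real host is whatever follows it.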

Bonus link: Where did the term phishing come from?



Talkback

2 comments
  • Security as a whole is the issue

    People get caught in phishing scams because they don't understand security. Common sense should tell you not to go to a website and type in personal information unless you can be certain you can trust the website, but most people will never read ZDNet or any other similar forum.

    It's not hard to get a person's confidential information, and a true phishing scam is not even needed. The problem is that if I call myself Jackie2452 at one place, I'll probably do the same thing at amazon.com or at eBay if it's available. I might even use the same password at every site, and many users will. So instead of a full fledged phishing scam, all a scammer need do is get you to go to ANY website where you can sign up for anything. If the site tells you to sign up for free toothpaste, or a free sample of floor wax, the question is whether you would reuse your username and password when you sign up. Once you do, that scammer can go from one site to another, trying each one once and from a different IP address, and start making purchases in your name or harvesting your credit card information in some cases.

    Users need to learn about security in general. They should know when it's safe to give a credit card number, and when it's safe to enter a password. They should know when it's safe to click on a link, and how to tell if a link is really for the site they think it's for. They should understand the basics of selecting a password and how to safeguard it.

    The real problem is getting the user's attention. When the Telecommunications Act of 1996 came out, it had many provisions. Among other things, it negated almost all laws banning TV antennas by local governments or homeowner associations. But by the time it got to the evening news, the message was, "There's PORN on the Internet!" The only way to get people to understand security is to figure out how to link it with porn. Once that's done, people will pay attention.
    wresnick
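One concrete form of the "how to tell if a link is really for the site they think it's for" check in the comment above is to compare the host a link displays with the host it actually points to. The checker below is an added example and not code from the commenter or from ZDNet; the HTML e-mail it runs over is constructed for illustration, as is the eBay-themed domain it flags.

```python
"""Flag anchors in an HTML e-mail whose visible text names one host while
the href points somewhere else. Added example; SAMPLE_EMAIL is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that looks like a URL or bare domain, e.g. "www.ebay.com".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.I)


def host_of(s: str) -> str:
    """Hostname of a URL or bare domain; userinfo before '@' is discarded."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def suspicious_links(html: str):
    """Return [(href, text, reasons)] for links a user should not trust."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href if "://" in href else "http://" + href)
        target = (parts.hostname or "").lower()
        reasons = []
        if "@" in parts.netloc:
            # 'http://www.ebay.com@203.0.113.9/' goes to 203.0.113.9; the
            # brand name before '@' is just userinfo the server ignores.
            reasons.append("userinfo trick: real host is " + target)
        if DOMAIN_LIKE.match(text):
            shown = host_of(text)
            # Allow a subdomain of the displayed host (signin.ebay.com for
            # ebay.com); flag everything else, including ebay.com.evil.example.
            if shown != target and not target.endswith("." + shown):
                reasons.append(f"text shows {shown} but link goes to {target}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


SAMPLE_EMAIL = """
<p>Dear eBay member, your account has been suspended.</p>
<a href="http://www.ebay.com.verify-account.example/signin">http://www.ebay.com/signin</a>
<a href="http://www.ebay.com@203.0.113.9/">www.ebay.com</a>
<a href="https://www.ebay.com/help">Help</a>
<a href="https://signin.ebay.com/">signin.ebay.com</a>
"""  # constructed sample, not a real message


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "|", text, "|", "; ".join(reasons))
```

Only links whose visible text is itself a URL or domain are compared; a link labelled "Help" carries no promise about where it goes, so the user has nothing to verify except the status-bar URL. The same comparison is what a mail client shows when it previews the real target on hover.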
  • Life would be easier...

    Life would be a whole lot easier if ISPs took phishing seriously. I've shut down a number of phishing scams in the last couple years, either by getting the site brought down directly or by getting the open HTTP e-mail engine taken offline by the (somewhat chastened) owner. I had to jump up and down and scream for nearly three days to get a major ISP (name escapes me for the moment, but I think it was something like "Woohoo") to shut down a page they were hosting that was scamming eBay users. Same ISP three months later, same lack of response.

    On the other hand, whenever I had to shut down a phishing scam that was exploiting a security hole in a corporate web site (typically the HTTP e-mail engine mentioned above), I got almost immediate response.

    It's not just phishing scams. I've given up trying to stop Nigerian scams using free e-mail accounts because it takes far too long to get someone from the e-mail service to shut down the account. When they do respond, it's usually without having clearly read my e-mail or the attached scam, and I have to go back with more details explaining that it doesn't matter where the e-mail originated, what matters is where the writer wants the replies sent.
    Kevin Dean