Drowning in a sea full of Phish

commentary Phishing scams work on an embarrassingly low percentage of users -- but apparently that's enough to keep them profitable.
Written by Alex Kidman, Contributor
I thought I had most things beaten. My ever-growing burden of spam -- seemingly a necessity owing to the need to have visible e-mail addresses on most of our Australian Web sites -- had been culled down considerably (thank you, SpamBayes), and as such e-mail was becoming a viable communications medium again. And then, pretty much all at once, the phishing e-mail scams started arriving in a small but virulent flood.

It's annoying -- well, thanks to some quick SpamBayes clicking, not so annoying, as I don't really see them as much any more -- but it still irks me, when I see them coming straight in (and straight out again to the Junk e-mail folder), to think of the fact that these kinds of socially engineered scams actually work. According to figures on the Web site of the Anti-Phishing Working Group, up to five percent of respondents to phishing scams hand over sensitive information. As a result, they presumably end up rather badly burnt, one way or the other.

If you're reading this thinking that phishing sounds like something that would come out of "The Amorous Adventures of Rex Hunt (Vol 27)", then sit down for a quick lesson in e-mail scamming. Phishing (a play on "fishing", with the "ph" borrowed from phone phreaking; the "Password Harvesting Fishing" expansion you sometimes see is a later backronym) is a social engineering technique that tries to fool the end-user into revealing sensitive information (usually financial) by setting up fake Web sites and sending out spam mail designed to scare users into acting without thinking, handing over their details and thus getting done over.

The earliest scams of this sort were easy enough to spot, as they relied on relatively simple e-mail messages (or sometimes pop-up Web messages) that sent users through to fake bank (or other financial institution) Web sites. Things have gotten a mite trickier since then; the scammers have gotten more sophisticated at spoofing the sending address (the From line is just text the sender chooses, so it proves nothing) and even the Web site URL, using look-alike domains or link text that shows the bank's address while the link itself points somewhere else, in order to fool users into thinking they're entering information at a genuine financial site.

If that scares you, don't worry too much. There's some easy stuff to look for -- spelling errors, or landing sites whose URLs bear little relation to the bank's name or products -- although that only catches the lower rungs of the scamming ladder. As a general rule of thumb, though, your financial institution is extremely unlikely to ever ask you to re-verify personal information by typing it into a Web site. The easiest way to check whether something's a scam? Pick up the phone and call your bank with the details of the e-mail in front of you. Don't call any number given in the e-mail -- look it up yourself from your bank statements. If it's on the level -- and it's highly likely it's not -- they'll be able to tell you without needing lots of your information, and if it's dodgy, you'll have ducked a rather nasty bullet.
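The tells described above (a sending address that doesn't match where the mail really came from, link text that shows the bank's address while the link points elsewhere, and link targets that aren't the bank's domain) can be checked mechanically. The script below is an added example, not code from the original column or from SpamBayes; the bank's "genuine" domain list, the sample message and the helper names are assumptions made up for the example, and the registrable-domain helper is a deliberate two-label approximation rather than a public-suffix lookup.

```python
"""Added example: flag the phishing tells the column describes in a raw e-mail."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the genuine domain(s) of the institution the mail claims to be from.
LEGIT_DOMAINS = {"example-bank.com"}

# Constructed sample message for the example; not a real phishing e-mail.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Security" <security@example-bank.com>
To: victim@example.org
Subject: Urgent: re-verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you confirm your details.</p>
<p><a href="http://example-bank.com.verify-login.example.net/confirm">
https://www.example-bank.com/secure</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (approximation; real code uses a public-suffix list)."""
    if not host:
        return ""
    return ".".join(host.lower().split(".")[-2:])


def domain_of_url(text):
    """Registrable domain named by an http(s) URL, or '' if the text is not a URL."""
    parsed = urlparse(text.strip())
    if parsed.scheme not in ("http", "https"):
        return ""
    return registered_domain(parsed.hostname)


def address_domain(addr):
    """Registrable domain of an address such as 'Name <user@host>'."""
    _, _, host = email.utils.parseaddr(addr)[1].rpartition("@")
    return registered_domain(host)


def check_message(raw):
    """Return a list of findings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tell 1: the From line (sender-chosen text) disagrees with the envelope sender.
    from_dom = address_domain(msg.get("From", ""))
    rp_dom = address_domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())

    for href, text in extractor.links:
        target = domain_of_url(href)
        shown = domain_of_url(text)
        # Tell 2: the visible link text is a URL on one domain, the href goes to another.
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points at {target}")
        # Tell 3: the link lands somewhere that is not the bank's own domain.
        if target and target not in LEGIT_DOMAINS:
            findings.append(f"link target {target} is not a known bank domain")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_RAW):
        print("WARNING:", finding)
```

On the constructed sample this reports three findings: the Return-Path mismatch, the link whose text says example-bank.com but whose href lands on example.net, and that same target not being a known bank domain. The genuine "Help centre" link passes. The check is a filter, not proof: a scammer who registers a plausible domain and uses plain link text will slip past it, which is exactly why the column's advice to phone the bank on a number from your own statement still stands.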

As to how the scam works: it depends on the scammer, and on what information you give them. Some will simply suck the money straight from your bank account. Others will use your information to order lots of expensive, easily re-sold products from online merchants or auction sites, and others will use the information to engineer other bits of identity theft -- if they can fool someone into thinking that they're you by having bank details, or perhaps by getting your statement sent to them, they can attempt to apply for official ID and the like. All nasty stuff. I've not fallen for a phishing scam myself, but I did have an interesting run-in late last year when somebody stole some physical mail intended for me and attempted to use it to get a passport, based on the fact that they'd nabbed a replacement frequent flyer card. The first I knew about it was when I got a call from the police to see if I had said card. I didn't, but was unaware of the problem, as I've never used the thing anyway -- I tend to quote the number on it without showing it, and board planes regardless. Nine months on, and my bank accounts are still solid as a rock, and I haven't had an interesting visit from the anti-terrorism chaps -- yet.

In the meanwhile, I'm still fighting off a barrage of phishing spam -- for some reason the criminal types who engineer this sort of thing seem to think that I have accounts with (amongst others) Westpac, Bank of America, Citibank, NAB, St George and the Commonwealth Bank, and so I get spam targeting all of them. Yes, I know, the spam is indiscriminate, but honestly -- if I had that many bank accounts, they'd have no money to suck out of them, having been eaten lock, stock and barrel by bank fees.

I can only presume that my e-mail address has fallen once more into the great engines that lie somewhere grinding out spam e-mails by the millions, and I can only hope that eventually they'll become unprofitable. Sadly, if that five percent of respondents keeps getting fooled, that could be a long time coming.

What do you think? Are phishing scams on the rise? Are they getting more sophisticated, or is that five percent figure just an inevitable fact of human gullibility? Talkback to me below!