Educating users to recognise potential phishing scams may no longer be an effective tool because recent attacks are so sophisticated that fraudulent sites are virtually indistinguishable from the original, according to MessageLabs.
Traditional phishing attacks replicate the Web site of a known brand and try to lure victims to it using spam. In the early days, phishing e-mails and Web sites were relatively simple to spot because they often contained spelling mistakes and were badly designed.
Recently discovered phishing sites were no longer distinguishable from the original, which made it impossible to educate users on how to tell the difference, according to Mark Sunner, CTO of MessageLabs.
"Phishing is just so sophisticated that you can't deal with it with education. How can you tell someone to watch out for something that is perfect?
"The URL looks perfect and the site looks perfect. So even if you were very, very savvy you would have some trouble discerning that something was wrong," Sunner told ZDNet Australia in a phone interview on Tuesday.
"This is a trend that will continue to develop," added Sunner.
In a report published by e-mail security specialist IronPort on Tuesday, the company's senior vice president of marketing Tom Gillis agreed that attacks have never been so sophisticated.
"In 2006, we have seen two important trends working together. Overall threat volumes are increasing, and the level of sophistication is also increasing.
"The Web is the new battle front. The malware threats we are seeing coming through the Web gateway are the most sophisticated yet," said Gillis.