Phishers turn their aim on corporate networks

Organised crime gangs plan sophisticated attacks on businesses

Organised crime gangs are developing phishing attacks against corporate networks in an attempt to steal passwords and sensitive information.

Some fraudulent emails pretend to be messages from a company's network administrator asking its users to update their passwords. But unwary users clicking on the link in the fake email may be giving their login details to fraudsters, who are then free to use them to access business systems.

And Anne Bonaparte, chief executive of email security company MailFrontier, said that gangs are using sophisticated directory harvest attacks to identify new employees in businesses.

The phishers then pose as payroll providers and try to use the information they have harvested to get yet more personal details from a company's HR department.

"This is a very sophisticated corporate phish – we are beginning to collect some very serious ones. As these phishers get more sophisticated this is the way it is going. There is a lot of money to be had here," said Bonaparte.

Organised crime is targeting businesses rather than consumers because the rewards can be greater.

"There's no shortage of bad guys trying to get in," she said. "They are very opportunistic, because the motive is money."

Bonaparte said people now find it hard to tell legitimate and spoof email apart.

Of the 25,000 people in the UK who have taken MailFrontier's phishing test, 18 per cent incorrectly identified phishing email as legitimate, and 46 per cent identified legitimate email as phishing spam.

"There is a danger that people are pulling away from taking action by email. People are confused and more education is required," she added.

Elizabeth Robertson, solicitor at law firm Jones Day, said that phishing is a new form of old crimes: "They are sophisticated frauds, thefts and embezzlements," she said. But because fraud is tremendously difficult to stand up in court, one way to bring the law to bear on phishers may be to use the Data Protection Act over their misuse of personal information – in the same way that tax law was the easiest way to bring Al Capone to justice, she said.

Jeremy Beale, head of the e-business group at the CBI, said that phishing is a serious issue for business: "Spam was a pain, but it didn't really hit the bottom line – phishing really does go to your bottom line. Companies are dependent on the internet so pulling the plug is not really an option."