Going phishing: How to avoid getting hooked
December 4, 2009
In the virtual world many cyberspace criminals go phishing to bait unsuspecting individuals and firms. Their catch is becoming far less lucrative, however, thanks to a better understanding of how to avoid being hooked. Now, new legislation may help make the pastime even less appealing.
On the surface, phishing is simply an e-mail, but a surprisingly deceptive one. Designed to appear as if they have been sent by reputable organizations, frequently financial institutions, the intent of this spam is to get the recipient to reveal sensitive information such as user names, passwords, network login information, account numbers and credit card details.
"Typically, phishing attacks will direct the e-mail recipient to a website designed to mimic a target organization's own visual identity and to harvest the user's personal information, often leaving the victim unaware of the attack," said Tony Turco, an associate with Blake, Cassels & Graydon LLP in Toronto.
"Obtaining this type of personal data is attractive," he noted, "because it allows an attacker to impersonate their victims and make fraudulent transactions or access otherwise secure networks."
The haul can be highly profitable for the scammers - and very costly for those caught in the net. "It can amount to not only a significant loss of money for the victim but also the loss of time as victims must work to restore their identity, credit and financial well-being once they discover they have fallen victim to a phishing scam," said Jason Howg, a partner with Borden Ladner Gervais LLP in Calgary.
"The challenge for lawyers," he added, "is that it is tough to advise individuals on how to avoid a phishing scam, or any other type of related fraud, other than to reiterate the usual precautions applicable to avoiding fraud and remind individuals to vigilantly protect their sensitive information at all times."
The advice is paying off, at least for now. According to a new report from IBM, phishing has decreased dramatically over the past year. The report found that the number of phishing e-mails as a proportion of total spam fell in the first six months of this year to 0.1 percent. In the same period last year, the figure stood at between 0.2 and 0.8 percent.
In the first half of 2009, 66 percent of phishing was targeted at the financial industry, down from 90 percent in 2008. Online payment targets made up 31 percent of this.
"My sense is that [the decline] is the result of greater awareness on the part of the public. If you get seven e-mails a day saying there is a problem with your bank account, [it's suspicious]," noted David Fraser, an associate with McInnes Cooper in Halifax.
As individuals and firms get wiser, the scammers get more unscrupulous. IBM's X-Force 2009 Mid-Year Trend and Risk Report, for example, noted that analysts believe that what are known as banking Trojans are taking the place of phishing attacks geared toward financial targets. There is also something new in the online ocean. It's called spear phishing.
"This is targeted phishing," said Fraser, noting that scammers trawl through social media sites like Facebook, blogs and other pages overflowing with personal information to better know their intended victim.
"You're not using a shotgun approach," he said. "You can guess more accurately about things [individuals] might respond to."
Indeed, said Howg, "the increased popularity of social networking sites suggests that phishing scams may have access to a new medium which would likely increase the number of scam attempts."
When someone appears to know an individual, that individual may be more likely to respond. Or not. It's difficult to tell as hard numbers are hard to come by. The lack of reporting may reflect personal embarrassment or institutional reluctance to step forward, said Fraser, who is chair of McInnes Cooper's Privacy Practice Group.
Here's where that advice from lawyers can help. Again. "A client should be wary of any e-mail with requests for personal information," stressed Turco. "Also, a client should ask if it is normal or routine to be receiving this type of e-mail. For example, does a client's bank even have his or her e-mail address?"
Turco also warns that clients should not use links in an e-mail to get to any website if there is the slightest hint that the message might not be authentic or they don't recognize the sender's address. "[They] should consider calling the organization from whom the message purports to originate to determine if it is legitimate."
They should also understand the reality in which banks and insurance companies operate. The fact is that they rarely send e-mails to clients and certainly not e-mails that request sensitive information. "Banks and insurance companies are held to a high standard when it comes to the protection of personal information and will address any account issues or privacy concerns in the most confidential manner possible," said Howg. "Clients should, therefore, assume that any unsolicited communication coming from a bank or insurance company which requests sensitive information is likely fraudulent.
"[They] should also be advised to keep their anti-virus and anti-spyware software up to date and learn how to check e-mail properties to discover the true sender of an e-mail," he added.
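The two checks Turco and Howg recommend, looking past the displayed sender to the underlying message properties and distrusting links whose visible text does not match where they actually point, can be mechanized. The script below is an added example for this article, not code from the lawyers or firms quoted; the message it examines is a constructed sample using placeholder domains, and every header and link in it is invented for illustration. It parses a raw message with Python's standard `email` library, compares the domain of the visible `From` address against `Return-Path` and `Reply-To`, and flags HTML links whose anchor text shows one host while the `href` goes to another.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (placeholder domains, not a real bank or relay).
# The visible From claims the bank; Return-Path and Reply-To point elsewhere,
# and the link's visible text does not match its real destination.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Reply-To: support@examplebank-verify.example.com
From: "Example Bank Security" <alerts@examplebank.example>
To: client@lawfirm.example
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://examplebank-verify.example.com/login">https://www.examplebank.example/login</a>
to confirm your details.</p>
</body></html>
"""


def sender_domains(msg):
    """Return the domain part of From, Return-Path and Reply-To (None when absent)."""
    out = {}
    for hdr in ("From", "Return-Path", "Reply-To"):
        _, addr = parseaddr(msg.get(hdr, ""))
        out[hdr] = addr.rpartition("@")[2].lower() or None
    return out


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text is itself a URL on a different host than the real href."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            bad.append((text, href))
    return bad


def analyze(raw_message):
    """Return a list of human-readable warning strings for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    doms = sender_domains(msg)
    # A differing Return-Path is common for legitimate bulk mailers, so this is a
    # signal to verify through another channel, not proof of fraud on its own.
    for hdr in ("Return-Path", "Reply-To"):
        if doms[hdr] and doms["From"] and doms[hdr] != doms["From"]:
            findings.append(f"{hdr} domain {doms[hdr]} differs from From domain {doms['From']}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for text, href in mismatched_links(body):
        findings.append(f"link shows {text} but points to {href}")
    return findings


if __name__ == "__main__":
    for warning in analyze(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run against the sample, the script reports that both `Return-Path` and `Reply-To` sit on domains other than the one shown in `From`, and that the link's visible text names the bank's host while its `href` goes to a look-alike domain. None of these findings proves a message is fraudulent, but each is the kind of property a recipient can check before deciding to call the purported sender, as Turco suggests, rather than click.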
Then lawyers need to take their own advice. "There are scams that particularly target lawyers," noted Fraser, who has received phony e-mails alleging to be from clients.
Even greater threats are coming in the form of cloud computing, which allows users to access technology and applications over the Internet without necessarily knowing who is providing the service. "The increasing movement of business - and lawyers - toward cloud computing may be expected to increase the potential dangers to lawyers of phishing attacks as more due diligence rooms and law practice solutions become cloud-based," said Turco.
The federal government is hoping to curtail some of the enthusiasm and creativity of the scammers with its proposed Electronic Commerce Protection Act. This bill would allow businesses and consumers to take civil action against anyone who violates it.
The Canadian Radio-television and Telecommunications Commission, the Competition Bureau and the Office of the Privacy Commissioner will also be given the power to share information and evidence with their counterparts in other countries who enforce similar laws internationally, so that violators beyond Canada's borders cannot use this country as a spam safe haven. Offenders could be hit with financial penalties of up to $1 million for individuals and $10 million for all others.
It may actually prove to be enough of a stick to convince many scammers it's time to give up phishing altogether.