Tell me what you think, share what you know… In large part, I help catch bad guys for a living. So I have my own perspective and base of experience, but please share yours.
You may already be familiar with the term “phishing” and possibly you have a good idea of what it means. If you’re not familiar with the term, you should be. Essentially, bad guys set up fake “phishing” Web sites, typically by copying an online banking or other e-commerce site. The bad guys then send out emails or use other means to try to get you to visit the fraudulent Web site they’ve set up, in hopes you’ll think it’s legitimate and “update” your banking or other private information there. In reality you’re not communicating with the actual bank or e-commerce company at all, and you’re not really updating anything – rather, you are providing confidential identity and financial information to cyber-criminals. The bad guys then use that information to steal money, defraud you and others, and to create a new identity or leverage yours for their own gain. They’re good at what they do, and the fact of the matter is, it works well enough for those who are the best in their “industry” (and it is its own micro-industry, as we’ll discuss) to be motivated to make a career of it.
The general technique of convincing you via trickery to give up your private and sensitive information is called “social engineering.” Bad guys act in ways that cause you to think you’re communicating with a legitimate business, but in reality you’re being defrauded of information and – in turn – your financial and identity assets. More recently even myspace.com and similar sites have been faked, so we know these criminals are creative and go after us where we live. Whether it’s a phone call from someone who sounds like a legitimate business person or a Web site that looks like it’s the real thing, it’s all social engineering – tricking you into believing you’re communicating information to a legitimate person or business when you’re not.
You’ve likely seen emails show up in your in-box that pretend to be from ABC Bank or XYZ Credit Union. Beware any email that requests information from you. The emails typically say something has happened to your account or that they’re verifying information, and you need to update your information by clicking a link to go to the bank’s Web site. But those emails are fakes, and so are the sites that load when you click the link. They’re sent (well, spammed really) to anywhere from a few thousand to millions of people at once. Even when only a very small percentage of victims actually take the bait (hence the term phishing, eh?), the bad guys win and come out ahead – big time.
Unfortunately, people do take the bait. I see it every single day in my work. Just the other day I dealt with a situation in which someone who provided their information to a phishing site fraudster was ripped off for $19,000. We’re talking about serious stuff here… Now, when you lose money it’s sometimes recoverable (but not always – you can sometimes be held responsible for giving away security secrets, after all). But if someone steals your private identifying information – things like driver’s license numbers, dates of birth, social security numbers and the like – it’s bad news. You’re in trouble. Recovering from a stolen identity can be nearly – and oftentimes completely – impossible. You can get a couple thousand dollars back if you get tricked into giving up a password, but you can’t take back your social security number once someone knows it.
You get the picture.
So, phishing is when someone sends an email and tries to get you to provide your secret information on a Web site that looks like a legitimate one, but which is really just a fake copy that some bad guy controls. A lot like walking into what you think is your favorite coffee chain and walking out with a Strychnine latte, really. And on top of that, you paid the bad guy who you thought was your friendly barista $5 for it – and left a tip.
We’ve covered some of the basics of phishing fraud – just the first thin layer of the problem, actually. Over the course of some future posts, we’ll dig a bit deeper into the details of what makes up a phishing campaign and what can be done about it. We’ll also discuss pharming, spear-phishing and other cute terms that start with “ph” but which are really just about the farthest thing from cute you can imagine.
There are solid reasons for this madness that plagues the financial service and e-commerce industries. But truly understanding the problem means more than just knowing what phishing emails look like and avoiding fake sites. The fact that the sites are even there in the first place, that the email actually reaches your in-box, that you can’t tell a fake site from the real one – all of these things are problems in and of themselves. To truly prevent the problem – and let’s face it, prevention is the golden key here – we need to know and understand much, much more.
For instance, do you know why certain banks, credit unions and online retailers are targeted over others? Here’s a hint: It’s not always about how many customers they have to target or how big a name the bank is, although that can be a factor. Many of the biggest targets are credit unions with just a few thousand customers. And do you know what the phishers actually do with the information they fraudulently trick you into providing?
Do you have any idea who the bad guys are?
That’s a taste of what we’ll be discussing here over the next few weeks. I’ll publish some of my thoughts on these topics and more. Not the secret stuff that lets us catch them, but the information consumers and institutions can use to help combat the problem. It’s an opportunity to learn and share information. If you have ideas, thoughts or comments about the phishing problem, or online fraud in general, please leave a comment on this entry, or write about it on your own blog, or alternatively you can email me (but please use the comments if it’s safe and reasonable to do so in order to provide the benefit to others – I tend to get a lot of emails that would be much better from a community standpoint if they were posted instead as comments). I’ll leverage my own thoughts as well as the thoughts of others like you to help build parts of the future discussion. With hat tips all along the way, of course.