Phishing is a form of social engineering (a general term that describes gaining advantage through the use of deceptive manipulation) in which a victim is contacted by a person or group masquerading as a legitimate entity to obtain personal information. Victims are typically contacted via electronic communication by a source they assume to be trustworthy or known to them and lured into disclosing personal information directly or by clicking a link that redirects them to bogus sites that capture information or install malicious software. This has been a growing problem that is estimated to have cost more than $687 million in the first half of 2012 alone.
The term phishing is derived from an earlier form of hacking, which is a general term describing the practice of modifying a piece of equipment from its original intended use or purpose. Hackers in the 1960s and 1970s manipulated telephone systems to obtain illegal free calls, called phreaking, a play on the words phone freak. Phishing uses similar wordplay to metaphorically describe “fishing” for information. Similar to actual fishing, scammers first bait prospective victims with false information before hooking and capturing information.
This entry begins with a discussion of the escalation and anatomy of phishing attacks, followed by a description of popular forms of phishing. Finally, this entry examines the detection and policing of phishing incidents.
The number of phishing incidents has risen significantly in the past few years. According to the computer security firm RSA (Ron Rivest, Adi Shamir, and Leonard Adleman), there were on average 36,980 unique phishing attacks per month worldwide from August 2011 to August 2012, an increase of nearly 55%. A 2009 PhishTank study of 3 million banking customers over a 3-month period revealed that 45% of bank customers who were redirected to phishing sites divulged their bank login information. In 2011, the Federal Bureau of Investigation (FBI) received nearly 28,000 victim complaints of a type of phishing attack called advance fee fraud.
The escalation in phishing attacks can be attributed in part to the growing range of potential victims. Attackers are increasingly targeting users of smartphones, computer tablets, and other portable computing devices, which are increasingly used for online banking and e-commerce. In addition, social network users are being targeted by phishing scams. For example, one Facebook phishing scam baits users to click on a link, such as a viral video, which redirects the user to a phony account security verification page that solicits personal information.
Phishing attacks can be potentially more harmful in nature when they lead to the installation and spread of unauthorized software. Malicious software, or malware, is a broad term used to describe a variety of unauthorized computer code, such as viruses, worms, spyware, and adware, that can compromise personal computer systems and networks. Computer viruses, for example, are self-replicating software that can spread to other computer systems, where they can steal sensitive information (spyware), propagate unwanted advertisements (adware), and disrupt larger networks. For example, an attacker can take control of a network of infected “zombie” computers, known as a “botnet,” that can be used for a variety of nefarious purposes, ranging from sending unsolicited advertisements (spam) to executing a distributed denial-of-service attack that disables websites by overwhelming their servers with requests, or to gaining access to networks, where information can be collected and sent to attackers.
Attackers often lure potential victims into cooperating by employing emotional prompts. Attackers often create a sense of urgency in their message, appeal to the potential victim's greed with outlandish offers, make false accusations while posing as federal agencies, and even scare victims into believing that they have been a victim of fraud by falsely representing a financial institution. Ironically, even phishing and Internet scam enforcement groups have been imitated by fraudsters. For example, scammers have impersonated representatives of the Better Business Bureau's Complaints Department, which deals with phishing scams.
Once trust is established, victims often disclose information directly to a scammer or indirectly via a link that redirects them to a legitimate-looking website. For example, many phony websites contain official company images and logos to create realistic-looking pages that are often indistinguishable from legitimate sites. More sophisticated attackers may employ a “man in the middle”–type attack, whereby information is intercepted before redirecting the victim to the legitimate website.
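The redirection described above usually depends on a link whose visible text differs from where it actually points, or on a host name that merely contains a trusted brand's name. The following Python example, added here and not part of the original entry, shows the kind of heuristic check a mail filter or security-awareness tool can apply to an HTML e-mail body: it extracts every anchor, compares the domain shown in the link text with the domain in the href, flags hosts that imitate a protected brand, and flags links to bare IP addresses. The brand list and the sample messages are constructed for the example; the registered-domain helper is a deliberate approximation (last two labels, no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of brands the filter protects (an assumption for this example).
PROTECTED_BRANDS = {"examplebank.com"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels.
    A production filter would consult the public-suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(html_body):
    """Return human-readable findings for suspicious links in an HTML e-mail.
    An empty list means none of the three heuristics fired."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        target_host = urlparse(href).hostname or ""
        # Indicator 1: the visible text shows one domain but the href goes to another.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registered_domain(shown.group(1)) != registered_domain(target_host):
            findings.append(f"link text '{text}' but href goes to {target_host}")
        # Indicator 2: a protected brand name appears in the host, but the
        # registered domain is not the brand's (e.g. brand.com.attacker.example).
        for brand in PROTECTED_BRANDS:
            brand_name = brand.split(".")[0]
            if brand_name in target_host and registered_domain(target_host) != brand:
                findings.append(f"lookalike host {target_host} imitates {brand}")
        # Indicator 3: the link points at a bare IPv4 address rather than a host name.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target_host):
            findings.append(f"link to bare IP address {target_host}")
    return findings


# Constructed sample messages (not taken from the article).
SAMPLE_PHISH = """
<p>Your account has been suspended. Please verify within 24 hours:</p>
<a href="http://examplebank.com.secure-login.example.net/verify">https://www.examplebank.com/verify</a>
"""
SAMPLE_IP = '<a href="http://192.0.2.10/login">Log in</a>'
SAMPLE_CLEAN = '<a href="https://www.examplebank.com/help">Help Center</a>'

if __name__ == "__main__":
    for name, body in [("phish", SAMPLE_PHISH), ("ip", SAMPLE_IP), ("clean", SAMPLE_CLEAN)]:
        print(name, phishing_indicators(body))
```

The first sample trips two heuristics (mismatched text and lookalike host), the second one, and the clean sample none. Heuristics like these raise a warning for the reader or a score for a filter; they do not replace sender authentication or URL reputation checks, which catch cases a text-only inspection cannot.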
Spear phishing is a targeted phishing attack against an individual or an organization using specific information about the target to gain a victim's trust. In comparison, more generalized phishing casts a broader general lure, such as a generic e-mail to multiple recipients simultaneously. Spear phishers, however, obtain some specific information about the target before implementing their attack. For example, scammers can impersonate the victim's company technical help desk to convince the potential victim to provide personal information. A scammer can also gather information from a company's website, the victim's social networking page or personal blog, or even an organization's computer network through a previous hack, before contacting the potential victim.
A specific type of spear phishing that targets more lucrative upper managers is referred to as “whaling.” In 2008, the FBI investigated a large-scale whaling scheme where 20,000 corporate executives received a fake FBI e-mail subpoena to click on a link that installed software that captured and sent their passwords to the attackers.
Clone phishing involves an attacker sending a spoofed, or fraudulently copied, e-mail to make it appear as if it was sent by the original sender. The attacker extracts information from an authentic e-mail, such as the content and e-mail path, before sending a subsequent fraudulent e-mail. A scammer can resend a duplicate of an original e-mail message and replace only an attachment or link. Unsuspecting victims who open the attachment or link, believing it was sent by the real sender, may unwittingly install malware or be induced to disclose personal information. Attackers can also steal e-mail login information by sending the legitimate e-mail owner a password reset link.
Advance fee scams solicit advance payment in some type of proposal that falsely promises larger returns in the form of money, products, or services. The most infamous Internet advance fee frauds are Nigerian 419 scams, named after the section of the Nigerian penal code that criminalizes defrauding victims under false pretenses. These 419 scammers initially contact victims with business proposals promising unrealistically large rewards for their assistance. For example, scammers often masquerade as official bank agents or beneficiaries of a very large fund who need the victim's advance fee to “release” the money. Some victims are further coaxed by religious appeals and sympathy for victims of recent disasters.
Victims who respond often face an endless cycle of escalating fees and further victimization. Some victims who have paid tens of thousands of dollars attempting to collect their promised rewards received nothing more than pieces of black paper purported to be cash concealed with a protective coating of black ink. Many pay extra for supposed special chemicals that remove the black ink. In some cases, this black cash is presented in potentially dangerous face-to-face meetings with scammers. The U.S. State Department has 15 documented cases of murdered or missing individuals related to Nigerian advance fee scams from 1992 to 1995. In 2009, two men in New York were gunned down at home during a meeting with scammers.
Victims of phishing attacks may unknowingly install ransomware on their computer, a type of malware that extorts victims by locking them out of their computers or encrypting their data. The victim must pay a ransom to an attacker to receive a code that unlocks or decrypts their information. Some attackers threaten to destroy or disclose sensitive information. In most cases, however, a fake government notification informs the victim that illegal activity was detected on their computer and orders them to pay a fine in order to avoid prosecution and restore the computer to its full functionality.
Phishing remains a significant problem despite affecting a relatively small fraction of total Internet users. The growing number of Internet users coupled with the ease and low cost of carrying out phishing attacks have exposed virtually every e-mail user to phishing attacks. According to Internet security firm Symantec, nearly 1 in every 508 e-mails was identified as phishing in January 2013.
While phishing victims are often criticized for being gullible to obvious scams, many informed Internet users are fooled by increasingly clever and sophisticated attacks. Even highly educated and intelligent individuals fall prey to phishing attacks. In 2005, internationally renowned psychiatrist Dr. Louis Gottschalk lost nearly $3 million over a 10-year span to a Nigerian scammer, believing he would receive in return $20 million that was supposedly trapped in African bank accounts.
Sophisticated phishing detection and filtering technologies employed by companies, such as Microsoft, Google, and Yahoo!, have not prevented victimization. Since phishing is a form of social engineering that works by manipulating the trust of individuals, many electronic security measures are circumvented by end users who authorize malware installation by clicking on links and opening attached files contained in e-mails. Furthermore, once malware is introduced into a home or organization's computer network, it can potentially allow attackers to victimize other users, steal private information, and disrupt entire network operations.
Enforcement against phishing has been very limited. As such, most organizations, including law enforcement organizations, mainly focus on prevention through public awareness. Most federal agency websites, such as those of the FBI, Securities and Exchange Commission, and Internal Revenue Service, advise users on how to protect themselves against phishing scams. The FBI and National White Collar Crime Center run the Internet Crime Complaint Center, where victims can file a complaint. Due to the high volume of complaints, only a small percentage are fully investigated by law enforcement. Moreover, victims rarely get any of their money back.
Several key groups police phishing. First, private companies employ various technologies to stop phishing. Free webmail service providers, such as Google, Microsoft, and Yahoo!, employ filtering technologies. In addition, operating systems, web browsers, and antivirus software have become more sophisticated in detecting and preventing malware. However, as mentioned, many end users can still circumvent these safeguards by ignoring their warnings and permitting malware installation.
Second, some private organizations focus specifically on phishing. For example, the Anti-Phishing Working Group collects and analyzes phishing attacks submitted by Internet users. The 419 Eater group targets Nigerian scammers by engaging in time-wasting dialogues with scammers.
Third, public-private alliances have formed to defend against phishing attacks. The Internet Crime Complaint Center, for example, has sustained partnerships with public and private organizations, such as the Business Software Alliance, eBay, the Federal Trade Commission, and Microsoft.
Finally, international governments have stepped up their efforts in fighting phishing. Arrests have been made in Nigeria, Zaire, Ghana, and India in the past few years. Nigeria's Economic and Financial Crimes Commission has been aggressively policing Internet cafes and other phishing hot spots and launched a public awareness campaign to fix the country's image of tacitly accepting phishing as an industry.
Anti-Phishing Working Group (APWG): http://www.antiphishing.org
419 Eater group: http://www.419eater.com
Internet Crime Complaint Center (IC3): http://www.ic3.gov/default.aspx
See also: Cybercrime; Digital Piracy; Fraud; Spamming