By Will Sturgeon, 3 May 2005 17:40
Phishing attacks continue to rise and new research suggests more and more UK internet users are falling foul of the emails which often look to steal personal information relating to online banking and ecommerce.
Many victims also claim their banks aren't doing enough to protect them or compensate them.
According to AOL, five per cent of UK surfers claim to have fallen victim to any kind of online fraud - from phishing scams, fake domain registry renewals and 'Nigerian 419' scams to phoney online auction lots.
In total, one per cent claim to have fallen specifically for phishing scams - a figure which points towards hundreds of thousands of victims across the country.
Of those who have been victims of phishing, 53 per cent claimed not to have received compensation for their losses from their bank or credit card company.
Email filtering firm Postini claims the total number of phishing scams has decreased month-on-month, but this may signify a move towards more sophisticated, less scattergun attacks and may yet be the precursor to a rebound to new highs, according to Scott Petry, founder and senior vice president of Postini.
Petry told silicon.com: "I'm shocked at the number of people who have been victim to these kinds of scams on one level but then I realise how many gullible people there are out there. If people see something in front of them which looks genuine they tend to take for granted it is."
Petry believes the massive rise in phishing attacks was symptomatic of the spammers' attempts to ensure reasonable returns. "The reaction to more pervasive filters was simply to increase the volume," he said.
But now he believes sophistication is also increasing - perhaps suggesting fewer emails are required for similar returns.
The drop witnessed by Postini, which claims to have scanned 14.9 billion emails last month, detecting more than nine million phishing scams - a 45 per cent drop month-on-month - may also be due to ISPs blacklisting servers, botnets being closed or individual machines being decommissioned in significant enough numbers to have an impact.
But as fresh machines become compromised and the spammers move on to pastures new, it's likely the numbers will increase. "We'll continue to see peaks and troughs," said Petry.
Many in the industry believe banks still need to do more.
LloydsTSB, for example, recently announced it will start to contact customers again via email, adding to the confusion over whether banks will or won't contact customers in this way.
Although LloydsTSB's email claimed it will never ask customers to divulge personal data, and provided a freephone number for customers who wanted to check the validity of the email, such a lack of clarity across the industry helps create a culture of uncertainty ripe for harvesting by the phishers.
Petry believes banks simply can't help themselves.
"I believe email is too valuable a marketing tool for the banks to ignore."
But while they can't help themselves, they must help their customers, said Petry.
"I think banks need to be more active in driving authentication, validation and certification," he said, referencing authentication services which will query domains and IP addresses.
"They may not want to bear the cost of doing so, or pass those costs onto customers but that's what's happening with the cost of compensation anyway. This way they will at least benefit from the goodwill factor," he added.
Comments
There are 14 comments.
1. anonymous
Totally agree... I have been with Wells Fargo for 5 years and they are doing nothing for ensuring that I am who I say I am. They made me sign up with my soc # as my user name and still won't let me change it.
Because of this, I recently put all of my money to eTrade and use a one time password token.
...I feel safer anyhow.
2. Ian Sargent
I'm getting two or three phishing e-mails per month. Each time I try to report it to the bank or credit card concerned, but some of them make it very difficult as they don't publish any e-mail addresses on their web site for security issues raised by non-customers.
3. Joe Whitehead
I have a netspend VISA exactly for that reason - banks and credit unions often don't seem to care about fraud unless you show up at the bank manager's office once a week.
4. Nigel Moore
Having been the lucky recipient of two phishing emails purporting to come from Barclays - in the month after two fraudulent transactions appeared on my Barclaycard credit card statement - I wrote (as in snail mail) to Barclaycard enclosing a copy of the first phish and offered to forward the whole email for their follow up. A month later I'm still waiting for a response, and imagine I will still be in ten years' time.
5. anonymous
As a domain registrar we receive loads of phishing email every month - I used to copy the header information and email it along with the offending message - never once have I received an acknowledgement from any financial institution, they simply do not care.
6. Geoffrey Darnton
Banks could help a lot more - I get a lot of these phishing emails. At first I tried to forward them to the banks concerned so their fraud departments could investigate immediately and try to track the scammers and supporting ISPs - this was very difficult. The banks should learn from eBay and PayPal - for both of those they have a simple spoof email address (e.g. spoof@ebay.co.uk) - they can get copies of spoofing emails immediately.
7. Joe
Why are people so stupid?
I have never fallen foul of this phishing malarkey because of 2 strong principles I adhere to...
1) Do not do online banking YET
2) Never put details on a randomly sent weblink.
I have studied phishing scams and to be honest you can tell them a mile away.
http://www.schneier.com/blog/ gives great advice on what to look out for on web fraud.
8. Bill cunningham
If you're dumb enough to fall for these scams, then it's true.. A fool and his money ARE soon parted!
9. Glenn Richards
I have to agree with Bill Cunningham (although the saying is ".........are easily parted"). How do people fall for these scams?
10. Ruth
I'm very lucky as all the phishing e-mails I've received refer to banks/building societies I don't have accounts with so I know they're fake. However, although the majority of them are very crude & obvious some of them are very smooth & even give a phone number to call if you've got any questions about what they're asking you to do so I can understand a client falling for them. I've also had some very clever eBay ones but I've scuppered that by sending them to eBay first to ensure they are fakes. Re response from banks - I had a phish purportedly from HSBC the other day - e-mailed it on to them & had a response back thanking me for bringing it to their attention.
11. anonymous
Sainsburys Bank have been annoying me with telephone calls, in which they ask me for personal information (mother's maiden name etc) without revealing or proving their identity.
This surely encourages the public to supply phishers with sufficient information to directly access their accounts.
If they need to call they should ask to be rung back using the number supplied on previous correspondence.
12. Sharon Jones
I'm in Britain and can agree that the phish emails are getting pretty sophisticated, luckily I haven't been caught out yet as I'm more than a little paranoid about security. A site I would like to commend for the way it allows you to check whether your emails ARE phish or not, is eBay. You get an email from them (allegedly) and you can go straight to their site and check because they always put a copy of their email in your summary sector. A simple but very effective security measure.
13. anonymous
What's even worse than getting phishes is reading messages from smug arrogant gits on boards like this suggesting that only fools fall for phishes.
Apart from the fact that I probably know about 6 types of scam that they don't know about, the Internet is for everyone, young or old, smart or slow, gullible or cynical, webmaster or someone who just connected for the first time today.
Btw, scams like this not only harm the economy by keeping older folks out of the Internet, they also fund organised crime.
14. Witheld for security reasons!
I agree that banks etc should decide what to do. I regularly receive 'phishing' emails that appear to come from institutions that I may or may not have an account with but now receive an email each month from a credit card company (should they remain MBNAmeless?) telling me 'my statement is in the post but I can always see it online..'. It has all the hallmarks of being 'phishy' because the links take you to a different address than the normal online address! Logging into the real site requires you to enter a user name and your whole password.....there really is just no helping some people!
I agree with the contributor who complained about unsolicited calls from banks in which they ask you for proof of ID. Thank you, I shall refuse from now on.