Fighting back against the phishers

Phishing scams get ever more sophisticated...

By Dan Ilett, 6 September 2005 14:44

Scammers are overloading inboxes around the world with emails that purport to be from legitimate firms. These emails, dubbed phishing attacks, ask for personal information from the reader so scammers can steal identities and money.

Many countries are trying to clamp down on online scammers - recently, for example, police in Brazil arrested 85 people accused of stealing $34m. And software companies - including Microsoft - are rising to the challenge.

But phishing attacks continue to get more sophisticated. It has even been claimed that phishers have been posing as payroll providers to try and steal personal details from corporate HR departments.

John Cheney, CEO of email filtering firm Blackspider, said: "We're seeing new types of phishing attacks. They are more specifically targeted and the level of sophistication is getting higher. It used to be the case that people fell for 419 Nigerian scams but people have become more sophisticated."

Data from the Anti-Phishing Working Group shows the total number of attacks around the world peaked in May at almost 15,000, and fell to 14,135 in July.

By contrast, the number of unique phishing attacks on UK banks was only 20 in January, rising to 150 in July, according to Apacs, the Association of Payment and Clearing Systems.

What is also alarming is the steady rise in the use of spyware - in April, 77 attacks contained password stealing programs, a figure which rose to 174 in July.

Banks claim to have lost £12m last year due to phishing scams. When the scams began, they were written in bad English and linked to poor copies of bank websites. But these frauds are becoming increasingly sophisticated, with high quality designs crafted to mimic the original websites.

An Apacs spokeswoman said: "I suppose the biggest change is that the look of the websites is better. In technical terms they have been able to disguise the origin of the site so they look like a real copy."

But she said the banks are now in a better position to track online fraud. Using a combination of behavioural analysis software and education, banks stand a much better chance of preventing fraud in the first place, she said.

"What's changed is the way we've learned to track it," she added.

"Proactively, it is the education of customers. The other thing that is better is monitoring of accounts - with [fraud] much more likely to be picked up."

Companies are offering predictive software that uses the average behaviour of fraudsters to spot rogue transactions. For example, according to Retail Decisions, an identity thief is more likely to buy a size nine shoe - not because they have big feet but because that size of shoe is easier to sell than others.

The next development in the war on phishers is likely to be the adoption of two-factor authentication to bolster security. For example, when banking online a customer might have to use a second password sent to their mobile phone by the bank when logging in.

Banks are working on a standard for forms of two-factor authentication, but Apacs could not say when this would be decided.
