The legitimate use of Email in business to consumer and business to business communication and marketing is becoming ever more threatened by the rise in unsolicited Email (spam) and more particularly fraudulent messages seeking to steal customers' private information (phishing).
A business may wish to legitimately remind a customer that an account statement is ready for review, that an invoice is due for payment, that a statutory declaration is due to be made, or simply advise them of a new product or service that the user, their customer, may be interested in. Many of these notices require the user to visit a website and log in, or at least identify themselves, to be able to view details, download information or make changes to their account. A typical message will therefore provide (i) notice of the action the user will need to take and (ii) a hyperlink direct to the appropriate webpage. This allows the user to easily act on the notice.
‘Phishing’ is a technique where a fraudulent website is created and then fraudulent Emails are sent which encourage the recipient to follow links in the message to the fraudulent site. Once there the user is asked to reveal private information, for example by supposedly re-verifying Paypal® or bank account details. A recent phishing Email claims to come from HM Revenue & Customs and advises the recipient that they are eligible for a tax refund if they provide the details of a debit or credit card to which the refund can be made. These details are simply forwarded to the fraudster for illicit use.
Phishing Emails are distributed to huge lists of addresses, often to many people who don't have any connection with the business mentioned in the Email. This isn't an issue so long as the fraudster can reach a sufficient number of recipients who do hold such a bank account and are then fooled into revealing their details such as bank account or login information.
Often the fraudulent sites are ‘skimmed’ from the real site and so look identical to it. Often these ‘phishing sites’ are placed on compromised legitimate web servers without the knowledge of the owner, providing the fraudster a convenient hosting solution with no link back to themselves. The creation of these ‘sites’ is becoming ever more automated, with the fraudster able to ‘skim’ the real site and place a copy on a compromised host within a few minutes, thereby incorporating any recent site design or security details into the fraudulent site, often including warnings about fraudulent Emails. The fraudulent sites can therefore look highly convincing, as can the phishing Emails.
A variety of solutions currently exist to try to tackle phishing fraud, all of them with some drawbacks. There are monitoring services that try to identify phishing sites early and arrange for the removal of the phishing pages. However, this approach can only ever have an effect after the phishing attack has already started. A site cannot be removed until that site has been created, and even then removal can take several days, as the compromised web server hosting the phishing page may be anywhere on the Internet—and hence anywhere in the world—and the server owner may be slow or even reluctant to act. Banks and other institutions often need to resort to legal threats to ensure the removal of a phishing site. A similar problem affects the browser plug-ins often incorporated into Internet Security products that attempt to detect phishing websites by checking against lists of known sites. The list can only include a site after that site has been created and already begun to function.
Email filters can help reduce phishing attacks, but they are subject to the same techniques used by other sorts of spam such as the use of images instead of text to ensure that spam filters do not detect them. In addition, filters that work by identifying links in messages to a domain other than the one from which the Email is sent are likely to cause problems with legitimate Email where a business uses outsourced Email sending services.
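The domain-mismatch filter described above, and the false positive it produces for outsourced senders, can be shown on two constructed messages. This is an added example and not part of the original text; the messages, the `.test` domain names, and the `allowed_domains` list (an operator-maintained list of site domains a given outsourced sender is known to mail for) are all assumptions made for illustration. The "registrable domain" is approximated as the last two DNS labels, which is a simplification of a real public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not from the original page).
# PHISHING_MSG: sent from one domain, links to an unrelated host.
PHISHING_MSG = """From: "Example Bank" <alerts@example-bank.test>
Subject: Verify your account
Content-Type: text/html

<p>Please <a href="http://login.unrelated-host.test/verify">re-verify</a> your details.</p>
"""

# OUTSOURCED_MSG: a legitimate notice sent through a third-party mailing
# service; the raw mismatch rule flags it just like the phishing message.
OUTSOURCED_MSG = """From: "Example Bank" <statements@mailer.example-esp.test>
Subject: Your statement is ready
Content-Type: text/html

<p>Your statement is ready: <a href="https://www.example-bank.test/statements">view it</a>.</p>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def sender_domain(raw: str) -> str:
    """Domain part of the From: address, lower-cased."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def link_domains(raw: str) -> list:
    """Host names of every href found in the text parts of the message."""
    msg = message_from_string(raw)
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace")
        for url in HREF_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host:
                hosts.append(host)
    return hosts


def registrable(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels.
    Assumption for this example; production code would consult the
    public suffix list instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def mismatched_links(raw: str, allowed_domains=()) -> list:
    """Link hosts whose registrable domain is neither the sender's domain
    nor one of the operator-supplied allowed domains for that sender.
    A non-empty result is what the filter in the text would flag."""
    allowed = {registrable(sender_domain(raw))}
    allowed |= {registrable(d.lower()) for d in allowed_domains}
    return sorted({h for h in link_domains(raw) if registrable(h) not in allowed})


if __name__ == "__main__":
    print("phishing  :", mismatched_links(PHISHING_MSG))
    print("outsourced:", mismatched_links(OUTSOURCED_MSG))
    print("outsourced, with allow-list:",
          mismatched_links(OUTSOURCED_MSG, allowed_domains=("example-bank.test",)))
```

Run stand-alone, the script flags the phishing message, but also flags the legitimately outsourced statement notice, which is exactly the false positive the text warns of; only when the operator supplies the bank's site domain as an allowed destination for that sending service does the second message pass. Keeping that allow-list current for every outsourced sender is the maintenance burden such filters carry.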
Server certificates provide the basis for secure, encrypted communication between the user and the website. These certificates also provide a ‘certification path’ that shows both who issued the certificate and to whom it was issued, thereby assuring the user that they are truly accessing a website operated by the organisation they believe they are dealing with. However, many users do not have the level of technical knowledge necessary to take advantage of this. Therefore this solution, while technically available, is not practicable for widespread general use.
Other solutions, such as the use of digital certificates or card readers, require the user to install extra software or hardware on their computer. Therefore the user cannot access their account on any other computer unless they go through another cumbersome installation process.
A final group of solutions attempts to reduce the harm in losing a password. For example, the user may be provided with one-off or time-sensitive passwords. Hence the user has a list of passwords that are either valid only once or only for a particular time on a particular day, as is the case with the RSA SecurID® system, which relies upon the user having an electronic password generator that changes the password every sixty seconds. However, these solutions are still vulnerable to an emerging form of ‘man-in-the-middle’ phishing attack. Even if the password is time-sensitive or for once-only use, the phisher can still access the user's account if the user can be fooled into providing the time-sensitive or once-only password to the phisher, who then uses it immediately with the live site, often without the user being aware of the theft of their password. Also, when a list or time-sensitive password is used the user can no longer simply remember the password, so the physical record or password generation device the user has to keep is also open to abuse or theft, with associated replacement costs.
Another variation is to use a long password and ask only for a few characters from it. How effective this is depends upon how long the password is, and an effective scam might give a user an apparent login failure the first time around and so get them to provide two sets of ‘random’ letters, selected to ensure the phisher could obtain the maximum number of letters from the password. From this the password might even be guessed. The Entrust® IdentityGuard system provides the user with an alphanumeric grid from which only a few numbers or letters will be requested each time. This sort of system enhances security, but requires the distribution of cards without which the user cannot access their account, and which are open to abuse if they fall into the wrong hands. This form of system is also open to ‘man-in-the-middle’ attack if the user can be fooled into providing details to a fraudulent site.
The dramatic rise in these phishing Emails is causing users to question legitimate Emails, making it ever more difficult for e-based businesses to communicate with their online users. Apart from the financial costs due to theft incurred by a business when user accounts are compromised, there are the costs associated with the bad publicity and fear of fraud among users. There is also considerable expense to the business in fraud detection, prevention and pursuit.