New Anti-Phishing Law Lacks Global Weight
Security experts agree the anti-phishing legislation introduced last month is a good first step. But they also agree there are bigger ''phish'' to fry in the war against online fraud.
The Anti-Phishing Act of 2005, put forth by Sen. Patrick Leahy (D-Vt.), calls for the criminalization of two essential parts of phishing attacks: The creation and procurement of Web sites with the intent to gather information from victims to be used for fraud or identity theft; and the creation or procurement of e-mail that represents itself as a legitimate business with similar intent.
''The digital age has fostered new types of cyberscams like phishing, costing consumers and businesses billions of dollars a year and undermining confidence in the Internet,'' Leahy says. ''When people cannot trust that Web sites are what they appear to be, they will not use the Internet for their secure transactions.''
It's the threat of consumers turning away from online transactions that has the business and security communities worried. And while they applaud Leahy for his efforts to help law enforcement catch and prosecute phishers before they commit serious crimes, they warn that the act only covers attacks within the U.S.
Cassidy says conventional phishing is steadily rising, both in the volume of e-mails sent and in the number of servers enlisted in scam campaigns. In fact, according to a January report from the APWG, 80 percent of phishing attacks target the financial services sector. Cassidy says banks are getting much better and quicker at stopping the attacks, using monitoring and detection tools as well as browser-based heuristics.
However, he adds that phishers also are getting better at creating new tactics. ''There's an escalating confrontation between phishing and counter-phishing movements.''
In fact, security experts are seeing an influx of new phishing techniques that bypass e-mail altogether.
''We're seeing a migration of phishing toward malware,'' says John Ball, senior product manager at WholeSecurity, Inc., an Austin, Texas-based developer of anti-phishing tools. ''Trojan horses are being downloaded to machines when you click on a URL.'' That malware is then used to collect keystrokes, gathering usernames, passwords and account numbers that the victim enters into legitimate Web sites.
Stopping these types of attacks, which are sometimes referred to as technical subterfuge, is difficult, Ball says. ''People want to click on URLs. They're curious. And phishers rely on social engineering.''
The real harm in all of this, in addition to the financial losses caused by identity theft, is the damage done to corporations' brand and valuation.
''Financial institutions have made infrastructure changes that they can't go back from,'' says Craig Spiezle, director of history and external relations at Microsoft in Redmond, Wash. Banks rely on online transactions, stock trades are confirmed electronically and 401(k) statements are sent over the Internet, he notes.
''They've moved to the electronic age and phishing risks undermine this,'' he says. If consumers lose confidence in doing business online, companies have no means to reinstate their ''live'' infrastructure. ''No one wants to wait for this to go out of control. That's why they're spending so many resources to work on the problem.''
One such effort was announced in December. Digital PhishNet is a coalition of companies and federal agencies -- Microsoft, America Online, Inc., VeriSign, Inc., EarthLink, Inc., the FBI, the FTC and the U.S. Secret Service. The group's goal is to provide a single avenue for communication between industry and law enforcement to help catch phishers in a timely fashion.
Spiezle says the group already has seen success by stopping a fraudulent e-mail regarding the tsunami relief effort. With the help of Digital PhishNet, ''we were able to catch the person within 28 hours,'' he says.
Industry analysts say coalitions and legislation tackle one part of the problem. But user education is a far greater challenge.
''We have to teach people to behave in ways that are defensive,'' says Mark Gibbs, president of Gibbs & Co., a California-based Internet consultancy.
Gibbs says companies doing business online, such as banks, should have a better strategy for authenticating their communications with customers. He argues that the industry should have a universal online agreement that users can be trained to understand ''in much the same way children learn not to go with strangers.'' The strategy would have to include simple rules, such as letting users know that no legitimate e-mail would include a link for users to click on.
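The simple rule Gibbs proposes (a legitimate e-mail never asks you to click a link) and the ''browser-based heuristics'' Cassidy mentions can both be expressed as mechanical checks on a message. The following Python is an added example written for this page; it is not code from any company or person quoted in the article. It flags any clickable link, link text that looks like one address but points to another, links to raw IP addresses, and links whose domain differs from the sender's. The sample messages, the sender address and the two-label approximation of a ''registrable domain'' are all assumptions made for the example (a real filter would use a public-suffix list).

```python
"""Heuristic checks on links in an HTML e-mail.

Added example for this page, not code from the article's sources.
Sample messages, sender addresses and domains below are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that "looks like" a web address, e.g. www.examplebank.com
_URLISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lower-cased host of a URL, or of a bare 'www.example.com' string."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text          # let urlparse see a scheme
    return (urlparse(text).hostname or "").lower()


def _registrable(host):
    """Assumption for this example: the registrable domain is the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_email(sender, html_body):
    """Return a list of findings for an HTML e-mail that claims to be from `sender`."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    sender_domain = _registrable(sender.split("@")[-1].lower())
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        # Rule 1 (the Gibbs rule): any clickable link is suspect.
        findings.append(f"link present: {href}")
        # Rule 2: visible text looks like an address but the link goes elsewhere.
        if _URLISH.fullmatch(text) and _registrable(_host(text)) != _registrable(href_host):
            findings.append(f"deceptive anchor: shows {text!r} but goes to {href_host}")
        # Rule 3: link to a raw IP address rather than a named host.
        try:
            ipaddress.ip_address(href_host)
            findings.append(f"raw IP address in link: {href_host}")
        except ValueError:
            pass
        # Rule 4: link domain does not match the sender's domain.
        if href_host and _registrable(href_host) != sender_domain:
            findings.append(f"link domain {href_host} does not match sender domain {sender_domain}")
    return findings


# Constructed sample messages (not real mail; 192.0.2.0/24 is a documentation range).
PHISH_SAMPLE = (
    '<p>Your account is locked. Please <a href="http://192.0.2.10/login">verify</a> '
    'at <a href="http://examplebank.com.example.net/">www.examplebank.com</a></p>'
)
LEGIT_SAMPLE = "<p>To log in, type our address into your browser yourself.</p>"


def demo():
    """Run the checks on both samples and return the findings for each."""
    return {
        "phish": check_email("alerts@examplebank.com", PHISH_SAMPLE),
        "legit": check_email("alerts@examplebank.com", LEGIT_SAMPLE),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

Run stand-alone, the phishing sample produces six findings (both links flagged as present, a deceptive anchor, a raw IP address and two sender-domain mismatches) while the link-free message produces none, which is exactly the behaviour Gibbs' rule asks users to internalise. Rules 2 to 4 go beyond the article's single rule; they are the kind of mechanical heuristic a mail gateway or browser toolbar applies, and each would need tuning against legitimate mail before use.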
WholeSecurity's Ball agrees that consumer awareness is key.
''The government should be educating consumers on this type of threat,'' he says. ''There will always be people who fall for phishing attacks, but you can reduce the impact.''