Author: Veronica Mun
The history of phishing is a long and successful one. Phishers took advantage of internet users at a time when email and the internet were still new and exciting and the notion of security was all but nonexistent. As naive users opened emails from "their bank" asking them to verify, validate, or confirm account information, they never stopped to think that the messages were fraudulent. More recently, phishing has also moved to the telephone: an automated call directs the customer to provide account information over the phone. This is known as "vishing".
Many of these incidents have undoubtedly occurred because customers did not know better. That explanation only goes so far, however. Security Focus reports that the Anti-Phishing Working Group counted "23,670 total phishing websites [were] used to commit identity theft, fraud and other malicious activity in July 2006" alone. When are businesses going to take some responsibility for that number and recognize that they, too, have a part to play in protecting consumers from phishing fraud?
As an internet user, what I hear constantly is to be wary of fraudulent emails. "Your bank will never ask you for your account information over email." Sound familiar? On our own, all we can do is refuse to give our information away. But in an age where everything has gone digital, it is inconvenient and difficult to opt out of the technologies meant to make our lives easier. It makes little sense to offer a feature like online banking and then expect customers not to use it because it is not adequately protected.
An IRM study reported by ZDNet examined 18 banks and their security measures for online banking and related procedures. All of the banks "failed to provide customers with supplementary authentication tools beyond usernames and passwords. It said 13 of those banks were susceptible to long-term hacking attacks through the use of password-stealing programs and identity theft scams". The response of the Association for Payment Clearing Services (APACS) was defensive: it claimed the study was inaccurate and skewed.
The results show not only how many companies fail to implement the security measures needed to safeguard customers, but also APACS's apparent lack of interest in protecting those customers. This matters because banking and financial services are the prime targets for phishers to impersonate. These companies, above all, should take the time to set clear security expectations and make secure processes the norm. If the problem is not taken seriously, the brand will deteriorate through the company's own inaction, a surefire way to lose revenue.
If a company relies on a line at the bottom of an email saying "This is a legitimate email from CitiBank" to gain customer trust, nothing stops a phisher from putting the same line at the bottom of their own emails. Safer practices are needed so that customers can actually identify the company's email as legitimate. That means adopting standards for signing and encrypting outbound email, and then teaching customers what a properly signed message looks like and how to check it.
If signing and encryption were applied to every message carrying customer information, a customer would have a way to tell a legitimate email from a forged one, and would not have to worry about others reading personal information while it travels from one inbox to another. The bank or financial firm, in turn, could be confident that it is doing its utmost to protect client data. Only when these processes are in place can email be used to its full potential without fear of interception. Direct measures like these earn a company respect and customer loyalty.
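To make the preceding two paragraphs concrete, here is an added example (not code from the original article or from the author's company) of why a footer is worthless and a signature is not. It signs the sender, recipient, subject and body of a message, then shows that a phisher's copy of the footer fails verification and that a signed message altered in transit fails too. It assumes an HMAC key held only by the bank, purely to keep the code stdlib-only; a real deployment would use a public-key signature (S/MIME, PGP, or a DKIM-style scheme) so that customers and receiving mail servers can verify without holding any secret. The header name `X-Example-Signature`, the key, and the addresses are all constructed for the example.

```python
import hashlib
import hmac
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption: a secret known only to the bank's outbound mail server.  Stand-in
# for the private key of a public-key signature scheme such as S/MIME or DKIM.
BANK_KEY = b"example-bank-outbound-signing-key"

# The footer the article warns about: plain text that anyone can paste.
FOOTER = "This is a legitimate email from CitiBank"

# Hypothetical header name carrying the signature; real schemes use their own.
SIG_HEADER = "X-Example-Signature"


def build_message(sender, recipient, subject, body):
    """Assemble a plain-text message (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _signed_input(msg):
    """Canonicalize the fields the signature covers.

    Header whitespace is collapsed and body line endings normalized so that
    harmless re-folding in transit does not break verification, while any
    change to sender, recipient, subject or body does.
    """
    parts = []
    for name in ("from", "to", "subject"):
        value = " ".join((msg.get(name) or "").split())
        parts.append(f"{name}:{value}")
    body = msg.get_content().replace("\r\n", "\n").rstrip("\n")
    parts.append(body)
    return "\n".join(parts).encode("utf-8")


def sign(msg, key):
    """Attach a signature over the canonicalized headers and body."""
    if SIG_HEADER in msg:
        del msg[SIG_HEADER]
    msg[SIG_HEADER] = hmac.new(key, _signed_input(msg), hashlib.sha256).hexdigest()
    return msg


def verify(msg, key):
    """True only if a signature is present and matches the current content."""
    tag = msg.get(SIG_HEADER)
    if tag is None:
        return False
    expected = hmac.new(key, _signed_input(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.strip(), expected)


def deliver(msg):
    """Serialize and re-parse, as a message is after passing through SMTP."""
    return message_from_string(msg.as_string(), policy=policy.default)


def genuine_message():
    msg = build_message("alerts@bank.example", "customer@example.net",
                        "Your statement is ready",
                        "Your monthly statement is now available.\n\n" + FOOTER)
    return deliver(sign(msg, BANK_KEY))


def phishing_message():
    """The phisher copies the footer word for word but has no signing key."""
    msg = build_message("alerts@bank.example", "customer@example.net",
                        "Action required: confirm your account",
                        "Reply with your account number and password to keep "
                        "your access.\n\n" + FOOTER)
    return deliver(msg)


def tampered_message():
    """A genuine, signed message altered in transit no longer verifies."""
    msg = genuine_message()
    msg.replace_header("Subject", "Action required: confirm your account")
    return msg


if __name__ == "__main__":
    print("genuine verifies:", verify(genuine_message(), BANK_KEY))    # True
    print("phishing verifies:", verify(phishing_message(), BANK_KEY))  # False
    print("tampered verifies:", verify(tampered_message(), BANK_KEY))  # False
```

The phishing message carries the exact footer and a spoofed From address and still fails, because the one thing the phisher cannot copy is the key. Note that a signature only proves origin and integrity; it does not hide the content, which is what the encryption half of the recommendation is for.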
Unfortunately, many companies still believe that putting up a firewall and installing anti-spyware software completes their security program. That is only the beginning. Different forms of data encryption (in transit and at rest) and more than one form of user authentication must also be put in place. This not only blocks external attacks but also mitigates internal threats that may exist within the company. And even after all of that, employees must be firm and consistent in enforcing the new security baseline.
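The "supplementary authentication tools beyond usernames and passwords" that the IRM study found missing, and the "more than one form of user authentication" called for above, usually mean a one-time code from a token or phone app. The following is an added example (not from the article or the author's company) of the standard time-based one-time password scheme, TOTP (RFC 6238) built on HOTP (RFC 4226), with a login check that requires both the password and the code. The user record, password and seed are constructed for the example; the seed `12345678901234567890` is the RFC's own test secret, so the codes it produces can be checked against the published vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algorithm=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Accept the current code or one step either side, to tolerate clock drift.

    Every candidate is compared in constant time and all candidates are
    checked, so timing does not reveal which step matched.
    """
    if not (isinstance(submitted, str) and submitted.isdigit()
            and len(submitted) == digits):
        return False
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


# Constructed user record: the password a phisher might capture, plus the
# TOTP seed that is shared only between the bank and the customer's token.
USER = {"password": "correct horse", "totp_secret": b"12345678901234567890"}


def login(password, code, now):
    """Both factors must pass; a stolen password alone is not enough."""
    if not hmac.compare_digest(password.encode(), USER["password"].encode()):
        return False
    return verify_totp(USER["totp_secret"], code, now)


if __name__ == "__main__":
    now = 1_000_000
    code = totp(USER["totp_secret"], now)
    print("password + fresh code:", login("correct horse", code, now))     # True
    print("password only:", login("correct horse", "000000", now))         # False
    print("code replayed 2 min later:", login("correct horse", code, now + 120))  # False
```

The caveat a practitioner will want: a one-time code defeats the password-stealing programs the study describes, and a code captured by a phishing site is useless a couple of minutes later, but a phishing site that relays the password and code to the real bank in real time still gets in. Phishing-resistant factors bind the login to the genuine site; a six-digit code on its own does not.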
In the end, the phishing and vishing business will keep expanding for as long as it remains profitable. Even if this particular threat fades, another will take its place. The security holes will not close by themselves, and the longer companies wait, the further behind they will fall. Don't be left in the dust.
About the Author:
Veronica Mun graduated from the University of Washington where she majored in Communication and Psychology. She is currently a member of the marketing team at Essential Security Software, an emerging email anti-theft software company based in Bellevue, WA.