Phishy e-mails and Web sites: What's your responsibility?

Welcome to Computerworld.com's new monthly column on IT ethics by Larry Ponemon.
The Ponemon Institute in Tucson, Ariz., conducts independent research and education designed to advance ethical information and privacy management practices in government and business. To learn more about your interests and perceptions about these issues, we plan to ask a few questions at the end of each monthly column. We hope you will take a few minutes to respond (editor's note: The survey is now closed). If you have any questions, please e-mail us at research@ponemon.org.

-----

Tom was an avid collector of antique train sets. One morning while scanning his e-mail, he noticed one from an online auction site from which he purchased a good part of his collection.
The e-mail had the familiar logos and graphics Tom was accustomed to seeing with a tempting message that he could purchase a 1938 Lionel caboose for less than $50. The message was irresistible. Tom provided his credit card number and shipping address. The site also asked for his Social Security number. Not thinking twice, Tom entered the nine digits. The next day, on his way to the grocery store, Tom stopped at his bank's ATM. To his horror, his balance was zero. He also found that his savings account was wiped out. A "phisherman" had hooked another victim.

The typical phishing experience starts with the receipt of a fake e-mail. The e-mail sender and subject line claim to be from a legitimate, trusted source such as an online auctioneer, bank, mortgage broker, credit card company or Web retailer.
A common message is a "customer service request" asking recipients to click through to a Web site, supposedly to resolve a glitch or problem within their account, perhaps to reset a password or personal identification number. As in the case above, it can also be an offer to purchase a product or service.
Because the fake e-mail usually goes out as a blast to millions of randomly selected e-mail addresses, most recipients have no existing business relationship with the purported sender and don't respond. The goal for the criminal is to cast the net as wide as possible, luring in the few susceptible people who believe this is a legitimate request for information.
While the mere act of reading the e-mail advertisement or Web site can unleash a persistent cookie or Web beacon onto the user's computer system, the more serious security problem arises when the individual visits the spoofed Web site. The best spoofers do an excellent job of re-creating the real corporate Web site, making it almost impossible to detect the imposter. Once someone is on the site, more insidious technologies, such as spyware and Trojan horse programs, can be sent to the visitor's system. These technologies are used to tag someone as a gullible victim for a future scam.
More serious problems arise if users enter sensitive personal information onto the Web site page. Requested information often includes date of birth, Social Security number, credit card numbers, bank accounts, passwords and so forth.
Consumers aren't the only ones threatened by phishing and spoofing. Web retailers, banks and other online businesses risk losing customers' confidence, loyalty and valued relationships if they don't respond appropriately and quickly to customers who have been victimized.
Ponemon Institute just completed a study of one spoofing and phishing event that occurred in early May 2004 that victimized over 1 million customers of a major retail bank. We surveyed a random sample of 411 bank customers -- all of whom received the fake e-mail about an account security glitch. All of the selected customers claimed to have clicked to the spoofed Web site. In addition, all of the individuals contacted the bank's toll-free customer service help line for guidance or support. The following are the most salient findings:
Of the 411 customers, only 65 (16%) provided personal information on the spoofed Web site, which included their account numbers and confidential access codes for automated teller machines and check cashing. Of the 65 duped customers, only five experienced an unauthorized account penetration, and only one had a confirmed case of identity theft. The total estimated loss for this group of known victims was just under $50,000.
In total, 310 individuals felt that the bank didn't provide adequate guidance to them. Most of these people felt that the bank's customer service representatives weren't prepared to respond to the problem. Some of the bank employees suggested that this wasn't the bank's problem because it couldn't control spoofing. Of this group of dissatisfied bank customers, 243 (78%) decided to terminate their banking relationship as a result of their experience.
The remaining 101 bank customers felt that the bank did an adequate job in guiding them through the spoofing and phishing event. Only one person (1%) in this group suggested that he would terminate the banking relationship as a result of being spoofed.


Stop the Blame Game
In the case of Tom the train collector, who should be blamed? Is it the online auctioneer that was unaware of the fraudulent e-mail spam? Is it Tom? After all, shouldn't he know better than to provide his Social Security number?
Because the stakes are high for both consumers and businesses, we believe everyone should share the responsibility of cutting the phishing line. We recommend that organizations take the following actions:

  • Use enabling technologies to search or crawl the Internet and identify illegal domains and Web sites that contain your corporate logos or intellectual property. Many major brands have been targeted by cybercriminals. Unless you authenticate all the Web sites and domains that feature your brand, your customers are at risk.

  • Educate your customers about the dangers of phishing, spoofing and faked e-mails. Inform them that you are taking steps to address the problem. For example, eBay Inc. alerts customers on its Web site to spoofing messages. Consumers can also check with the online auction marketplace about any suspicious e-mails they receive under the guise of being from eBay.

  • Make sure your employees -- especially those in customer service -- understand the seriousness of the problem and can respond when customers contact your organization for help in resolving a phishing or spoofing attack.

  • Learn more about new technologies that will allow e-mail messages to be registered with a trusted identity and prevent counterfeit Web sites. The concept is similar to the watermarks created by the U.S. Mint to prevent the printing of counterfeit money. Also, Microsoft Corp. has announced its Sender ID technology to validate the server IP address of the sender to assure an e-mail recipient that a message claiming to be from a company or financial institution actually is.

  • Pretend you are a customer interested in more information about your company. Use a search engine such as Google to find what Web sites appear under your brand name or an approximation of your brand name. Sophisticated spoofers will create fraudulent Web sites that are very close to your name. For one well-known example, WhiteHouse.gov is the official site of the U.S. president. But whitehouse.com takes you to a pornography Web site and unleashes a cookie.
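The sender-validation idea in the Sender ID bullet above is easiest to see in code. The following is an added example, not code from the column or from Microsoft: it evaluates a simplified SPF-style record (the mechanism Sender ID builds on) for the envelope sender's domain, supporting only the ip4, include and all terms. The domains, IP addresses and TXT records are constructed for the example; a real receiving mail server would query DNS instead of the in-memory table.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: these domains and
# records are made up for the example; a real check queries DNS).
TXT_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 include:mail.example -all",
    "mail.example": "v=spf1 ip4:203.0.113.0/26 -all",
    "retailer.example": "v=spf1 ip4:192.0.2.10 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's v=spf1 record, or None if it publishes none."""
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's record.

    Supports ip4 (with optional CIDR), include and all, which is enough to
    show the idea; the result is pass, fail, softfail, neutral or none.
    """
    if depth > 10:  # guard against include loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism == "ip4":
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIER[qualifier]
        elif mechanism == "include":
            if check_spf(argument, sender_ip, depth + 1) == "pass":
                return QUALIFIER[qualifier]
        # Other mechanisms are skipped in this simplified evaluator.
    return "neutral"


def sender_domain(mail_from):
    """Domain part of the envelope sender (MAIL FROM) address."""
    return mail_from.rsplit("@", 1)[-1].strip("<>").lower()


def evaluate_message(mail_from, connecting_ip):
    """Result a receiving mail server would record for the connection."""
    return check_spf(sender_domain(mail_from), connecting_ip)


if __name__ == "__main__":
    for addr, ip in [("alerts@bank.example", "192.0.2.44"),
                     ("alerts@bank.example", "198.51.100.200")]:
        print(addr, ip, evaluate_message(addr, ip))
```

The point for a bank or retailer is the last line of each record: with "-all" a message from an unlisted server fails outright, while "~all" only softfails it and leaves the recipient's mail system to decide. Publishing a record is what lets a customer's mail provider tell a counterfeit "account glitch" notice from a real one.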
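The first and last bullets above both come down to the same task: take hostnames gathered from a crawl or a search on your brand and decide which ones deserve review. The following is an added example, not code from the column: it scores each hostname against a brand label, folding common digit-for-letter substitutions and measuring edit distance, and returns the ones worth a takedown or authentication check. The brand "examplebank" and the list of observed hostnames are constructed; the public-suffix handling assumes a one-label TLD.

```python
# Constructed list of hostnames, as if gathered from a search engine or crawl
# for the made-up brand "examplebank"; none of these are real findings.
OBSERVED_HOSTS = [
    "www.examplebank.com",
    "examplebank.net",
    "exampleb4nk.com",
    "examplebnak.com",
    "examplebank-secure-login.com",
    "computerworld.com",
]

# Digits that read as letters in many fonts (partial list, an assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(label):
    """Fold common lookalike characters back to the letters they imitate."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling single row."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def split_host(hostname):
    """(brand-bearing label, TLD); assumes a one-label public suffix."""
    parts = hostname.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(hostname, brand, brand_tld, max_distance=2):
    """Why this hostname resembles the brand, or 'official'/'unrelated'."""
    label, tld = split_host(hostname)
    brand = brand.lower()
    if label == brand:
        return "official" if tld == brand_tld else "same-name-other-tld"
    folded = normalise(label)
    distance = edit_distance(folded, normalise(brand))
    if distance == 0:
        return "homoglyph"      # differs only in lookalike characters
    if distance <= max_distance:
        return "near-miss"      # typo-distance from the brand
    if brand in folded:
        return "brand-embedded" # brand name inside a longer label
    return "unrelated"


def flag_lookalikes(hosts, brand, brand_tld):
    """Hosts that merit a takedown or authentication review, with the reason."""
    flagged = []
    for host in hosts:
        verdict = classify(host, brand, brand_tld)
        if verdict not in ("official", "unrelated"):
            flagged.append((host, verdict))
    return flagged


if __name__ == "__main__":
    for host, reason in flag_lookalikes(OBSERVED_HOSTS, "examplebank", "com"):
        print(f"{host:32} {reason}")
```

The "same-name-other-tld" verdict is exactly the WhiteHouse.gov versus whitehouse.com case in the bullet above. The thresholds and the homoglyph table are deliberately small; in practice the crawl results would also be checked against the list of domains the company actually registered, so that a "near-miss" owned by the company is not mistaken for a spoofer.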


In turn, when you're home as an online consumer instead of at work as an IT professional, you shouldn't be complacent. If you receive a suspicious e-mail from an organization you do business with, take the time to contact the organization and notify its customer service department about your concerns.
Counterfeit or fraudulent e-mails and Web sites are a growing and serious problem for everyone who uses the Internet. By luring unsuspecting Internet users to provide sensitive or confidential information, cybercriminals and terrorists have greatly enhanced their ability to steal identities and threaten people's assets. The best defense is for everyone to become proactive in stopping the phisherman's hook.


Dr. Larry Ponemon is founder and chairman of Ponemon Institute, a think tank dedicated to ethical information management practices and research. He is also an adjunct professor of ethics and privacy at Carnegie Mellon University's CIO Institute and is a CyLab faculty member. Ponemon can be reached at larry@ponemon.org.

Copyright © 2004 IDG Communications, Inc.
