Read also: New Multi-Group Attack against Phishing, ID Theft Scams
Last week the National Consumers League released “A Call for Action: Report from the National Consumers League Anti-Phishing Retreat.” I was the “reporter” for the project — the lead writer. This column highlights some of the promising new approaches that we discuss in the Report.
You have almost certainly received a “phishing” email, likely from a bank or online retailer. (Special for tax season — phony emails that say they are from the IRS.) It usually says something like: “Emergency Account Notice: You Must Respond.” If you open the email, it typically says that your account will be cancelled (or something else terrible will happen to you). To avoid the problem, you must go to a web site and enter your name, account number, password, Social Security number, etc=, in order to “verify” and “reactivate” your account. Don’t do it! The web site is gathering your personal information in order to resell it, likely to an identity theft ring.
The Report has graphics of the “Internet Fraud Battlefield” that shows the variety of phishing attacks that have spread rapidly in the last 18 months. A first threat from phishing is fraud — consumers have their accounts hijacked or their identities stolen. Perhaps an even bigger threat is that consumers don’t know when to trust their email. That’s a big threat to online commerce — will you trust an email that says it is from your bank? It’s even a threat to the usefulness of the Internet, and polls show substantial numbers of consumers reducing their participation in online purchases and other activities.
The Report draws on a retreat last fall that had all sorts of stakeholders meet for three days to hash out better solutions to the phishing problem. Some of the solutions are familiar but worth re-emphasizing, including funds for consumer education and the need to make systems “secure by design,” with defaults that protect consumers.
I want to highlight, though, three ideas that haven’t really been used to date.
1. Use false information to hook the phishers. The goal for the phishers is to get your personal information and then use it to hijack your account or steal your identity. Here’s a strategy for the good guys — feed the phishers false account information. Then, when the phishers try to use that information, the false account information is evidence that they are criminals.
2. Create an Anti-Phishing Task Force that disrupts the “life cycle of the phisher.” The report highlights the moments of maximum risk for the criminals themselves, such as when they try to recruit confederates, turn the personal information into cash, or launder the proceeds. Phishing is a national and international problem on the Internet. I believe the Federal Trade Commission and the Justice Department should work with the private sector to create an Anti-Phishing Task Force that uses undercover agents, false account information, and other tools to catch the criminals.
3. Use a “phishing recall” approach to protect consumers. At the retreat, we learned that the average email sits in a consumer’s in box for 12 hours before it is read. This 12 hours is a window of opportunity. The idea is that phishing web sites can be spotted once they appear on the Internet. For the emails that send people to those sites, “recall” the emails from the in box (or place a warning on them). That way, consumers won’t even have to see the phishing emails once the techies have identified a phishing site.
The Report contains other proposals for addressing the fast-growing problem of phishing. Working groups are now being formed by the National Consumers League to move ahead. Step one is for consumers to learn more about the problem of phishing and to be careful about turning over passwords and account information. Step two is to get to work on the Report’s recommendations.
Read also: New Multi-Group Attack against Phishing, ID Theft Scams