Phishing: The Fastest Growing Form of Identity Theft

Unauthorized access to financial accounts through phishing is the fastest growing form of identity theft. The U.S. Federal Deposit Insurance Corporation (FDIC) recently produced a study finding that, during 2003, almost ten million Americans were the victims of identity theft, with a total cost to businesses and consumers approaching $50 billion. Identity theft is of particular concern to financial institutions and to their customers. The FDIC estimates almost 2 million U.S. internet users encountered some form of phishing during 2004. Of those, 70 percent do their banking or pay their bills online and over half believed they received a phishing e-mail. As a result, consumers are becoming uneasy about using the internet to conduct financial transactions and experts believe that phishing is slowing the growth of online banking and e-commerce worldwide.

Phishing: How is it Perpetrated?

Phishing is easy to implement and financial service companies are the most frequent targets of phishing attacks. In phishing, consumers are deceived, normally via deceptive e-mails, instant messages, DNS poisoning (pharming), text messaging, and other communication methods, into visiting counterfeit (phishing) webpages where they are tricked into providing fraudsters with their user names, passwords, and other confidential information.

While e-mail is no longer the sole method of launching a phishing attack, the classic phishing attack involves a deceptive e-mail that purports to be from a legitimate financial institution. The e-mail typically tells the customer that there is some sort of problem with the customer’s account and usually includes a hyperlink to a phishing webpage that looks exactly like the webpage of a legitimate financial institution with which the consumer does business. The e-mail instructs the recipient to click on the included hyperlink, go to the financial institution webpage, and log in to their account in order to “fix” the problem. In other attacks, consumers are directed to a phishing webpage in the hopes of receiving some form of reward. In reality, the phishing webpage is simply collecting customer user names and passwords in order to hijack accounts. The following is an example of an actual phishing e-mail:

Once the customer has entered their user name and password into the phishing webpage, they are typically re-directed to the actual financial institution webpage with instructions to try again. Since their login succeeds on the actual webpage, they are completely unaware that they have just provided a phisher with complete access to their financial account. Usually, the first indication they have that there is a problem is when they discover, too late, that their account is empty. By that time, the phisher has already transferred their funds into another financial account, emptied and closed that other account, and then disappeared.

Phishing: What Has Been Tried to Stop it?

Until recently, there have been few solutions to combat phishing. Internet Service Providers (ISPs) have experimented unsuccessfully with various forms of "filtering" or "blocking" software or hardware to try and shut down phishing webpages before their customers were affected. Unfortunately, most experts agree that such "filtering" approaches are fundamentally flawed for many reasons, including:

- The number of phishing webpages is increasing faster than they can be identified and shut down by the ISPs. The Anti-Phishing Working Group (APWG) reported 2625 new phishing web-pages spawned in February 2005 alone. The majority go undetected and unreported.
- Filtering or blocking a phishing webpage from reaching consumers can only occur after the phishing webpage has been detected by, or reported to, the ISP. By that time, however, the phishing attack has typically already been launched. Such “post-attack” remedies are akin to “closing the barn door after the cow has already escaped”.
- Many Internet Service Providers resist imposing filtering software on their systems.
- Many Internet Service Providers are located in foreign countries where it is difficult to coordinate or enforce filtering efforts.
- Some Internet Service Providers actually encourage the propagation of phishing webpages since it results in increased local hosting revenues.

Companies such as Microsoft and Symantec have spent enormous sums of money attempting to develop software-based solutions such as "Sender ID", browser "toolbar" controls, and other forms of digital signature recognition software. These software-based approaches are flawed for many reasons, including:

- They depend on consumers being willing and able to install software, proprietary browsers, or other controls onto their local computer systems. Consumers have been resistant to such efforts.
- The various software tools are incompatible with each other, with one tool blocking websites that have registered with a competitor. This results in erroneous and selective blocking by the different software solutions because of a website being perceived as being “unsigned” when it has, in fact, simply registered with a competitor or chosen not to participate at all.
- Given the diversity of operating systems, browsers, and software drivers around the world, no single software system will be installable and usable by 100% of the internet audience.
- For each new phishing webpage that is identified, the database of known phishing websites must also be updated. Experts agree this is a hopeless task since the number of phishing webpages is growing faster than they can be shut down. Also, by the time a phishing website is identified and reported, it is too late since the attack has already been launched.
- The vast majority of websites are maintained by small businesses or individuals, many of whom elect not to register their website with the ID Authority for personal or financial reasons. As a result, consumers who subscribe to such software systems are unable to reach a large number of otherwise valid websites.
- Such solutions are not voluntary. Requiring a business owner to register their website with the ID Authority in order to reach their intended consumers, while simultaneously preventing consumers from accessing websites that do not subscribe with the ID Authority, flies in the face of growing demands for GREATER access to the internet by businesses and consumers, not less.

Virtually all anti-phishing efforts to date have focused on one of the above failed approaches. There has been little effort made towards developing an anti-phishing solution that individual business owners can implement themselves, without the assistance of an ISP or software company, and without requiring customers and business owners to give up yet more privacy. As a result, phishing has continued to grow.

In desperation, and without any workable solution, business owners have resorted to simply placing printed warnings on their webpages, urging their customers to check the URL address of any company webpage. These printed warnings represent the most common approach business owners have taken to try and protect their customers from phishing.

Phishing: What is the Solution?

PhishCops® is the first solution in the world that actually solves the problem of phishing through true authentication techniques. It is an authoritative, easy-to-implement solution that is invulnerable to hacking, fraud, or abuse. It does not impose software or hardware requirements on business owners or consumers and actually promotes greater privacy for both the business owner and their customers. It is also easy to implement and use. For business owners, implementation involves little more than "copying-and-pasting" traditional html/server-side scripts onto their webpage. In short, the PhishCops® Webpage Authentication Process succeeds because:

- It is a "two-factor" authentication solution that ALSO authenticates the webpage as recommended by the FDIC and the FFIEC.
- It uses mathematical algorithms approved by the U.S. Department of Commerce, whose results cannot be replicated by phishers.
- It does not require any hardware or software to be installed. It requires only simple "copy-and-paste" actions by webmasters.
- It is a 100% internet-based solution, which means it can be used by 100% of the internet audience.
- It does not interfere with any existing webpage functionality or server processes.
- It actually promotes business owner and consumer privacy.