The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organization provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem. According to the APWG, the average phishing operation nets a 5% return on email spoofs. The percentage is alarming considering millions of addresses are included in a single phishing expedition. If a phisher gets 100 answers to his spoof and successfully scams each one for $100, it’s $100,000 easily made.
The demographic responding to phishing scams run the gamut from the overly trusting elderly to college professors too busy to think twice. As Dave Jevans, Chairman of the APWG explains, many instances of phishing victimization are the result of sheer coincidence. He uses the example of a consumer applying for credit with the local bank. The next day the consumer finds a spoofed email in his inbox and thinks it is related to his credit application. Acting dutifully, he provides his personal information.
While there is a great need for consumer education, the responsibility for preserving consumer trust falls to the corporations themselves. There are things that companies can do today to greatly minimize the effect of phishing, spoofs and spam.
“The APWG is seeing a huge increase in the sophistication of tricks being used to fool users into thinking that they’re going to a valid website. We’ve been seeing a lot of advanced Java scripts that effectively hide the real location of the server. Basically everything you can do to test that you’re really on a valid website will not provide any indication that the site has been spoofed. It’s very difficult for people to detect. In the last six weeks, the APWG has seen two different technologies deployed that effectively create web bars in your browser. Over the last week we’ve also seen the use of secure websites with certificates, displaying the padlock and the look of a secure connection. Of course it’s a secure connection to a phishing site, so they’re upping the game quite a bit,” says Jevans.
What’s a company to do?
“I think a very important step that many companies don’t take, is to educate your customers through warnings posted on your corporate website; detailing the things that you will never ask of your customers, updating them on scams, things of that nature. Companies that don’t take this very basic step are essentially ignoring the problem. “
“Another critical step companies can take is to monitor the registration of what we call ‘cousin domain names’ which are essentially similar to your company’s domain name. A rather famous cousin domain name that appeared recently was visa-security.com. That email was used to launch a phishing attack spoofing Visa and asking people to update their credit card information. Another recent example would be paypalr.com, which was used to obtain Paypal information,” Jevans explains.