Executive Conversation: Attacking the Phishing Threat - What Every Company Needs to Know
by Melisa LaBancz-Bleasdale - Monday, 9 August 2004.
By now just about every person with an email inbox has been exposed to a phishing scam. Spoofs are showing up with alarming frequency and to make matters worse, criminals have upped the ante with increasingly sophisticated coding and graphics. Gone are the childishly misspelled emails from the High Prince of the Sudan. Advanced techniques leveraging secure phishing servers and high-quality reproductions have contributed to a lucrative criminal enterprise.

The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organization provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem. According to the APWG, the average phishing operation nets a 5% return on email spoofs. The percentage is alarming considering millions of addresses are included in a single phishing expedition. If a phisher gets 100 answers to his spoof and successfully scams each one for $100, it’s $100,000 easily made.

The demographic responding to phishing scams runs the gamut from the overly trusting elderly to college professors too busy to think twice. As Dave Jevans, Chairman of the APWG, explains, many instances of phishing victimization are the result of sheer coincidence. He uses the example of a consumer applying for credit with the local bank. The next day the consumer finds a spoofed email in his inbox and thinks it is related to his credit application. Acting dutifully, he provides his personal information.


While there is a great need for consumer education, the responsibility for preserving consumer trust falls to the corporations themselves. There are things that companies can do today to greatly minimize the effect of phishing, spoofs and spam.

“The APWG is seeing a huge increase in the sophistication of tricks being used to fool users into thinking that they’re going to a valid website. We’ve been seeing a lot of advanced Java scripts that effectively hide the real location of the server. Basically everything you can do to test that you’re really on a valid website will not provide any indication that the site has been spoofed. It’s very difficult for people to detect. In the last six weeks, the APWG has seen two different technologies deployed that effectively create web bars in your browser. Over the last week we’ve also seen the use of secure websites with certificates, displaying the padlock and the look of a secure connection. Of course it’s a secure connection to a phishing site, so they’re upping the game quite a bit,” says Jevans.

What’s a company to do?
