Impact of phishing on the reputation of brands

Cloudmark announced the results of a survey conducted on its behalf by YouGov, which revealed that public confidence in consumer brands is dramatically affected by phishing attacks, with 42% of people surveyed feeling that their trust in a brand would be greatly reduced if they received a phishing email claiming to be from that company. The survey also showed that the majority of consumers feel that the responsibility for protection against phishing attacks lies with themselves, their service provider and the service provider that transported the phishing emails.

Phishing attacks are email scams that attempt to defraud consumers of their personal information, such as bank account details or social security numbers, by pretending to have been sent by a trustworthy entity such as a bank or credit lender.

The survey revealed that:

  • 42% of respondents feel that their trust in a brand would be greatly reduced if they received a phishing email claiming to be sent by that brand
  • 41% of those surveyed felt that their trust in a bank would be greatly reduced if they received a phishing email claiming to be from that company, compared to 40% who felt the same for an ISP, 36% for an online shopping site and 33% for a social networking site
  • 26% of those surveyed feel that they are the party most responsible for protecting themselves from phishing attacks, with 23% believing their Internet Service Provider (ISP) or email service provider is the most responsible and 17% thinking that the sender’s ISP and email service provider hold the greatest responsibility.

In addition to the YouGov survey, Cloudmark’s own research team today released results showing that NatWest Bank was the most phished brand in the UK during October 2007. The research was collected using Cloudmark’s user base, which consists of 260 million mailboxes. Cloudmark’s research also indicates that across Europe, the majority of unique phishing websites are created using the top-level domain associated with the United Kingdom, .uk.

Not only are we seeing evidence of more .uk phishing URLs, but also a shift in phishing techniques. Vishing is a good example of this, where the scammers use cheap VoIP call centre systems as the back end to their phishing attacks, which changes the whole dynamic of trust. The example we’ve seen on our database was a message attack that appeared to be a notification from the recipient’s bank requesting they ring customer services to deal with a problem. If the recipient makes the call, it gets routed to a cheap VoIP answering system, which may have been set up on a compromised host. The system captures the user ID and PIN code to sell on to the highest bidder, who then has full access to your account. All the while the call seems very genuine. The reassurance of speaking to an individual rather than working online will lead to many instances of consumers falling foul of such threats.
