The Social Impact Of Phishing Scams

Published Date: 02 Nov 2017

Introduction

Phishing is one of the top cyber-crimes that impact consumers and businesses all around the world. It is the most common scams on the Internet. Phishing is known as the process in which someone attempts to obtain sensitive information such as usernames, passwords, social security number or financial information and personal information such as birthdates, name and addresses by masking themselves as a trustworthy or familiar entity. With social networking on the rise, people are sharing their personal information everywhere, and have no idea if a website is truly what it seems to be. Phishing scam is an important topic because it is no longer something that can only be done by hackers, but by anyone with internet access. A successful phishing attack can have disastrous consequences for the victims leading to financial losses and identity theft. In this report, it will be going to cover the use of Phishing Scams in the society and the potential impacts of the Phishing Scams in both current and future.

What is Phishing?

The act of tricking individuals into divulging their sensitive information and using it for malicious purposes is not new. Social engineering attacks have occurred on the internet throughout its existence. Before widespread use of the internet, criminals used the telephone to pose as a trusted agent to acquire information. The term "phishing" has origins in the mid-1990s, when it was used to describe the acquisition of internet service provider (ISP) account information. However, today the term has evolved to encompass a variety of attacks that target personal information.

The word "phishing" originally came from the analogy of early Internet criminals using email lures to "fish" for passwords and financial data from a large sea of unsuspecting Internet users. The use of the "ph" in this terminology has been forgotten about over time. It was most likely linked to hacker naming conventions such as "Phreaks".

This can be traced back to early hackers who were involved in "phreaking" – the hacking of telephone systems. The term was coined during 1996, by hackers who were stealing America Online (AOL) accounts. They were picking off passwords from AOL users. The first mention on the Internet of phishing was made in 2600 hacker newsgroup in January 1996, however the term may have been used even earlier in the popular hacker magazine called "2600".

Originally, phishing was identified as the use of electronic mail messages, designed to look like messages from a trusted agent, such as a bank, auction site, or online commerce site. These messages usually implore the user to take some form of action, such as validating their account information. These messages often use a sense of urgency (such as the threat of account suspension) to motivate the user to take action. Recently, there have been several new social engineering approaches to deceive unsuspecting users. These include the offer to fill out a survey for an online banking site with a monetary reward if the user includes account information, and email messages claiming to be from hotel reward clubs, asking users to verify credit card information that a customer may store on the legitimate site for reservation purposes. Included in the message is a URL for the victim to use, which then directs the user to a site to enter their personal information. This site is crafted to closely mimic the look and feel of the legitimate site. The information is then collected and used by the criminals. Over time, these fake emails and web sites have evolved to become more technically deceiving to casual investigation.

Recently the definition of phishing has grown to encompass a wider variety of electronic financial crimes. In addition to the widespread use of these fake email messages and web sites to lure users into divulging their personal information, we have also observed an increase in the amount of malicious code that specifically targets user account information. Once installed on a victim’s computer, these programs use a variety of techniques to spy on communications with web sites and collect account information. This method differs from the technical subterfuge generally associated with phishing scams and can be included within the definition of spyware as well.

The Use of Phishing

There are many different types of phishing scam techniques have been identified. Phishing technology is getting better and more advanced every day, user should have to basic knowledge about the different types of the phishing scams.

Email and Spam: The anglers might to the same e-mail to millions of users, asking them to fill in personal information. These details will be fishing for their illegal activities. Phishing with e-mail and spam is a very common scam. Most of the information has an urgent note, requires the user to enter the credentials to update your account information, change the details, and verify the account. Sometimes, they will be asked to fill out a form to access a new service through a link in the spam e-mail.

Web Based Delivery: Web-based delivery is one of the most sophisticated phishing techniques. Also known as the "man-in-the-middle", hacker lies between the original site and the phishing system. The phisher traces details of the transaction between legitimate websites and users. When the user continues to pass information, it is gathered by the fishermen, and the user doesn’t know.

-----------------------

Data Theft: Unsecured PCs often contain subsets of sensitive information stored elsewhere on secured servers. Certainly PCs are used to access such servers and can be more easily compromised. Data theft is a widely used approach to business espionage. By stealing confidential communications, design documents, legal opinions, and employee related records, etc., thieves profit from selling to those who may want to embarrass or cause economic damage or to competitors.

Instant Messaging: Instant messaging is the method in which the user receives a message with a link directing them to a fake phishing website which has the same look and feel as the legitimate website. If the user doesn’t look at the URL, it may be hard to tell the difference between the fake and legitimate websites. Then, the user is asked to provide personal information on the page.

Trojan Hosts: Trojan hosts are invisible hackers trying to log into your user account to collect credentials through the local machine. The acquired information is then transmitted to phishers.

Link Manipulation: Link manipulation is the technique in which the phisher sends a link to a website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. One of the anti-phishing techniques used to prevent link manipulation is to move the mouse over the link to view the actual address.

Key Loggers: Key loggers refer to the malware used to identify inputs from the keyboard. The information is sent to the hackers who will decipher passwords and other types of information. To prevent key loggers from accessing personal information, secure websites provide options to use mouse click to make entries through the virtual keyboard.

Session Hijacking: In session hacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.

System Reconfiguration Attacks: modify settings on a user's PC for malicious purposes. For example: URLs in a favorites file might be modified to direct users to look alike websites. For example, a shopping website URL may be changed from "shoponline.com" to "shopenline.com".

Content-Injection Phishing: describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. For example, hackers may insert malicious code to log user's credentials or an overlay which can secretly collect information and deliver it to the hacker's phishing server.

Phishing through Search Engines: Some phishing scams involve search engines where the user is directed to products sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites.

Phone Phishing: In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Phone phishing is mostly done with a fake caller ID.

Malware Phishing: Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files.

Impact on Businesses

600

Phishing represents one aspect of the increasingly complex and converging security threats facing businesses today. The methods used by spammers have become more sophisticated, and spam is now increasingly combined with malware and used as a tool for online fraud or theft.

The damage caused by phishing does not only apply to monetary property alone. The fragile bonds of trust that organizations build with their constituents are shattered in the process. As people loss faith in the reliability of electronic communication methods, companies loss their customer base. In the case disasters, people can spend billions in preparation, to analyze weaknesses and improve recovery time, only to have thrust shattered by phishing attacks. This in turn causes a significant loss in money, resources and time.

The most obvious harm caused to legitimate businesses and organizations is the monetary damage that phishing causes. In 2003 alone, it was estimated that phishing caused approximately $1.2 billion in direct financial loses to US Banks and credit card companies. Indirect losses to businesses are much higher because they include customer service expenses, account replacement costs, and higher expenses from online services due to a decrease in use caused by lack of trust in data security. This lack of trust towards online services provided by the organizations is understandable.

A stereotypical phishing e-mail contains some sort of statement from the phisher, claiming to be a legitimate business asking the user to update or confirm their information in the system. Currently, millions, if not billions of e-mails use this guise. Therefore, a regular person would most likely consider an e-mail matching the description above to be a phishing attack. The problem arises when businesses do not follow good e-mail practices and actually request the information through an e-mail or provide links for the customers to click on. These e-mails may confuse customers and cause them to either delete a legitimate e-mail or get into a bad habit that will make users more likely to respond to a phishing attack. Many corporations and banks alike still have not changed their policies to be less confusing for their customers. At the time of publication of [16], American Express had developed a reputation for sending confusing e-mails to customers.

Although consumers are the main targets of phishers, a phishing attack can damage the reputation and credibility of the affected business, putting brand equity at risk and leading to significant costs. Smaller businesses, meanwhile, may be more directly at risk of falling victim to email fraud, particularly where the corporate accounts are controlled by one or two people who may not have a great deal of technical knowledge. While this is less likely with larger organizations, it is clearly preferable for employees to be protected from fraud attempts arriving in their inboxes via the corporate network.

It is therefore important that businesses use an integrated, robust solution to defend their email gateway from spam such as phishing attacks and the many other varieties of email-borne security threat.

Impact on People and society

600

The impact of phishing is far more insidious than just an invasion of privacy. Phishing is used to compromise computer security through social engineering. It can be used to steal information, disrupt computer operations, steal money, ruin reputations, destroy important information or feed the ego of an attacker.

So when it comes to the people and society, phishing scams are really damaging the internet. You can always find some scams in your junk mail folder or ads on the Facebook and twitter that try to link you to a fake website. With the fast growing phishing technology and rising social networking, people are getting more risks when they are sharing the personal information online.

For instance, China has the most internet users in the world, there’re about 200 million of them use online shopping or online business. Online shopping has become very popular, because all user needs is a computer that is connected to the internet or even a mobile device. But it has been officially reported that there are 10 thousand phishing websites been created every day, 95% of them are auto-generated by hackers computers themselves. Traditional anti-phishing technologies are lacking of identifying those websites. Most people that use online shopping have encountered the phishing attacks or similar traps, 80% of the phishing websites are getting viewed by both buyers and sellers and 20% of the phishing are succeed. Just in last year, there are more than 60 million people were conned out of $5 billion dollar by the phishing websites in China. Figures like this are expected to be increase.

There are many online survey results for the phishing scams, for example, the survey conducted by YouGov in UK, which show that the public confidence is online business is significantly affected by phishing attacks. 42% of people that participated in the survey feel that their trust in brand would be largely decrease if they got a phishing mail claiming to be from that company. It also shows that the most users feel that Internet Service Provider or Email service provider is the most responsible for the phishing attacks.

The Future of Phishing

300

Based on historic trends in spam, phishing and spear-phishing attacks seen by SpamStopsHere, another type of phishing scam will soon emerge. Instead of forging a bank site, it will forge a common on-line shopping site such as Amazon.com or BestBuy.com (some amateurish attempts already exist). The spam will offer a very low price on a popular product from a reputable vendor. However, the link in the email will go to a forgery in which the spammer appears to take the order, but actually only steals the credit card information with corresponding address.

When this type of phishing scam does emerge, it could greatly impact on-line sales as no one will be able to trust email offers, even from his/her favorite stores.

A literal reading of the "Safe User Guidelines" above states that one should never place an on-line order based on an email offer. While perhaps a bit unrealistic and unnecessary today, it is the only safe way to avoid all phishing scams.

Fortunately, the banking industry is taking steps to make on-line banking and on-line commerce safer from phishing scams and other criminal activities:

• On-line banking will soon require authentication beyond just an account name and password. Possibilities include restricted IP addresses or fingerprint recognition. While the later might sound like a James Bond movie, fingerprint scanners will be common on keyboards by 2007. A Microsoft fingerprint scanning keyboard is available now for under $100.

• Single-use credit card numbers. Ever more banks now offer an on-line service by which you can generate single-use credit card numbers for on-line purchases.

As more authentication methods become common on the Internet, on-line banking and on-line commerce will become safer and more universal. Phishing scams will then decrease as they become less effective. In the meantime, users must take extra precautions and should follow the "Safe User Guidelines" above, and be very wary of clicking on links within emails.

It is clear that the number of phishing scams will increase in the near future as an unfortunately high number of users are deceived by them.

Conclusion

Phishing is a highly profitable activity for criminals. Over the past two years, there has been an increase in the technology, diversity, and sophistication of these attacks in response to increased user awareness and countermeasures, in order to maintain profitability.

Users have become more aware of phishing crimes and how to identify unsophisticated phishing sites. In response, criminals are using web browser vulnerabilities and obfuscation techniques to create phishing scam pages that are more difficult to differentiate from legitimate sites; thus users can become victims even if they are aware of phishing scams.

In reaction to increasing response from service providers and law enforcement, criminals are using increasing technical sophistication to establish more survivable infrastructures that support phishing activities. The key building blocks for these infrastructures are the botnets that are used to send phishing emails and host phishing sites. We have also observed specialized malware that can be used to target sensitive information, with an increased potential to cause damage. Malware is providing the means for criminals to create more effective phishing attacks that can target multiple businesses at a time. Malware is also evolving to acquire particular sensitive information (e.g., TAN numbers) that was created especially for authorizing online commerce transactions.

These trends are important to understand as they show the ability of criminals to recognize and adapt to increasing awareness of and response to phishing. By properly understanding the continual evolution of technical capabilities used by those who commit phishing and online financial fraud in general, more effective countermeasures and more secure online commerce systems can be developed.