When I was 8 years old I went on my first fishing trip with my grandfather. He was an avid fly fisherman and would spend hours lazily flicking his line into the pools and eddies of rivers in South Africa’s Drakensberg mountains. I had a great time for the first hour or so, after which I posed a justified question: “Grandpa, this is too difficult, when are we going to catch a fish?” To which my grandfather replied, “If it was easy, they would call it catching, not fishing.”
Phishing attacks are growing at a tremendous rate. The UK Cards Association recently released a report comparing fraud losses from January – June 2012 with the same period in 2011. Online banking losses have increased 28% year-on-year. UK Cards offered some explanation, quoting the fact that phishing attacks had increased by 199% over the past 12 months. The only reason I can think of why phishing attacks continue to rise is that fraudsters are still catching victims. Phishing is still a viable form of credential harvesting, providing a meaningful return on investment for fraudsters.
How long will it be before consumers are either knowledgeable enough or vigilant enough to avoid falling prey to such attacks? Beyond the work being done by banks to educate their customers, there are some amazing resources available on the internet where the general public can go to learn about the risks of phishing.
The Anti-Phishing Working Group has a wealth of information on how to avoid being phished. Get Safe Online has created a user-friendly video on how not to become a victim. In fact, you don’t have to go too far to find more great advice on how to protect yourself. Let’s not forget, there is a level of responsibility and accountability that we all have to protect ourselves.
Do not fall into the trap of thinking that mitigating phishing attacks is something your bank should be doing for you. Banks certainly spend millions each year trying to reduce the effect of phishing, but this is largely to reduce the fraud losses they are liable for. There are other forms of harm that can be inflicted on us as individuals that go far beyond a bit of money being stolen from our bank accounts.
A successful phishing attack is the first step in full identity theft. Please understand that when you hand over personal details to a fraudster, it allows them to explore new avenues of identity theft. If you submit your date of birth during a phishing attack, for example, it is fairly simple for a fraudster to write a script that sends you a Happy Birthday email that then continues to extract more data from you. With enough time and focus, a fraudster can build up an entire identity profile of a target and eventually start applying for credit products in the target’s name, opening bank accounts or other services, all using the stolen details. This has consequences for people in the real world.
So what can be done?
Well, consumers should be doing more to educate themselves on the dangers of the Internet and equip themselves with the knowledge of how to protect themselves.
Businesses should be tackling this on two fronts: reactive and proactive. A reactive strategy should involve a clear policy on what to do if a customer’s details are found to have been compromised. Do you contact them? Do you place their accounts on a watch list? Do you block access through digital channels? Layering a risk-based approach on top of those policies would help identify the appropriate measure to take. The proactive strategy would be to further educate your customers and subscribe to an anti-phishing service that alerts your business to attacks targeting your customers.
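As an added illustration of the reactive side (this is example code, not RSA’s or the author’s), the block below models the policy questions above as a small risk-layered decision: each compromise report lists which data elements a customer submitted to a phishing page, reports for the same customer are merged so exposure accumulates the way the identity-profile paragraph describes, and the cumulative risk score selects which measures (contact, watch list, credential reset, digital-channel block) apply. The element weights, thresholds, the `recent_suspicious_login` signal and the sample reports are all assumptions chosen for the example, not any bank’s actual policy.

```python
"""Risk-layered handling of compromised-customer reports.

Added example; not code from RSA or from the post's author. The element
weights, thresholds, signals and sample reports are assumptions made up
to illustrate the decision, not a real institution's policy.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    NOTIFY = "contact the customer"
    WATCHLIST = "place accounts on a watch list"
    FORCE_RESET = "force a credential reset"
    BLOCK_DIGITAL = "block digital-channel access pending verification"


# Assumed weights: how much a single exposed element helps a fraudster.
ELEMENT_WEIGHT = {
    "email": 1,
    "date_of_birth": 2,
    "postal_address": 2,
    "password": 4,
    "card_number": 4,
    "one_time_code": 5,
}

# Assumed policy thresholds on the cumulative score.
WATCHLIST_THRESHOLD = 3
BLOCK_THRESHOLD = 8
SUSPICIOUS_LOGIN_WEIGHT = 3


@dataclass(frozen=True)
class CompromiseReport:
    """One report: what a customer handed to a phishing page."""
    customer_id: str
    exposed: frozenset          # data elements submitted to the phishing page
    recent_suspicious_login: bool = False  # assumed signal from login monitoring


@dataclass
class CustomerExposure:
    """Everything known to be exposed for one customer, across all reports."""
    customer_id: str
    exposed: set = field(default_factory=set)
    recent_suspicious_login: bool = False


def aggregate(reports):
    """Merge reports per customer so that exposure accumulates over time."""
    by_customer = {}
    for report in reports:
        exposure = by_customer.setdefault(
            report.customer_id, CustomerExposure(report.customer_id))
        exposure.exposed |= set(report.exposed)
        exposure.recent_suspicious_login |= report.recent_suspicious_login
    return by_customer


def risk_score(exposure):
    """Sum the weights of every exposed element, plus a login-anomaly bonus."""
    score = sum(ELEMENT_WEIGHT.get(element, 1) for element in exposure.exposed)
    if exposure.recent_suspicious_login:
        score += SUSPICIOUS_LOGIN_WEIGHT
    return score


def decide(exposure):
    """Map a customer's cumulative exposure to the ordered list of actions."""
    score = risk_score(exposure)
    actions = [Action.NOTIFY]  # every confirmed compromise gets customer contact
    if score >= WATCHLIST_THRESHOLD:
        actions.append(Action.WATCHLIST)
    if exposure.exposed & {"password", "one_time_code"}:
        actions.append(Action.FORCE_RESET)
    if score >= BLOCK_THRESHOLD or (
            exposure.recent_suspicious_login and Action.FORCE_RESET in actions):
        actions.append(Action.BLOCK_DIGITAL)
    return actions


def triage(reports):
    """Return {customer_id: [Action, ...]} for a batch of reports."""
    return {cid: decide(exp) for cid, exp in aggregate(reports).items()}


# Constructed sample reports (customer ids and contents are made up).
SAMPLE_REPORTS = [
    CompromiseReport("c-1001", frozenset({"email"})),
    CompromiseReport("c-1001", frozenset({"date_of_birth", "postal_address"})),
    CompromiseReport("c-2002", frozenset({"email", "password"}),
                     recent_suspicious_login=True),
    CompromiseReport("c-3003", frozenset({"card_number"})),
]

if __name__ == "__main__":
    for customer_id, actions in triage(SAMPLE_REPORTS).items():
        print(customer_id, "->", ", ".join(a.value for a in actions))
```

The point of `aggregate` is that two individually low-risk leaks for `c-1001` (an email address, then a date of birth and address) add up to a watch-list decision, whereas judging each report in isolation would never get past a courtesy notification.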
To date, RSA’s Anti-Phishing Service has shut down more than 750,000 malicious attacks for customers and, in doing so, has helped to provide early warning to customers about potential compromise of credentials.
This blog was contributed by Richard Booth from RSA’s Identity and Data Protection Group.