Fighting Phishing

I was looking forward to writing more on Sales 2.0 this week. Selling is something that I am keenly interested in, but it will have to wait for another time. A call from a client set me off in another direction.

My client called to talk about phishing and what they are doing to combat it and help their customers. I am sure you already know that phishing is a technique that attempts to get unsuspecting Internet users to hand over sensitive information such as bank account and credit card numbers. The thieves or cyber-pirates who conduct phishing attacks use the account numbers to steal money and sometimes whole identities.

Doomed to Fail?

At first blush, it sounds like a good thing to take on phishing on behalf of your customers, and you could even say it is noble. Nevertheless, a little reflection made me think this nobility was like the charge of the Light Brigade — noble, but also doomed.

I went to my files and dug up a column I wrote in 2005 about spyware and adware — back then, those were the problems of the day. These rogue programs took over browsers and redirected them; they also inserted new start pages and sent a continuous stream of information about where a person has been in cyberspace back to a central group that harvested the information. Eventually, the free market figured it all out: the firewall was born and became standard equipment for PCs.

Individual action in the face of a problem like this — a free market approach — has a place, but it is not always wise for any single company to take on such a diffuse threat. The problem with this approach is that it is, at best, temporary.

Like any arms race, one side reacted to the threat and the problem went away only to spring up in a different form. The solution did nothing to dislodge the notion that rogue groups could roam the cyber-frontier extracting information from people for nefarious aims. As a result, the spyware and adware problem morphed into something more serious — phishing.

Zero Tolerance

In social science, there are numerous examples of how when small crimes or activities on the edge of being crimes are left alone they breed a complicit environment where it is easier to perpetuate a larger crime.

The most famous law enforcement effort I am aware of involved the New York Police Department adopting a zero tolerance program for small crimes like people hopping the turnstiles in the subway to avoid paying. When zero tolerance kicked in, the incidence of all manner of small crimes went down as well as larger crimes, too.

Back to spyware and phishing. What was needed at the time — and is needed today — is legislation that makes it a crime to steal a person’s confidential information the way phishers do; in other words, there should be a zero tolerance for cyber-piracy of any kind.

There is a bill, the Identity Theft Enforcement and Restitution Act, making its way through Congress right now cosponsored by Sens. Patrick Leahy, D-Vt., Arlen Specter, R-Pa., and Richard Durbin, D-Ill., that might do some good, and I recommend you look it up.

On the Rise

Perhaps more important to getting something done today is the Anti-Phishing Working Group (APWG), which tracks and reports on phishing and offers some solutions to help protect individuals.

Some of the information that comes out of APWG is not that encouraging, and according to them, phishing attacks are on the rise. In July (the most recent statistics I can find), there were 30,999 unique phishing sites identified and 126 different brands were compromised. Those brands included PayPal, Amazon, Bank of America and other high-volume online transaction-oriented businesses.

Also included in this list are most of the get-rich-quick e-mails you get these days from the national lottery of some foreign country and people seeking help to launder a few million dollars they happen to have lying around. The good news is that the average life expectancy of a phishing site was 3.6 days, an all-time low.

Decline the Invitation

One of the most difficult parts of fighting phishing is that it’s a bit like the carnival game where you smack an alligator head only to see another spring up elsewhere. It takes almost no time to launch a phishing site, and operators can move them from one unscrupulous or dumb ISP (Internet Service Provider) to another in the blink of an eye. With a typical phishing site up for less than four days, it is hard to eradicate the problem. It’s also why adding a site to a blocked sender’s list doesn’t work well.

APWG advises people to never fill out forms online when invited to do so, even if the invitation seems to come from a trusted vendor. Moreover, vendors have more or less adopted a policy of not sending out e-mails asking customers to do so, therefore a clear tip off that a phishing scam is up is the invitation itself.

If you get phished, follow the simple directions from the APWG site:

• Create a new e-mail addressed to [email protected].
• Drag and drop the phishing e-mail from your inbox onto this new e-mail message.
• In Netscape, drop it on the “attachment” area.
• Do not use “forward” if you can help it, as this approach loses information and requires more manual processing. The exception is when you use the Web interface to Outlook: in that case, forward is the only solution.

Phishing Is Bad Enough

So what’s the bottom line for CRM? Just this: You can’t build a futuristic on-demand economy if transactions can be counterfeited by pirates. Attempts by individuals, or even individual companies, are doomed to fail because these attempts are simply battles in an arms race. Phishing is bad enough — I for one don’t want to see what comes next.

It’s time for companies to stop hiding and thinking the problem will go away. It’s time for companies to stop worrying that admitting there is a problem will lead to customers thinking the Internet is unsafe. It is unsafe, and most people already know this. It is time for all of us — individuals and companies — to band together and demand laws that will protect us when online.

The Leahy, Specter and Durbin bill is a good place to start.