OTTAWA — It’s as simple as keying in your personal information on what appears to be a legitimate bank’s Web site, but soon, your money is gone and, perhaps, your identity is stolen.
It’s called phishing, and according to industry experts at a conference in Ottawa in early October, there is
no silver bullet solution to this new global threat that lures in five per cent of people solicited.
Sponsored by Symantec Corp. and the Information Technology Association of Canada, two Symantec executives shared their vision and strategies for combating phishing, which, the experts warned has pushed North American borders to become a global phenomenon.
According to Ken Schneider, Symantec’s chief architect for the Network and Gateway Security Solutions Group, between 2001 to 2004 reports of phishing increased from eight per cent to 65 per cent. Predominantly done through e-mail, Schneider said spam has evolved over six years from initially being just text to now having criminal intent. It is estimated that phishing has cost banks and credit card issuers nearly $1.2 billion in damages in the U.S. alone.
The “”attackers,”” he said, are sophisticated and make their Web sites look almost identical to the legitimate sites, as they seek users secure banking or personal information through solicitation by e-mail. Unsuspecting users, for whatever reasons, are lured into giving up secure information and soon might be robbed, because they trust the sites. He showed an example of the legitimate Citibank (an American bank) Web site and a fraudulent one. To the untrained eye, they appear almost identical.
“”Unless you really check, you are not going to know,”” Schneider said. “”The money is now online and the phishers are going to get it.””
Saying that the fraud-base has seen an increase in Eastern Europe and Asia, he warned that phishing, if not dealt with appropriately, will trigger consumers to lose faith in e-commerce, crippling an industry and slowing technology.
“”We can build software to avert these things, but if people aren’t educated it makes no difference,”” Schneider said in an interview with Computing Canada following the conference. “”At the end, user education is the most important.””
Michael Murphy, Canadian general manager of Symantec Corp., said that e-commerce based Web sites are receiving 16 per cent of attacking traffic from phishers, up from four per cent in 2003.
“”These sites have your information,”” he said. “”Goodwill and naivete of the individual is what is being exploited.””
Murphy said there are three ways to tackle the problem: new and better technology, improving the people and the process and, he said, it’s important to ensure that best practices are implemented.
Best practices, he said, are as simple as changing your passwords often, configuring your e-mails to block spam, re-typing the links into your browser and making sure programs are updated.
Some of the well-known phishing examples highlighted at the conference included one involving the current U.S. presidential election. According to Schneider, some Americans received e-mails asking them to donate money to the Kerry-Edwards campaign, but the donations linked to a non-campaign site.
Canada isn’t immune to the problem, either. Following an IT meltdown in June, RBC dealt with an e-mail phishing scheme that went out to many customers asking them to enter their client card number in order to access their accounts.
According to a study conducted by Ipsos-Reid, 75 per cent of Canadians are concerned about identity theft, but only 20 per cent consider themselves “”very well informed”” about how to protect themselves.
Murphy warned people to get vigilant and educated.
“”Banks do not send e-mails asking for account information,”” he said.