Phishing, a threat to electronic commerce


Phishing threatens the security of information belonging to users and to companies that conduct their business through electronic commerce.

Phishing is ''a form of on-line identity theft which uses deceptive email messages designed to induce the people to whom they are sent to enter fraudulent sites where attempts are made to trick them in order to obtain private financial information such as, for example, credit card numbers, and names and passwords of bank accounts''.

Although most attacks target foreign financial institutions, they also happen here in Portugal. Here is part of an account of a phishing incident as related by a Portuguese financial institution: “(...) At the start of October several clients received email messages with a text inviting them to click on a link (shortcut) in order to confirm their access codes. This link gave access to a page identical to the portal (...), but this was a false one on which there were fields for entering system access codes.”

This is, without doubt, one of the greatest current threats to the development of electronic commerce. As with other aspects of network and IT system security, users should develop a “security culture” and be aware of the characteristics of this fraud: what they should do to detect phishing and how they can limit any damage they may suffer.

The Anti-Phishing Working Group (APWG), which has its web-site at http://www.antiphishing.org, is an excellent source of information on this subject. The APWG is a business association whose objective is to eliminate identity theft and fraud resulting from the growing development of phishing and mail spoofing¹. This organisation is dedicated to the discussion of matters related to phishing and to the evaluation and testing of possible technological solutions. The APWG also keeps a central archive of phishing attacks.

Among other activities, the group periodically publishes a report which analyses phishing activity trends with a summary of relevant information, namely the most used HTTP ports, the number of active web-sites, the number of brands and the business sectors most affected, the geographic location of sites, and examples.

The latest report was published in December 2004 and the following data are worth highlighting:

1. Number of active phishing sites

Figure: Monthly change in number of active phishing sites reported to the APWG

2. Business sectors most affected

Figure: Monthly change in business sectors most affected

In addition to providing this information, the Anti-Phishing Working Group web-site also gives other elements of interest to the consumer on, for example:

- how to avoid phishing schemes; and
- what to do if you have given away private financial information.

Other possible sources of information are banks, since many of them already supply information and recommendations on security, as well as the web-site of the Computer Emergency Response Team, at http://www.cert.pt/index.php?newlang=english, where you can find a variety of information on phishing and other matters.

Notes
¹ Spoofing. From the term spoof, meaning to imitate the sender of a message or to simulate a web page in order to gain access to information. Spoofing is also applied to the use of email addresses belonging to other people to simulate a known sender and to make the receiver more confident about opening messages (Source: ABC of technology, http://www.abc-tecnologia.com.pt/ - in Portuguese).


Further information:

  • CERT - UK http://www.cert.pt/index.php?newlang=english
