Saturday, March 21, 2009

Phishing Scams

I ran across a very helpful article in the December 2008 issue of Scientific American, link here, on how to avoid phishing scams. By Lorrie Faith Cranor, "How to Foil 'Phishing' Scams: Understanding the human factors that make people vulnerable to criminals can improve both security training and technology."

Most OOTJ readers will know that phishing e-mails are messages set up to look like legitimate communications from, say, a bank, your IT department, or eBay, all encouraging you to input such valuable data as your credit card number, Social Security number, bank account number, or passwords. But I was surprised to read that phishers also pose as business surveys, and as legitimate charities. I did know that just opening an e-mail from a phisher could load malware onto my computer -- sometimes installing keystroke-logging software that records what I type and thereby sends to the phishers all the information that I may be too clever to send them myself.

And one trick I did not know was to look at the URL and/or e-mail address of the sender. You can hover your mouse over any link they offer and compare the real target, which the browser shows in its status bar, with the text on the screen. Especially look at any links they want you to follow (as opposed to links that supposedly show how legitimate the e-mail is). Then parse the URL carefully to see where it really goes. Look at the material between the http:// (or https://) and the very first / that follows it: that is the host name, and its right-hand end, not its left, tells you the real identity, because whoever registers a domain can put any names they like in front of it. Two related cautions: if a . rather than a / follows what looks like the real name, you are still inside the host name; and if an @ appears in that stretch, everything before it is merely a user name and the real host comes after it. So, the link for you to go and clear up that confusion about the buyer who insists they sent you money and never got the goods SAYS http://customerhelp.ebay.com/ but when you hover the mouse over it, you notice at the bottom of your screen:

http://customerhelp.ebay.com.hookthefool.ma.us/

The real identity here is hookthefool.ma.us, the rightmost part of the host name; customerhelp.ebay.com is just a prefix the phisher chose to put in front of it.
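The same check, as an added illustration that is not code from the Scientific American article or from this blog: pull every link out of an HTML e-mail body, read the host the browser would actually contact (which also strips the user-name-before-@ trick that a hand parse can miss), and flag any link whose visible text names a different registered domain than its real target. The list of public suffixes below is a deliberately tiny, constructed subset of the Public Suffix List (publicsuffix.org), just enough for these examples; a real check loads the full list. The sample e-mail body is constructed, modelled on the example above.

```python
"""Flag links whose visible text points somewhere other than their real target."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; enough for the examples in this post.
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "ma.us", "uk", "co.uk"}


def host_of(url):
    """Return the lowercase host actually contacted, or None if there is none.

    urlsplit().hostname drops the scheme, any user:pass@ prefix, the port and
    everything from the first '/' on: the slice of the URL the post tells you to read.
    """
    if "://" not in url:
        url = "http://" + url  # bare 'ebay.com/help' style links
    return urlsplit(url).hostname


def registrable_domain(host):
    """Return the part of the host that someone actually registered.

    Labels to the left of it are chosen freely by whoever controls the domain,
    so 'customerhelp.ebay.com' in the leftmost position proves nothing.
    """
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return host  # a bare IP address: no registrar involved, compare it as-is
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host *is* a public suffix; nothing was registered
            return ".".join(labels[i - 1:])
    return None  # unknown suffix; treat as unverifiable


def link_is_deceptive(visible_text, href):
    """True when the text shown to the reader names a different registered
    domain than the one the browser would visit."""
    shown = registrable_domain(host_of(visible_text.strip()))
    actual = registrable_domain(host_of(href))
    if shown is None:
        return False  # link text is not a URL ('Click here'); nothing to compare
    return shown != actual


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None


def deceptive_links(html):
    """Return the (visible text, href) pairs in html whose targets do not match."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for text, href in parser.links if link_is_deceptive(text, href)]


# Constructed sample e-mail body: one look-alike host, one honest link, one @ trick.
SAMPLE_EMAIL = """
<p>Please resolve the dispute here:
<a href="http://customerhelp.ebay.com.hookthefool.ma.us/">http://customerhelp.ebay.com/</a></p>
<p>Our privacy policy:
<a href="http://pages.ebay.com/help/policies/">http://pages.ebay.com/help/policies/</a></p>
<p>Or sign in at
<a href="http://www.ebay.com@192.0.2.10/signin/">http://www.ebay.com/signin/</a></p>
"""

if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_EMAIL):
        print(f"shown {text!r} but really goes to {host_of(href)!r}")
```

Run as a script it reports the first and third links; the second, where text and target both resolve to ebay.com, is left alone. The unknown-suffix and bare-IP cases are returned rather than guessed at, so a mail client using this would show a warning instead of a false reassurance.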

I encourage you to read the article completely, for which no subscription is needed. But among the sadder news they have is that e-mails you might send your patrons to warn them about phishing are less likely to be read than phishing e-mails themselves. The author took this piece of information and used it to build a learning tool. They built a fake phishing e-mail that zinged readers. After being "hooked" and told they had been caught, readers were then educated. Testing showed these readers were much more likely to read and retain the material, still avoiding phishing e-mails a month later in their test! This compared very well to a control group who read the same material without being hooked first, and fell for the phishing e-mails a month later. Expanding this finding, the author's group eventually developed a game which teaches users to avoid phishing hooks, and when the player gets hooked, explains what went wrong. The interactive learning tool seems to work even better than the original "entrapment" and teachable moment.

The author explains that she is part of a consortium that is working on a multi-pronged effort to stop phishing. They are working to actually track and stop phishers -- very difficult. They are also working to educate users -- and this game is one option. The author has spun off her research and the game can be purchased. And the last prong is that the group is working on improving filters to recognize phishing e-mails and catch them before they reach users. All of these efforts are ongoing, as the phishers become more clever. An arms race.
