
PGP CTO Blog

"Gone Fishing" doesn't mean what it used to
31 Mar 2004

One of the most pressing security problems facing the Internet right now is "phishing" (pronounced "fishing"). It's quite possible you're not familiar with that term. I've been talking to a lot of people about it lately, and probably a third of them whisper, "What's 'phishing?'"

"Phishing" is jargon for fraudulent emails that use "social engineering" to try to persuade you to give up important personal information such as an account name and password. "Social Engineering" is another bit of jargon for "con job." I think such jargon is confusing, glamorizes criminals, and divides experts from people who need their help. Although "phishing" is a wretched term, I'll continue using it in this article.

You probably know about phishing. I'm sure you've already been phished. Sadly, phishing looks like an authentic email from some company you do business with. I've heard of phishing attacks on eBay, Amazon, U.S. and U.K. banks, and a number of credit card companies. A phishing email says you must go to the sender's website and verify some personal information about yourself. It often hints at or threatens dire consequences if you do what you should do: delete it.

Phishing email messages look exactly like legitimate email messages. Attackers often copy a real message using the company's logo, color scheme, and format. The email message may even appear to have come from the proper email domain. Although everything looks right, it's completely wrong. Plus, the phishing email will include an embedded link or attachment that results in your sending financial or personal information to a bogus site.

Phishing messages are speculative, hence the name. The attacker is hoping the victim will be careless or naive and give up useful information that can be further used in fraud. The attacker casts a wide net and hopes some number of victims will respond. The core issue--the con, the fraud--is new to email, but not to the wider world. Phishing is the same security problem as a fake ATM that steals your account number and PIN. It's the same security problem as a con artist who calls you on the phone claiming to be your bank or credit card company.

Why is phishing a problem?
Phishing is a serious problem for a number of reasons. It attacks the core premise of the Internet. It makes it a hostile, nasty place for people that, if unchecked, may turn them away from its utility. It also is an attack on and a threat to the companies that use the Internet to serve these people. With phishing, how can you know when there is a legitimate problem with one of your vendors?

Phishing is hard to stop for the same reasons other Internet crime and spam is hard to stop. The problem is not finding the bad guys, it's finding the "cops" who can stop them. It's not that hard to figure out where phishing messages originate. I've gotten phishing messages and am a good enough sleuth to locate the sender's address. Even when there is a fake physical address, I can find the network provider that gives these people Internet access. The problem is not collecting the evidence, but finding an authority that can do something about it.

Educating users is the best solution
At PGP Corporation, we've been talking to our friends and allies about how to combat phishing. As I said before, this is a con. Con jobs rely on the naïveté of the victim. As one of my security friends puts it, "Phishing is a problem between the keyboard and the seat"--a human problem rather than a technical problem. This assessment is exasperating because it puts the blame on the victims. Although it's true that if people just stopped clicking on suspicious attachments or URLs these problems would go away, that's easier said than done.

Beyond trying to change everyone's behavior, a general solution is impossible. Yes, impossible. Phishing is a con, and there's no way to systematically prevent a con from happening. Heck, the shell game is a con that's so old we know people were doing it in Roman times, and yet people still fall for it today.

Technology solutions are available, but inadequate
Everyone seems to be working on solutions to email cons such as phishing. Most of these solutions are wholly inadequate and fall into two camps:

  • Solutions that protect you from people you already trust. Email gateways and signing systems are examples of solutions that protect you from people who aren't out to con you. These solutions do defend established communications systems against intruders, and they do prevent some attacks from morphing into scamming attacks. For example, a number of email viruses try to convince you the virus is coming from someone you trust. However, these solutions do not defend against the phishing problem: fraud coming from the outside to the email populace at large.

  • Solutions that work if everyone in the world switches to them. Many of these same solutions also work if everyone uses them. The drawback here is practical. People resist change, and there are too many available solutions. As a consumer, I don't know which solution to adopt, and I don't want to start using something that isn't going to work until everyone else joins the club. No one, not even Microsoft, can force such a change.

Anti-phishing strategies for individuals
There are things people can do to make the situation better. The more you know, the more you can protect yourself. Here are some suggestions for people who receive email to protect against phishing attacks:

  • Always keep in mind that an email from a company, especially a company you do business with, is not necessarily real. Be especially careful when a company requests financial or personally identifiable information.

  • Don't connect to company sites via embedded URLs or email attachments. It's easy, but it's not safe. If you think a request is legitimate, reach the website through a link you know to be real: via your address book, a browser bookmark, or a URL you type in by hand. Or use your existing account information to access a company's Web portal.

  • Do business with companies that digitally sign their email messages. Such products are easy for both senders and receivers to use and should be a common practice among companies that receive your personal and financial information.

  • Report phishing attacks to companies you do business with. The only way to help your fellow consumers is to help companies protect themselves. If you're in doubt about the authenticity of an email address, contact the company directly--using, of course, an email address you know is authentic.

Anti-phishing strategies for companies
Companies must be more rigorous in protecting their customers and making it easier to identify an authentic communication. Here are some suggestions for companies that send email to protect from being phished:

  • Use digital signatures and a corporate signing key when communicating private information with customers. Put your signing key on your website. It's not hard. Microsoft, Apple, Sun, and Cisco all use PGP to sign important messages. PGP may very well be the only thing they agree on.

  • Stop sending HTML email for private communications; use plain text instead. Don't put links in such messages. Yes, I know it's boring. I know it loses your fancy branding and marketing. But for such critical email, the alternative is exposing your customers to greater phishing risk.

  • Set up a spoof@ email address. It gives your users a place to send a suspected fraud. eBay did this, and it helped a lot. It also gives you a way to know you're being a victim of a fraudster faster than you would otherwise. It makes good business sense.

  • If you are a security expert, stop using terms like "social engineering," "phishing," and so on. Let's call it what it is. It's a con job. It's fraud. It's a crime. Everyone is stupid sometime, and taking advantage of people's stupidity is not clever. Let's stop pretending it is. There is power in plain language. There is power in one-syllable words and short, declarative sentences. People don't misunderstand you, and our goal is for people to understand.
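Two of the tips above come down to the same check: an individual should not follow embedded URLs, and a company should not put links in private messages at all. The script below is an added illustration of that check and is not code from the original post or from PGP Corporation. It pulls every link out of an HTML email, flags targets whose domain is not on a list of domains the recipient knows to be authentic, and flags links whose visible text shows one address while the href points somewhere else. The sample message, the `examplebank.example` and `verify-login.example` domains, and the `KNOWN_GOOD` list are all constructed for the example; the registrable-domain guess is deliberately crude and a real deployment would use the Public Suffix List.

```python
"""Audit the links in an email for the mismatches the post warns about."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message in the style the post describes. The domains
# are placeholders, not real infrastructure.
SAMPLE_EMAIL = """\
From: "Example Bank" <security@examplebank.example>
To: customer@mail.example
Subject: Verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://examplebank.example.verify-login.example/acct">
log in at https://www.examplebank.example</a> to confirm your details.</p>
<p>Read our <a href="https://www.examplebank.example/privacy">privacy policy</a>.</p>
</body></html>
"""

# Domains the recipient knows to be authentic (assumed: from a bookmark or
# address book, as the post recommends).
KNOWN_GOOD = {"examplebank.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain guess: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(raw_message):
    """Return (href, visible text) pairs from the HTML body of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    return parser.links


def audit_links(raw_message, known_good=KNOWN_GOOD):
    """Flag links whose target is not known-good or whose shown address disagrees with the href."""
    findings = []
    for href, text in extract_links(raw_message):
        target = registered_domain(urlparse(href).hostname or "")
        reasons = []
        if target not in known_good:
            reasons.append(f"target domain {target!r} is not a known-good domain")
        # The visible text may itself contain a URL; it must agree with the real target.
        for word in text.split():
            if word.startswith(("http://", "https://")):
                shown = registered_domain(urlparse(word).hostname or "")
                if shown != target:
                    reasons.append(f"link text shows {shown!r} but target is {target!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, the "privacy policy" link passes because it points at the known-good domain, while the "log in" link is reported twice: its target is an unknown domain, and the address shown in the link text is not the address the href actually goes to. A company auditing its own outgoing private mail can use the same `extract_links` call with the stricter rule from the post: any link at all is a finding.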

Background Reading

Department of Justice, Criminal Division, "Special Report on 'Phishing'" [PDF: 110KB], March 4, 2004

Federal Trade Commission, Consumer Alert, "How Not to Get Hooked by a 'Phishing' Scam"

Office of the Comptroller of the Currency (OCC), Alert 2003-11, "Customer Identity Theft: E-Mail-Related Fraud Threats," September 12, 2003

Additional Resources
Anti-Phishing Working Group, an industry association focused on eliminating the identity theft and fraud that result from the growing problem of "phishing" and email spoofing: www.antiphishing.org

Internet Storm Center, a free service supported by the SANS Institute that collates information from more than 3 million intrusion detection log entries and provides data on the types of attacks being mounted against computers in various industries and regions around the globe: http://isc.incidents.org/
