Oh phish! Caught in the Net
As a Nigerian national is arrested for phishing at least 25 HDFC accounts, Presley Thomas discovers we are sitting ducks for the thriving industry.
Updated: Feb 18, 2008 02:34 IST
You don’t have to wait in queues, you don’t have to deal with clueless executives and your time is your own. Online banking has a lot going for it. There’s just one catch — miss a trick, and you could get ‘phished’.
As more and more of Mumbai’s busy citizens opt to do their banking and credit card transactions online, a Nigerian national’s arrest in Surat on Thursday and Jitesh Kishan Gavit’s arrest from Mumbai’s western suburb of Nalasopara on February 8 — they have allegedly phished at least 25 HDFC bank accounts — send out a strong warning.
With an estimated 35.4 million Internet users in India, we are a good market for phishers. Internet users here rank among the top social networking users, and global agencies that monitor phishing have sounded an alert to those hooked to such websites.
There’s more bad news. When it comes to hosting phishing websites — mirror sites that capture account details — India ranks third at 9.39 per cent, says the Anti-Phishing Working Group (APWG), a global pan-industrial and law enforcement association focused on eliminating fraud and identity theft due to phishing, pharming and email spoofing of all types.
The APWG report, which was released in November 2007, ranks China at the top with 24.21 per cent, followed by the US at 23.85 per cent. Russia, Thailand, Romania, Germany, South Korea, UK and France are other countries in the top 10 phishing list.
Internet users vulnerable
Internet users here are at high risk as the country is yet to have a dedicated agency that monitors cyber frauds, said Vijay Mukhi, president of Mumbai-based Foundation for Information Security and Technology, a private e-security firm.
“Neither the government nor the information technology industry has taken measures to establish an agency that will monitor, track down and curb the growing number of cyber fraud cases in the country,” said Mukhi.
Gartner, Inc., a global IT research and advisory firm, reports that phishers are collecting personal data from social networking websites. Andrew Walls, research director for Gartner’s infrastructure protection group from Australia, said: “We are seeing phishing scams wherein personal data has been collected from online social networks such as MySpace and Facebook and then integrated into very personal and targeted emails.”
The mails sent to potential victims are personalised and seem credible. “The messages are more convincing due to the amount of personal information they contain,” said Walls. “The phishing message may be delivered through email, instant messaging, SMS, or a message on your social networking site (like a scrap).”
India-specific data from the Indian Computer Emergency Response Team, in its last report published in 2006, revealed that phishing attacks against the e-commerce sector, which includes online retailers, auction sites and recruitment services, amount to 76 per cent. The remaining 24 per cent of the attacks target banks and financial institutions.
Quick money, easy work
APWG’s latest report, published in January, reveals that it received reports of 28,074 phishing attacks and 23,630 phishing websites in November 2007.
Walls attributed the popularity of phishing to attractive profit margins. “The entire effort of building and distributing phishing messages can be automated, so the creation of thousands of phishing emails costs the phisher very little,” he said. So, if a phishing scam generates 50,000 messages and just one per cent of the recipients are taken in, the phisher has still defrauded 500 people.
Get secure, go public
The future of phishing will be controlled by the quality of security implemented by those targeted. “If fraud detection systems within a bank rapidly identify and stop phishing frauds, phishers will move to weaker targets,” Walls said.
Disclosing security breaches also helps. It educates consumers about the risk in online commerce, puts pressure on companies to improve security and gives governments an indication of the true level of crime. “Corporations must disclose security breaches to the public. This has been adopted in 38 (of the 50) states in the US and it’s yielding results.”