Something Phishy In Your Inbox?

DQC News Bureau

The most effective way to combat phishing is to educate users to recognise spam emails and to discourage them from giving away personal information.


Did you ever receive an email where, thinking that it was from a genuine organization, you ended up giving away your personal information? This is phishing, which is also referred to as 'brand spoofing'. It is the act of sending an email to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft.

The e-mail directs the user to visit a website where they are asked to update personal information, such as passwords, credit card numbers and bank account numbers, which the legitimate organization already has. The website, however, is bogus and set up only to steal the user's information. Government, banks, financial institutions and online auctions/pay services are common targets of

addition to the spoofed credentials, the email is usually HTML-based. To an undiscerning eye, the email bears the authentic trademarks, logos, graphics and URLs of the spoofed company. In many cases, the HTML page is coded to retrieve and use the actual graphics of the site being spoofed!


Because it is relatively simple to make a website look like a legitimate site by mimicking its HTML code, the scam relies on people being tricked into thinking they were actually contacted by a legitimate company. They subsequently go to its site to update their account information.

Phishing today is the fastest-growing segment of spam being sent worldwide, victimizing both legitimate online companies, whose brands are being hijacked, and customers who unwittingly provide their personal information to criminals.

Educating customers about phishing

Can the phishing war be won? Customers could be educated not to trust these emails, but phishers are getting more sophisticated and their emails more convincing. Although education and awareness remain important tools, they are not going to be enough to combat this menace.



It is hence desirable that banks and financial institutions, which are typical targets of phishing, take control and protect their customers. There are techniques that banks can deploy, such as the SSL/TLS protocol, which secures the link between the customer's web browser and the bank.

Strong authentication and one-time passwords (OTP) are further ways of protecting customer identities. There are other tools, based on proven behavioral technology, which users can deploy. They analyze the characteristics of a web page in real time to determine whether it is a spoof site and deliver a browser-based warning to consumers before they visit the fraudulent page.


It is the lack of awareness within the user fraternity that increases the phishing threat. Basically, the idea is that bait is thrown out in the hope that, while most will ignore the bait, some will be tempted into biting.

Securing enterprises from attacks

Solution providers can follow these two steps to safeguard their enterprise customers from phishing attacks:

Adopt a multi-layered approach: The only effective way to provide long-term protection against spam is to take a multi-layered approach. This combines layers of signatures, a variety of heuristics and basic blocking techniques. Ideally, combinations of heuristic techniques (whether context-, neural network-, Bayesian- or algorithm-based) should be used for maximum detection and minimal false positives, which are emails incorrectly identified as



Deploy filtering in phases: As enterprises increase the number of spam filtering mechanisms they have in place, the unintended consequence is that spammers now send out even more messages in order to make a buck. It is recommended to deploy filtering technology in phases, to achieve a more precise implementation that filters spam specific to department needs and reduces the risk of false positives.

Tips for everyone


DEFINITION: Sending an email pretending to be an established legitimate enterprise to scam the user into surrendering private information that will be used for identity theft

RECENT DEVELOPMENTS: 1. Formation of Phish Report Network, to immediately and securely report fraudulent websites to a central database. Initial participants are Microsoft, eBay, PayPal and Visa. 2. The Anti-Phishing Working Group, a pan-industrial and law enforcement association, focuses on eliminating fraud resulting from phishing and email spoofing


PROVIDERS: 1. Deploy filtering technology in phases to achieve a more precise implementation that filters spam, specific to department needs. 2. Take a multi-layered approach that combines levels of signatures, a variety of heuristics and basic blocking techniques

1. Don't respond to suspicious emails. A response only confirms the accuracy of your email address and may result in even more spam.

2. Don't click on the link asking to be taken off the sender's list in a suspicious email. Senders often use this as a ploy to confirm the recipient's address, so as to send more spam.

3. Never submit your credit card or other personal information to non-secure websites or even within pop-up windows. There should be a locked padlock icon, appearing in yellow or in a yellow box, on the bottom bar of the browser window showing the order form.

4. Use spam filtering or spam-blocking software.

5. Do not send your email address through chat rooms, instant message services or Internet bulletin boards and newsgroups.

6. Do not give out your primary email address for online registration or on e-commerce sites. Create another free email address to use more publicly.

7. Be wary of clicking on links in e-mail messages. Links in phishy e-mail messages often take you directly to fraudulent sites, where you could unwittingly transmit personal or financial information.

8. Even if the address bar displays the correct Web address, don't risk being fooled. There are several ways for con artists to display a fake URL in the address bar of your browser.

9. Type addresses directly into your browser, or use your personal bookmarks, to update your account information or change your password.
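As an added illustration of the link checks behind tips 7 and 8, and of the earlier point that phishing emails are HTML pages carrying a real brand's graphics and URLs, here is example code that is not part of the original article: it extracts every link from an HTML message body and flags any whose real destination is not the expected bank domain, is not served over HTTPS, or whose displayed URL text differs from the actual href. The domain examplebank.com, the address 203.0.113.5 and the message body are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
class LinkExtractor(HTMLParser):
    # Collects (href, visible anchor text) pairs from an HTML email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude registrable domain: last two labels (no public-suffix list here).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def suspicious_links(html, expected_domain):
    # Returns [(href, [reasons])] for links that do not belong to expected_domain.
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if registrable(host) != expected_domain:
            reasons.append("host %s is not %s" % (host, expected_domain))
        shown = re.search(r"https?://([^/\s]+)", text)  # a URL used as link text
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append("displayed URL differs from actual href")
        if reasons:
            findings.append((href, reasons))
    return findings

SAMPLE_EMAIL = (  # constructed sample message body, not a real phishing email
    '<p>Please <a href="http://203.0.113.5/login">update your account</a> at '
    '<a href="https://examplebank.com.verify-login.example">https://www.examplebank.com</a>'
    ' or see <a href="https://www.examplebank.com/help">Help</a></p>'
)
```

Running `suspicious_links(SAMPLE_EMAIL, "examplebank.com")` flags the first two links and leaves the genuine help link alone; a mail gateway would apply the same checks before delivery, while the "last two labels" domain rule should be replaced with a public-suffix list in production.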

Sunil Golani is Deputy GM, Technology Services, Ontrack Solutions