What is Phishing in Internet Security: Its Dangers and The Future
This post addresses phishing, a major topic in internet security for decades now. The Oxford Advanced Learner's Dictionary defines phishing as “the activity of tricking people by getting them to give their identity, bank account numbers, etc. over the Internet or by email, and then using these to steal money from them”. Simple as that may sound to a layman, it is a major problem in the world today, as this paper will show. Anyone who owns an email account, uses an online shopping portal or exchanges personal information over the internet is exposed to the dangers of phishing (Nitesh D., Billy R. and Brett H., 2009). Those dangers include, but are not limited to, theft of money, theft of information, identity theft and loss of access to one's own email account.
With mobile devices becoming the access point for most individuals who use the internet or perform transactions, it is now imperative that the forms of phishing that target mobile devices, SMiShing and Vishing, also be examined in this paper (Ezer O. Y., Priscilla M. A., 2014).
While there is a large literature on the dangers of phishing and the countermeasures against it, very little of it looks at the future of this menace, which is one of the issues this paper addresses.
This post aims to answer the following questions, among others.
1. What is the current situation regarding internet security, and phishing in particular?
2. What was the situation ten years ago?
3. What countermeasures have been used against this threat in the past, and how effective have they been?
4. What role do employees and top management in various companies have to play in protecting their brand?
5. What support are governments and federal agencies around the world offering the global internet community in its fight against phishing?
6. What will the situation be ten years from now?
Introduction and Background
This section answers questions 1 to 3 listed in the summary above; the remaining questions are taken up in the sections that follow.
Phishing is a fraudulent attempt to acquire sensitive information such as credit card details and passwords, with the aim of using that information to steal money or carry out some other harmful activity (Alkhozae M., Batarfi O., 2011). Social engineering is the means by which these criminals obtain the information. Social engineering has moved on from the days when face-to-face and voice deception were the only techniques; with the reach the World Wide Web provides, attacks can be and are now mounted through a far wider medium, email. Here are some recent statistics on email-based phishing:
The Anti-Phishing Working Group (APWG), a global group supporting the fight against phishing, reported that for September 2015 alone there were:
- 64,400 unique phishing websites detected.
- 106,421 unique phishing email reports submitted, some of them by victims.
- 402 brands (corporations) targeted by phishing campaigns.
These figures cover September 2015 only; the cumulative annual figures are larger still. APWG reports that it now receives twice as many phishing reports as it did the previous year. This points to a growing problem, given how important and relied-upon email has become as a communication tool.
Brief History of Phishing
Phishing has existed and caused damage since around 1995, when America Online (AOL) users were first scammed into giving out their passwords (Anthony E., 2007). AOL was the largest internet provider in America, so it was bound to attract hackers as well as innocent online users.
These hackers began by generating randomized credit card numbers to open AOL accounts, which they then used to spam other users, among other things. AOL discovered this and blocked account creation with randomly generated card numbers.
They then moved to AOL's instant messenger and email systems, posing as AOL employees and sending users messages that typically demanded they update their account information. This is how they stole users' passwords, and how phishing officially began.
Between 2001 and 2003 it evolved into the form it has today, as phishers turned to online payment systems (phishing.org). It took only about five years to grow into this huge cybercrime activity, a striking display of how quickly information technology moves things forward.
Fig 1. Phishing reports received in 2015 Jan – Sep
The figure shows an average of 114,855 phishing reports per month. That is an alarming number, and there have to be ways of combating phishing.
Countermeasures and their effectiveness:
It is very difficult to eradicate phishing completely, but it can be reduced (Aryan C. S., Kiran P. S., Keshav G. T., 2013). There are various techniques for battling this cybercrime, including educating users about the dangers and the techniques cyber criminals use.
Two papers suggest that one of the most effective ways of battling phishing is to make online users aware of phishing techniques and their dangers (Aryan C. S. et al., 2013; Jyoti C. et al., 2013). However, awareness alone is not always enough, because these criminals are getting smarter by the day and are embracing new technology, moving into malware and pharming as means of stealing information.
Pharming and malware-based phishing are more technical. Instead of persuading the user to type the wrong address, they tamper with the victim's machine or its name resolution (for example malware that edits the local hosts file, or poisoning of a DNS resolver) so that the browser behaves abnormally and lands on a fake site even when the correct address is entered. Phishers moved towards these methods because online users had become aware of their conventional techniques. Even though users, new users especially, still fall for the conventional techniques, the papers suggest that the number of victims of those techniques is falling.
Malware-based phishing is one of the numerous kinds of phishing attack that have been identified (Mehdi D. et al., 2015). Mehdi D. et al. identified nine different kinds of attack in total. When phishing started in 1995 there was only one; twenty years on there are nine, roughly one new kind every two years. Extrapolating that rate linearly suggests around 14 kinds by 2026, and given how fast technology grows it could be more. Mehdi D. et al. also identified twelve methods and techniques for confronting these attacks. Yet phishing seems to be winning the battle (APWG report 2015) even though there are more countermeasures than ever.
More technical approaches to combating phishing include antivirus software to block malware, anti-phishing software that detects an attack and stops it before it reaches the user, email authentication and filtering (Bergholz A. et al., 2010), and a host of others such as fake-website detection techniques (Zahedi et al., 2015).
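One concrete form of the tampering described above is a hosts-file entry that pins a bank's domain to an attacker's address. The Python below is an added example, not code from the original paper or the literature it cites: it scans hosts-file text for watched brand domains mapped to anything other than a loopback or unspecified (blackhole) address. The watched-domain list and the hosts-file content are constructed for the demonstration; on a real machine you would read /etc/hosts or the Windows drivers\etc\hosts file instead.

```python
"""Added example, not from the original paper: scan a hosts file for the
local name-resolution tampering that pharming malware relies on, i.e. a
well-known brand domain pinned to an address the attacker controls.
The watched domains and the hosts-file text below are constructed."""
import ipaddress
import re

# Constructed watch list: domains a phisher would want to hijack.
WATCHED_DOMAINS = {"examplebank.com", "paypal.com", "login.microsoftonline.com"}

# Constructed hosts file: loopback entries, an ad-blocker blackhole,
# one malware-planted redirect, and an intranet entry that must not be flagged.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example                   # ad blocker blackhole
203.0.113.7     www.examplebank.com examplebank.com   # planted by malware
10.0.0.5        intranet.corp.local
"""


def matches_watch_list(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_pharming_entries(hosts_text):
    """Return (address, hostname) pairs where a watched domain is mapped to
    something other than a loopback/unspecified (blackhole) address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an IP
        if addr.is_loopback or addr.is_unspecified:
            continue                              # blackhole pins are benign
        for name in fields[1:]:
            if matches_watch_list(name):
                hits.append((str(addr), name))
    return hits


if __name__ == "__main__":
    # Real use: replace SAMPLE_HOSTS with the contents of the system hosts file.
    for addr, name in find_pharming_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {addr}")
```

The same idea applies to a DNS cache or resolver answer: compare what the client resolves for a watched domain against what an independent resolver returns, and treat a disagreement as a pharming signal rather than as a routing quirk.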
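Email authentication is only useful if the receiving side checks that the authenticated domain is the one the user sees. A message can pass SPF and DKIM for a bulk-mailer's domain while displaying a bank in the From: header. The Python below is an added example, not code from the original paper or from Bergholz et al.: it reads the Authentication-Results header a gateway has already added and applies a DMARC-style alignment test against the From: domain. Both messages are constructed, and the organisational-domain rule (last two labels) is a deliberate simplification that ignores the Public Suffix List.

```python
"""Added example, not from the original paper: a DMARC-style alignment
check that an inbound mail gateway can apply after SPF and DKIM have been
evaluated. A passing SPF or DKIM result only proves that some domain
authorised the message; the question here is whether that domain matches
the domain the user sees in From:. Both messages are constructed; the
organisational-domain rule (last two labels) ignores the Public Suffix List."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed spoof: SPF and DKIM both pass, but for the bulk-mailer's
# domains, not for the examplebank.com shown in From:.
RAW_SPOOF = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.bulkmailer.example;
 dkim=pass header.d=bulkmailer.example
From: "Example Bank" <alerts@examplebank.com>
To: victim@example.net
Subject: Urgent: verify your account

Click here to verify: http://examplebank.com.verify-login.example/
"""

# Constructed legitimate message: SPF and DKIM identifiers belong to the bank.
RAW_LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.examplebank.com;
 dkim=pass header.d=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.net
Subject: Your monthly statement is ready

Log in at https://www.examplebank.com/ to view your statement.
"""


def org_domain(domain):
    """Simplified organisational domain: the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header_value):
    """Pull the domains behind passing SPF and DKIM results; None if absent."""
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([\w.@-]+)", header_value, re.I)
    dkim = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", header_value, re.I)
    spf_domain = spf.group(1).split("@")[-1] if spf else None
    dkim_domain = dkim.group(1) if dkim else None
    return spf_domain, dkim_domain


def dmarc_alignment(raw_message):
    """Report which authenticated identifiers align with the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    spf_domain, dkim_domain = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_aligned = spf_domain is not None and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_domain is not None and org_domain(dkim_domain) == org_domain(from_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "aligned": spf_aligned or dkim_aligned,   # DMARC passes if either aligns
    }


if __name__ == "__main__":
    for label, raw in (("spoof", RAW_SPOOF), ("legit", RAW_LEGIT)):
        print(label, dmarc_alignment(raw))
```

What the sending domain's DMARC policy says to do with a non-aligned message (none, quarantine or reject) is a separate lookup; the point of the check is that "spf=pass" on its own says nothing about the name the victim is looking at.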
Legal actions:
Legally, the governments of several countries, including the United States and Nigeria, have introduced anti-phishing legislation. The United States' Anti-Phishing Act of 2005 proposed prison sentences of up to five years for those guilty of phishing (govtrack.us), while Nigeria's Cybercrime Act of 2015 also makes provision for punishing perpetrators (vanguardngr.com).
More current statistics on the phishing situation globally:
Fig 2. Most targeted industry sectors, 3rd quarter 2015 (APWG Trends report, 2015)
The figure shows ISPs (internet service providers), financial institutions and payment services leading the chart of most-targeted sectors. It makes plain why phishers join the trade: to steal money from people.
Literature Review cont'd: One might assume that women would be more susceptible to these attacks, on the basis that they are on average less technically exposed, but the opposite is the case. A study found that men are more susceptible to phishing attacks than women, precisely because men report more online experience and are more comfortable in cyberspace, and so place more trust in what they see there (Ezer O. Y., Priscilla M. A., 2014).
Rank   July                       August                     September
1      United States    54.29%    United States    45.52%    Belize           52.65%
2      Belize           26.28%    Belize           37.25%    United States    36.69%
3      Belgium           3.89%    Europe            2.62%    United Kingdom    0.97%
4      Hong Kong         3.11%    Belgium           1.99%    Netherlands       0.86%
5      France            1.48%    Hong Kong         1.89%    Canada            0.72%
6      United Kingdom    0.97%    United Kingdom    1.13%    Germany           0.69%
7      Germany           0.89%    Canada            0.90%    France            0.60%
8      Canada            0.85%    Germany           0.85%    India             0.52%
Table 1. Countries hosting phishing sites, 3rd quarter 2015 (share of detected phishing sites per month)
The United States and Belize top the chart of countries hosting the most phishing sites.
The fight against phishers would be easier to win if corporate organizations and individuals were fully aware of the technologies available to fight with. Intel Security offers several products that work alongside Microsoft 365 to detect and block viruses, worms, Trojans and other malicious software that might tamper with email and its content (channelinsider.com). If users knew about such software and made a point of using it, many of the phishers' shots would land harmlessly, further reducing the number of phishing victims.
While such software will contribute a great deal to the fight, other papers point out that phishers also evolve and target the psychological weaknesses of humans (Zhengchuan X., Wei Z., 2012; Fatemeh M. Z., Ahmed A., Yan C., 2015). By psychological weakness the authors mean that humans are logical beings who can nevertheless be manipulated, through their psyche, into doing something (clicking a link, visiting a fake website) that they would not otherwise do. Hong's The State of Phishing Attacks makes the same point, and adds that phishers are shifting away from mass attacks that hope to catch anyone towards more selective attacks, known as spear phishing (Hong J., 2012). These spear phishing attacks are aimed mainly at organizations, and at their employees in particular.
REVIEW OF A KEY PAPER
The advance of technology and the internet is a good thing, but it comes with associated dangers, and those dangers are the driving force behind this research. Studies have shown that mobile devices will be the future of technology and the internet (Walsh A., 2012). This paper's main focus is phishing, where it is now and where it will be some time from now, so there is no better key paper than one on phishing attacks against mobile devices. The topic is well covered in the 2014 paper by Ezer O. Y. and Priscilla M. A. titled Phishing, SMiShing & Vishing: An Assessment of Threats against Mobile Devices.
According to the paper, phishing, SMiShing and vishing all fall under social engineering: manipulating victims with the aim of deceiving them into releasing confidential information that can then be used against them.
Phishing uses online methods such as emails and web pages. SMiShing uses SMS (Short Message Service) on mobile phones and devices. Vishing, which the study found to be the least prevalent of the three, uses voice, for example phone calls. The paper surveyed both men and women and arrived at the following findings.
Evaluation/ Outcome
- The most prevalent form of mobile threat is phishing.
- Victims are either only slightly aware or not at all aware of these threats.
- Men are more susceptible to these threats because of their greater online know-how and their high level of trust in online services.
- Phishing, SMiShing and vishing messages always carry suspicious traits that have similar characteristics. Since educating users is one of the best ways of reducing these attacks (Aryan C. S., Kiran P. S., Keshav G. T., 2013), those characteristics should be taught to users so that they can recognise and avoid future attacks.
- One of the many reasons users still fall victim is that they prefer the old-fashioned way of handling security, forgetting that technology advances like wildfire and there is always a new way of doing things. Users who fail to update their security practices fall into these traps.
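To make the "similar characteristics" in the findings above concrete, the Python below is an added example, not code from the paper under review: it scores a message against the recurring marks of phishing, SMiShing and vishing lures (urgency or threat wording, a request for a credential, and links whose host is a raw IP address, a URL shortener, or a brand name buried in a lookalike domain). The keyword lists, brand list and the three sample messages are constructed; a real deployment would tune the lists to the brands and languages it sees.

```python
"""Added example, not from the original paper: score a message for the
recurring marks of phishing, SMiShing and vishing lures. The keyword
lists, brand list and sample messages are constructed for the demo."""
import re
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "verify your")
CREDENTIAL_ASK = ("password", "pin", "one-time code", "otp", "card number")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
BRANDS = {"examplebank": "examplebank.com", "paypal": "paypal.com"}   # brand -> real domain

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)

# Constructed samples: a smishing text, the script of a vishing call
# (written down), and a benign internal message.
SMISH = ("ExampleBank: your account is LOCKED. Verify your details immediately "
         "at http://examplebank.com.secure-check.example/login")
VISH = ("This is the fraud team. Your card has been suspended; call back on "
        "0800 000 0000 and confirm your PIN to restore access.")
BENIGN = "Hi, meeting moved to 3pm tomorrow. Agenda: https://intranet.example.net/agenda"


def _has_phrase(text, phrase):
    """Whole-word match so that 'pin' does not fire on 'shopping'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def check_url(url):
    """Reasons a single link looks like a lure; empty list if none."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append(f"link host is a raw IP address: {host}")
    if host in SHORTENERS:
        reasons.append(f"link uses a URL shortener: {host}")
    for brand, real in BRANDS.items():
        # Brand name present, but the host is neither the real domain nor under it.
        if brand in host and host != real and not host.endswith("." + real):
            reasons.append(f"'{brand}' appears in a lookalike host: {host}")
    if parsed.scheme.lower() == "http":
        reasons.append("link is plain http")
    return reasons


def score_message(text):
    """Return (score, reasons); score is just the number of traits found."""
    lowered = text.lower()
    reasons = [f"urgency/threat wording: '{k}'" for k in URGENCY if _has_phrase(lowered, k)]
    reasons += [f"asks for a credential: '{k}'" for k in CREDENTIAL_ASK if _has_phrase(lowered, k)]
    for url in URL_RE.findall(text):
        reasons += check_url(url)
    return len(reasons), reasons


if __name__ == "__main__":
    for label, msg in (("smish", SMISH), ("vish", VISH), ("benign", BENIGN)):
        score, why = score_message(msg)
        print(f"{label}: score={score}")
        for r in why:
            print("   -", r)
```

The score is a count of traits rather than a probability; the value of the exercise for user education is the list of reasons, which is the same list of characteristics the paper recommends teaching.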
RECOMMENDATION FOR FURTHER RESEARCH/INVESTIGATION
Further research building on this insightful paper could examine the geographical locations of phishers and how the global community might come together to establish a legal framework that applies across all of cyberspace, making it easier to bring legal measures to bear on these criminals.
CONCLUSION
In conclusion, phishing is a danger to everyone on the internet. The number of victims is rising even though there are more technological methods for combating phishing than ever. Studies have shown that technological methods cannot win the fight alone; how people respond to what they see on the internet and to messages on their mobile phones matters more, because most attacks begin with the click of a link. As the best way for users, whether companies or individuals, to tackle phishers, this paper suggests a simple watchword: “Be careful what you click”. Our study of the papers, literature and real-life accounts shows that both unaware users and fully aware users with very good anti-phishing software still fall for these attacks (Optometrytimes.com), and it all starts with a click on a link of some kind. The future of this menace is dominated by attacks through mobile devices, which suggests dangers that spread faster, more widely and in greater numbers.
REFERENCES
Oxford Advanced Learner's Dictionary, http://www.oxforddictionaries.com/definition/learner/phishing, accessed Feb 2016
Nitesh D., Billy R. and Brett H. (2009) Hacking: The Next Generation. O'Reilly, pp. 145-151.
Antiphishing.org (2015) Anti-Phishing Working Group (APWG) Official Website. [online] Available at: http://www.antiphishing.org/resources/apwg-reports// [Accessed Feb 2016].
Ezer O. Y., Priscilla M. A. (2014) Phishing, SMiShing & Vishing: An Assessment of Threats against Mobile Devices. Journal of Emerging Trends in Computing and Information Sciences, Vol. 5, No. 4, April 2014.
Anthony Elledge (2007) Phishing: A Growing Threat. GIAC Security Essentials Certification (GSEC) Practical, Version 1.4b, Option 1. The SANS Technology Institute, 2007.
ChannelInsider.com, www.channelinsider.com/security/intel-security-launches-demand-c, accessed Feb 2016.
Zhengchuan Xu and Wei Zhang (2012) Victimized by Phishing: A Heuristic-Systematic Perspective. Journal of Internet Banking and Commerce, December 2012, Vol. 17, No. 3.
Jyoti C. R., Dahiya N. G., Monika R. (2013) International Journal of Advanced Research in Computer Science and Software Engineering 3(5), May 2013, pp. 458-465.
Fatemeh M. Z., Ahmed A., Yan C. (2015) Fake-Website Detection Tools: Identifying Elements that Promote Individuals' Use and Enhance Their Performance. Journal of the Association for Information Systems, Vol. 16, Issue 6, pp. 448-484, June 2015.
Mehdi D., Tole S., Mohammad D. J., D. S. (2015) An Introduction to Journal Phishings and Their Detection Approach. TELKOMNIKA, Vol. 13, No. 2, June 2015, pp. 373-380.
Aryan C. S., Kiran P. S., Keshav G. T. (2013) International Journal of Advance Research in Computer Science and Management Studies, Volume 1, Issue 7, December 2013, pp. 64-71.
Hong, J. (2012) The State of Phishing Attacks. Communications of the ACM, 00010782, Jan 2012, Vol. 55, Issue 1
WARREN, E., JUSTICE, C. and SUPREME, U., 2005. Legal, Ethical, and Professional Issues in Information Security.
Satapathy (1998) Law for Computer Misuse and Data Protection. Economic and Political Weekly, Vol. 33, No. 41 (Oct. 10-16, 1998), pp. 2639-2640. Stable URL: http://www.jstor.org/stable/4407262, accessed 23 March 2016.
Bergholz A., De Beer J., Glahn S., Moens M.-F., Paaß G., Strobel S. (2010) New filtering approaches for phishing email. Journal of Computer Security 18 (2010), pp. 7-35.
Govtrack.us, https://www.govtrack.us/congress/bills/109/hr1099/text, accessed 3 April 2016.
'At last, Senate passes Cyber Crime bill into law', Vanguard, 5 November 2014, http://vanguardngr.com/2014/11/last-senate-passes-cyber-crime-bill-law/, accessed 3 April 2016.