Phishing, Spoofing and Putting the World to Rights

I was driving in my car last weekend and had my father as my passenger/sat-nav/in-car entertainment (read: "putting the world to rights"). He mentioned to me that he was getting a lot of spam from banks telling him that his account had been put on hold and that he needed to log on to verify his identity. Luckily he deleted those emails because despite regularly getting viruses on his computer through clicking on random internet popups (“Your machine is infected, click here to fix”) he’s at least savvy enough to know that he doesn’t have an account with the purported senders. But what about those people that do? How many of them click on the link and surrender their details?

Briefly back to the words of my father: "I'm getting a lot of spam from banks". Well, not quite. What you're actually getting is phishing email that's spoofing the bank's identity. It's not particularly targeted phishing, but it is reasonably clever nonetheless, and it led to UK consumers and businesses losing nearly £400 million in 2012, making us one of the most heavily phished countries in the world.

I'm not going to delve into too much detail on the attacks, so if you want to read about how to spot a phishing or spoofing email, see Lauren's blog post. I will briefly touch on the internet security popups that I mentioned earlier: the UK's fraud prevention service estimates that £30 million was spent on such "scareware". That must equate to a huge number of victims, given that they usually ask for only a small amount of money.

I've already mentioned "phishing", "spam" and "scareware", and there are many more terms that are bandied around, but I wanted to take a few moments just to clarify the differences between phishing, spoofing and spam.

Spam is, officially, unsolicited bulk email. Think of it as the equivalent of the junk mail that gets thrust through your letterbox and that you put straight into the recycling pile. Spam is annoying, but it's not really dangerous.

Spoofing is where a malicious email is sent under the guise of an official or recognised persona. Think of email that looks like it's from your bank, favourite grocery store or online game. Spoofing by itself is not an attempt to steal valuable information from you but to make you do something, such as visiting a fake greeting card website that installs malware on your computer, steals your email address and all your email contacts, and sends them email from you with the same link in it.

Phishing is an attempt to get you to surrender valuable personal information, and it is often used in conjunction with spoofing to convince you to surrender it. The example we all recognise is an email from our bank that says there's been a change in procedure that requires you to confirm your password. You visit the site, which they've created to mirror the bank's login page, and try to log into your account. What you're actually doing here is surrendering your bank login details to the phishers. Think logically and you'll see that this type of attack can apply just as easily to social media, gaming, even grocery shopping and high street retail. So much of our life is online that our banking and personal details are everywhere.

To quickly recap: phishing is not spoofing, but they're often used together to convince you to surrender personal information.

Kaspersky analysed 50 million of its users and reported that 3,000 individuals were targeted every day in 2012 by a phishing attack, compared to 1,000 a day in 2011. That's a massive increase. RSA estimated that in 2012 phishing attacks in the UK earned £396,906,044 for the criminals; that's over double what they made in the US, where the figure stood at £158,269,792 ($245,476,572).

I'm going to be holding a webinar on the 12th September talking about how phishing (and spoofing) impacts marketers and their security teams. It's open to all, so please join me by registering here.