Phishing attacks have reached a new height and are only expected to keep
increasing, according to Postini, Inc.
The email security company, which is based in Redwood City, Calif.,
reports finding 19,282,136 phishing attacks in July. That’s a 16 percent
increase compared to June.
“Clearly, we’re going to see more of this,” says Andrew Lockhart,
senior director of marketing for Postini. “Phishing is still in its
infancy… If you’ve got the nerve for it and the talent for it, phishing
pays better than other types of spam. If you’re blasting out spam about
toner cartridges or herbal Viagra, maybe every sucker will part with 20
or 25 bucks. If you’re phishing, you’re looking at a potential payday of
hundreds of thousands of dollars.”
Lockhart points out that despite any increases, phishing attacks still
only make up about 1 percent of all spam. “Plain old spam is just much
easier to do,” he adds.
Phishing is a scam in which the attacker, in an effort to pilfer personal
and financial information, sends out emails appearing to come from
legitimate e-commerce sites, such as banks. By duping the recipient into
handing over critical information, the attacker then steals the person’s
identity, taking money out of the bank or racking up credit card debt.
Steve Sundermeier, a vice president at Central Command, an anti-virus and
anti-spam company based in Medina, Ohio, says phishing is easy enough and
profitable enough that he expects it to keep growing at a high rate.
Actually, he says he expects it to increase 100 percent over the next
year.
“They’ve got these Web sites crafted,” says Sundermeier, who notes that
many of these fake sites, which also are called landing sites, are only
up for a matter of minutes. “To create a phishing scam, unfortunately,
is fairly easy. You’re not dependent on a key logger or some sort of
spyware.”
The Corporate Side of the Issue
Ken Dunham, a senior engineer at Verisign-iDefense Intelligence based in
Reston, Va., notes that as phishing continues to worsen, IT managers are
increasingly put in the position of having to protect their end users from it.
Both Dunham and Lockhart say IT organizations have an obligation to train
end users how to protect themselves. While phishing attacks generally
don’t affect a company directly, the company’s ‘family’ of workers is at
risk. And teaching employees to beware of phishing scams is a natural
part of teaching them how to beware of spam, viruses, Trojans and
malicious Web sites. It just all fits together.
“We all know that if you do your user training, the main thing is about
attitudinal change,” says Dunham. “It does change the approach that
people take to their life online. You tell them not to click on
hyperlinks. If they want to go to CNN.com, just type it into their
browser. Wouldn’t it be great if people get basic security training?”