FTC on Phishing: Education is a Key Tool
The FTC has released a report on a Roundtable discussion on Phishing Education held April 1st 2008. Yes, at first I was suspicious that this might be a hoax...
The panelists confirmed what I and many of my antiphishing working group colleagues have said for some time: phishing is mostly about social engineering and little about technology. It's good news that the antiphishing community is rallying around this theme, and even better that they point to ISPs and others who use redirection and landing pages as "teachable moments" for phishing education as role models.
How does this work? Typically, once a domain or web site has been identified as a phishing site, ISPs, registrars, etc. take down that site. In many cases, the ISP, hosting company, or even a DNS operator will have an opportunity to redirect a user's request for that page to an alternate web page called a landing page. Instead of having this landing page say "URL not found", the education page says, "The web page you attempted to visit was suspended because it was a phishing site. Lucky you, we've disabled that site. Since you were tricked into visiting here, please read the following information and learn how to avoid doing this again. You may not be lucky twice..." The APWG is working on just such a redirect page. Some ISPs and organizations have developed their own (1). IMO, this is a much better service to the community than the self-serving practice of error resolution.
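As an added example (not code from the original post, the APWG or any ISP), here is a minimal takedown-redirect handler of the kind described above: a request for a suspended phishing host is answered with an educational landing page rather than a bare "URL not found". The takedown list, hostnames, paths and reasons are constructed sample data, and the function names are this example's own.

```python
"""Added example: serve an education landing page for suspended phishing
sites instead of a plain "URL not found". All hosts and reasons below are
constructed sample data (hypothetical, not real sites)."""

from dataclasses import dataclass
from datetime import datetime, timezone
from html import escape
from typing import Optional


@dataclass(frozen=True)
class Suspension:
    host: str          # hostname that was taken down
    path_prefix: str   # "/" covers the whole site; otherwise only that subtree
    reason: str        # short text shown to the user on the landing page
    suspended_at: str  # ISO date shown on the landing page


# Constructed takedown list (hypothetical hosts under reserved example domains).
SUSPENSIONS = [
    Suspension("secure-login.example.net", "/",
               "impersonation of a bank login page", "2008-04-01"),
    Suspension("shop.example.org", "/promo/verify",
               "credential-harvesting form", "2008-04-02"),
]

LANDING_TEMPLATE = """<!doctype html>
<title>This page was suspended</title>
<h1>The web page you attempted to visit was suspended</h1>
<p>The site <code>{host}</code> was taken down on {date} because it was a
phishing site ({reason}). You were most likely sent here by a deceptive
message. Before you continue, please review how to recognise such messages:</p>
<ul>
<li>Do not enter passwords or account numbers on pages reached from e-mail links.</li>
<li>Type your bank's or retailer's address yourself, or use a saved bookmark.</li>
<li>Report the message to the organisation being impersonated.</li>
</ul>
"""


def find_suspension(host: str, path: str) -> Optional[Suspension]:
    """Return the suspension covering this host and path, or None.
    Host matching is case-insensitive and ignores a trailing dot;
    when several prefixes match, the most specific one wins."""
    host = host.lower().rstrip(".")
    best = None
    for s in SUSPENSIONS:
        if s.host == host and path.startswith(s.path_prefix):
            if best is None or len(s.path_prefix) > len(best.path_prefix):
                best = s
    return best


def handle_request(host: str, path: str) -> dict:
    """Build an HTTP-style response for a request.
    Suspended content gets the education page with status 410 (Gone), a
    design choice of this example so that caches and crawlers drop the URL;
    anything not on the takedown list stays a plain 404."""
    s = find_suspension(host, path)
    if s is None:
        return {"status": 404,
                "headers": {"Content-Type": "text/plain"},
                "body": "URL not found"}
    body = LANDING_TEMPLATE.format(host=escape(s.host),
                                   date=escape(s.suspended_at),
                                   reason=escape(s.reason))
    # Record the hit: every visit is evidence that a lure for this site
    # is still circulating, which is useful for the takedown team.
    log_line = "%s landing-page host=%s path=%s" % (
        datetime.now(timezone.utc).isoformat(timespec="seconds"), s.host, path)
    return {"status": 410,
            "headers": {"Content-Type": "text/html; charset=utf-8"},
            "body": body,
            "log": log_line}


if __name__ == "__main__":
    for h, p in [("secure-login.example.net", "/index.php"),
                 ("shop.example.org", "/promo/verify?id=1"),
                 ("shop.example.org", "/about")]:
        r = handle_request(h, p)
        print(h, p, "->", r["status"])
```

In a real deployment this dispatch would sit in front of the parked domain at the ISP, hosting provider or DNS operator, and the takedown list would come from the abuse desk's records rather than a literal in the file; the point of the example is only that the suspended URL yields a teaching page, with a log entry per visit, rather than a silent error.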
An important part of the education provided at such pages and in training videos and sessions elsewhere is to emphasize how adept phishers have become at personalizing phish emails. Phishers commonly gather information to make their email impersonation of a brand like eBay or a bank look very real. This is old news. They now gather information from browser histories, public databases (WHOIS), etc., to personalize the email. Increasingly, you, the average Internet user, will receive email from "familiar faces". Not just any bank, but your bank. Not just any retailer, but retailers from whom you've opted in to routinely receive emails with sales and special offers. Phishers also target individuals who are likely to have considerable personal wealth: in what is called spear-phishing, the attacker will target all the officers and board members of a corporation. These are the "whales" in the sea of targets they phish. Owners and officers of small and medium businesses are just as vulnerable as large corporations, perhaps more so, since they do not have the staff, technology and expertise in-house to educate and protect them. Discussing ways to make users aware of these and other new munitions in the phishers' arsenals is a very useful exercise, and the FTC should continue to foster this sort of dialogue.
The FTC report itself is relatively brief, essentially a meeting report. But the messages highlighted in the summary are worth reading. Look for the report at http://www.ftc.gov/reports/index.shtm.
Archived at http://www.securityskeptic.com/arc20080701.htm#BlogID698
by Dave Piscitello