According to YouGov survey results out today, 46% of the UK population don’t have a clue what phishing is. The good news is that only about 2% of UK residents have fallen for a phishing scam, but that 2% equates to millions of people, which demonstrates why our inboxes are still bombarded with spoof emails.
So what can be done to stop the flood of spoof emails? The first and easiest step: if you receive an email and you’re not sure whether it’s a spoof or legitimate, forward it to [email protected] or [email protected]. Within minutes you’ll have a reply confirming whether your email is genuine or not; in addition, if it is a spoof, the fake website will be entered into an international database of known scam websites. From then on anyone with the latest browsers will be warned with a red address bar that they’re viewing a spoof site. Also, anyone with the eBay toolbar will be warned if it’s a fake eBay or PayPal site. Currently only 5% of people who recognise they’ve received a phishing email forward it to the company it purports to come from, alerting their anti-phishing taskforce. The twofold step of identifying new phishing sites and measuring the scale of phishing can only take place if more users forward the spoof emails they receive.
The next important step is the signing of emails with DomainKeys. Companies such as eBay and PayPal have already started to insert a signature, which users don’t see, within all emails they send to customers. Yahoo are the first ISP to start reading these signatures and will verify that the digital signature is valid and that the email originated from the company it purports to be from. If the domain key doesn’t match, the email can be junked as a spoof. More ISPs will start implementing DomainKeys checking within the next few weeks.
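The sign-then-verify flow described above, as an added example that is not code from the original post or from eBay, PayPal or Yahoo: a simplified Go signer and verifier. It assumes a constructed in-memory map in place of the DNS lookup (real DomainKeys/DKIM publish the key as a DNS TXT record), a constructed domain example.test with selector s1, a simplified header format, and a signature covering only the From header and the body.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// dns stands in for the DNS records a domain publishes its public key under (constructed).
var dns = map[string]*rsa.PublicKey{}

// Sign builds the hidden signature header that the sending company inserts into the mail.
func Sign(priv *rsa.PrivateKey, domain, sel, from, body string) (string, error) {
	// the signature covers the From header and the body, so neither can be altered
	h := sha256.Sum256([]byte("from:" + from + "\n" + body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return "d=" + domain + " s=" + sel + " b=" + hex.EncodeToString(sig), nil
}

// Verify is the receiving ISP's check: fetch the key named by d= and s=, require the
// From domain to match d=, then verify the signature. Any failure means "treat as spoof".
func Verify(sigHeader, from, body string) bool {
	f := map[string]string{}
	for _, kv := range strings.Fields(sigHeader) {
		k, v, _ := strings.Cut(kv, "=")
		f[k] = v
	}
	pub, ok := dns[f["s"]+"._domainkey."+f["d"]]
	sig, err := hex.DecodeString(f["b"])
	if !ok || err != nil || !strings.HasSuffix(from, "@"+f["d"]) {
		return false
	}
	h := sha256.Sum256([]byte("from:" + from + "\n" + body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Demo signs one constructed mail for example.test and checks the genuine mail, a
// body-altered copy, and a look-alike sender domain reusing the same signature header.
func Demo() (genuine, tampered, spoofed bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dns["s1._domainkey.example.test"] = &priv.PublicKey
	from, body := "service@example.test", "Your receipt is attached."
	hdr, _ := Sign(priv, "example.test", "s1", from, body)
	return Verify(hdr, from, body),
		Verify(hdr, from, body+" Please log in to confirm."),
		Verify(hdr, "service@example.test.invalid", body)
}
```

Only the untouched mail from the signing domain passes; the altered body and the look-alike domain both fail and would be junked as spoofs.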
There are also plugins available for many email readers such as Outlook and Outlook Express, such as Iconix (which is free!). These programs perform similar checks to those the ISPs will perform, including domain key verification, and they visually mark emails that are known to be authentic in the user’s inbox. If an email is not marked it could be a spoof, especially if it’s from a company whose emails are routinely flagged with the company logo to show when they are known to be authentic.
Spoof and phishing emails won’t disappear overnight, but steps are being taken to protect Internet users and stem the tide. The one thing that will stop phishing in the long term is users no longer falling for them. The major incentive is that it only takes a few users each day to fall for a phishing email to net the fraudsters a couple of hundred pounds – in countries such as Romania that’s well above the average wage, so there is a huge temptation to turn to crime.
In the meantime, PayPal have some tips on how to spot a phishing email:
Top tips to spot a phishing email
1. Generic greetings. Many spoof emails begin with a general greeting, such as: “Dear PayPal member.” If you do not see your first and last name, be suspicious and do not click on any links or buttons.
2. A fake sender’s address. A spoof email may include a forged email address in the “From” field. This field is easily altered.
3. A false sense of urgency. Many spoof emails try to deceive you with the threat that your account is in jeopardy if you don’t update it ASAP. They may also state that an unauthorised transaction has recently occurred on your account, or claim PayPal is updating its accounts and needs information fast.
– Michael Barrett, PayPal Chief Information Security Officer