Phishing is any attempt by attackers to steal valuable information by pretending to be a trustworthy party. Experts use the term ‘social engineering’ to describe an attempt to gain someone’s trust in order to gain an advantage. Most social engineering attacks have the intention of gaining access to money or credit, but they might also be used as part of blackmail schemes or to intimidate people. Perhaps the most common attack is for a criminal to impersonate a bank and obtain credit card numbers or bank account details.
Phishing relies on people trusting official looking messages, or conversations with apparently authoritative individuals, as being genuine. It is widespread and it can be enormously costly to people who find their bank accounts emptied, credit references destroyed or lose personal or sensitive information.
The use of electronic technologies to perform phishing attacks was described in the late 1980s, but the term did not become commonplace until the mid 1990s when a program called AOHell allowed users of the huge online company AOL to impersonate other people (including the founder of AOL itself).
Phishing became increasingly common as more and more people connected for the first time and began receiving official looking messages that looked very much like those sent out by genuine organisations such as banks, stores and government departments. What most of these users did not realise was that not only could email addresses be faked, but that electronic data can be easily copied – just because an email claims to come from your bank and has your bank’s logo doesn’t mean that it is genuine.
Phishing emails are often entirely indiscriminate. A phisher will create an email asking the user to get in touch with a bank or credit card company claiming that there is a problem with the account or that the bank may have lost some money. These sorts of messages make people justifiably worried and more likely to follow the instruction. The phisher will then include some plausible looking details such as the bank’s logo and address and then send it to millions of individuals. Among all the recipients, a few people will have accounts with that bank and a proportion of those people will click the link in the message, or telephone a number, which will begin the process of eliciting further personal information.
Spam is a consequence of the early Internet being developed by people who trusted one another. Most Internet email is moved around the world using the Simple Mail Transfer Protocol (SMTP) which defines a standard template of commands and formatting that allow different mail programs, on a huge range of computers, to understand one another. Protocols are used to specify a set of special messages that should be exchanged between computers to achieve a particular functionality, in this case the delivery of email.
SMTP was defined when the Internet had only a tiny number of users, so the designers of the original specification did not think there was any need for computers to authenticate one another, (i.e. there was no way of knowing if the message claiming to come from TrustedBank actually came from TrustedBank’s computers). This weakness would be addressed in a later extension to SMTP called SMTP-AUTH created in 1995. However, even where SMTP-AUTH is used, mail servers can still accept unauthenticated messages.
Spammers can attack a mail system by changing the information stored in email ‘envelopes’ which enclose the messages themselves. This is known as ‘spoofing’ and allows a spammer to disguise their actual address by writing new addresses for the sender (such as replacing their own address with that of TrustedBank) and the destination for receipts. Since SMTP servers do not perform any authentication, they simply pass on the email without checking that it originated with TrustedBank.
Simple spoofing is now being challenged by technologies that allow genuine senders to authenticate outgoing messages that can be checked by the recipient’s mail server; however only about half of all mailboxes have any protection against spoofing.
Provided a spammer has access to a fast network, or increasingly, to a network of compromised computers that have been infected with malware; spam costs the sender almost nothing. Although only a tiny fraction of users will respond to a spam message, sufficiently vast numbers of emails are sent that the rewards far outweigh the costs. It has been estimated that seven TRILLION spam messages, making up more than 85% of all email, were sent during 2011 alone. Such is the torrent of spam that not only do Internet service providers and companies have to buy far more bandwidth and storage than they will ever use, but that very profitable businesses have been set up to develop ‘filters’ that can identify and isolate spam email messages.
Other types of spam
Spam is no longer restricted to email, it is regularly sent via SMS messages to mobile phone users; in the UK millions of people are sent SMSs falsely claiming they are entitled to refunds on bank charges and missold insurance. Legitimate banks and insurers do not communicate in this manner and people who answer these messages might find themselves paying large amounts of money for ‘processing’ a non-existent claim. Spam is also found widely on social media and on website forum discussions where messages about the money that can be earned working from home often outweigh the genuine discussions.
Once again, this type of malware relies of social engineering to multiply – users of social networks are highly likely to click on links they think have come from friends and spread the infection.
So, no matter the source of the message, it pays to be wary. Always remember if it looks too good to be true, it is too good to be true. Just delete that message and move on.