Security threats Toolkit

Survey: Nearly all phishing from forged addresses

Staff CNET News.com

Published: 29 Jun 2004 12:00 BST

Almost 95 percent of email fraud and "phishing" reported in May emanated from forged addresses, according to new research from the Anti-Phishing Working Group, which argued that emerging email-authentication standards could take the sting out of such attacks.

Phishing attacks trick people into parting with personal information by luring them to bogus corporate Web sites. Almost 5 percent of recipients of such emails disclosed vital information such as credit card numbers, account user names and passwords, leading to identity theft and financial loss, the report said. The past few months saw phishing emails emerging as a major threat.

The study, however, conducted by the Anti-Phishing Working Group with technical help from Tumbleweed Communications, showed there was only a 6 percent increase in new phishing attacks last month. May witnessed 1,197 new cases, compared with 1,125 unique attacks in April. Of the new attacks, 848 targeted the financial services sector.

"One Achilles' heel of phishing, and other related email threats like spam and viruses, is the reliance on forged 'from' addresses to hide the sender's identity," APWG Chairman Dave Jevans said in a statement.

Despite varying specifications, several evolving technologies designed to provide verification of an email sender's identity can prevent such fraudulent mails from reaching customers.

Several top Internet providers, including Yahoo, Microsoft, EarthLink, America Online, British Telecom and Comcast, formed an alliance last week to push for new technical guidelines to fight spam mails. EarthLink is already working on putting anti-phishing software in place.