Why phishing is a business issue
Published: 20 Oct 2005 15:15 BST
While there currently seems to be a nice lull in new widespread vulnerabilities and viruses, we can't say the same for phishing scams, which are still on the rise.
While phishing may appear to be a threat that primarily affects individual users, it also poses a major problem for businesses, both directly and indirectly. The goal of most phishing attacks is to obtain personal information from an individual.
However, some scams are beginning to target business credit information — companies are often a better target because they have more money. Businesses are accustomed to paying an invoice when they get it without doing much research. In fact, this is an old scam: Just mail out a bunch of invoices using a professional-sounding name, and many companies will just send a check. This means that even seemingly harmless information about billing cycles and sample invoices can pose a threat.
As phishing increases, consumers are becoming more leery about giving out personal information online, which negatively affects confidence in online buying — just as companies are turning to the Internet for an increasingly significant proportion of their sales. This change in attitude is having a measurable impact. According to Forrester Research, 600,000 online banking users in the UK have turned their backs on online banking due to the phishing threat.
And according to BBC, 90 percent of American computer users have changed their online habits due to a fear of spyware. This includes changing browsers, dropping file-sharing software, and even avoiding some Web sites.
Given that number, how can this fail to affect online sales? Any way you look at it, this can't be good news for companies.
In an effort to fight back, California recently became the first state to actually make phishing a crime that you can sue over. On September 30, 2005, Governor Arnold Schwarzenegger signed the nation's first anti-phishing bill. As hard as it may be to believe, until the new law went into effect, there was little or nothing you could do about phishing — even if you caught someone red-handed trying to steal your personal information.
The California Anti-Phishing Act of 2005 finally made it a civil offence to take any action to induce people to disclose personal data by falsely representing themselves as doing so for a business. The law included fines of $2,500 for each violation, and it lets victims sue for actual damage or $500,000 per violation, whichever is greater.
But the new California law is too narrow in its definition of phishing, and it doesn't apply to malware-based phishing. In addition, it poses little if any concern for any attacker not based in the state. However, it may trigger action in other states, in much the same way as other pioneering California privacy laws have.
US Senator Patrick Leahy introduced a similar bill to Congress in February 2005, but the proposal has received little attention. Leahy's proposed bill would make it a federal crime even to create a fake business site that spoofs a legitimate business or to attempt to obtain personal information via email. The bill provides specific protection for parody sites and includes other First Amendment protection.
And while the number of new security vulnerabilities and serious virus threats has remained very low recently, two-thirds of companies have suffered "significant" financial costs associated with IT failures in the last year, according to ZDNet UK sister site silicon.com. One-third suffered damage due to direct phishing and hacking attacks.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles.