Who Will the Phishers Spoof Next? Could Be You.

By Neil Schwartzman
Senior Director, Security Strategy, Receiver Services

Banking online is awesome. The ease, the convenience, the flexibility – what an improvement over bankers’ hours and drive-up pneumatic tubes! And you know it’s trustworthy the same way you find your bank building: look for the logo. Right?

Nope. This is the internet. Anyone can steal anybody else’s logo, set up a web site, and fool millions of people.

What a bummer.

Phishing and related crime is quickly eroding all confidence in the safety of our personal and financial information online; things are getting worse in this area by the day. And they’re not just getting worse for the banks. Recently, a bank held a corporate customer responsible for financial losses they incurred after being attacked. Banks don’t like to lose money, so this may become a more frequent story as losses continue to mount.

Dr. Larry Ponemon, president of the Ponemon Institute, was recently quoted as saying that data breaches were up 600% in the last year. He said the average cost per record lost is $204. Think of how many records you’ve got in your customer database, just one file on one server. It adds up fast.

Nobody’s more aware of these issues than the Anti-Phishing Working Group (APWG), an organization consisting of technologists, bankers, researchers, law enforcement, and other interested parties (we recently became a member, as well.) Their latest report was recently released, and from their perspective as well, things simply don’t look good for businesses on the net. More brands — their names, logos, domains, everything — are being misused in phishing, and the numbers of unique attacks and payload websites have increased to all-time highs.

A few data points from the report easily illustrate how serious the problem has become:

  • “When comparing Q3 2009 to Q3 2008, we observed a 19 percent increase in unique brands being targeted and an 85 percent increase of domain names used in phish attacks.”
  • The number of unique phishing reports submitted to APWG reached an all-time high of 40,621 in August, nearly 5.5 percent higher than the previous record of 38,514 in September 2007. And that’s only what they hear about; the majority go unreported.
  • The number of unique phishing websites detected by APWG researchers reached a new record in August with 56,362, an increase of nearly 1.3 percent more than the former record of 55,643 in April 2007.

While the financial services and payment sectors are still the predominant vectors of attack, APWG Chair Dave Jevans was quoted on the Bank Info Security blog forecasting corporate bank accounts as the primary current concern:

What really worries Jevans is the targeting of corporate bank accounts and high-wealth customers, as well as the circumvention of authentication technology. “These criminals are rapidly figuring out how the financial industry works, where there is big money and large transfers, so they can basically do large wires out of these accounts without setting off fraud alerts.”

What does this mean for networked companies?

Now, more than ever, is the time for you to deploy authentication schemes in your email. To start, as everyone’s been saying for years, publish SPF records using “-all” so that receivers who pay attention to SPF know they can safely reject all other messages. Next, deploy DKIM to begin seriously protecting your domains. Return Path published a series of articles on DKIM that we strongly suggest your technical staffers review, and act upon as soon as possible. For added incentive, DKIM will become a standard for our Certification programs later this year.

Obviously, with crimeware running rampant, it is essential to your security that you maintain the highest level of standards on your internal network. All hardware (laptops & desktops, servers, routers, and everything else) and software should be patched as quickly as possible, and checks for updates should be performed daily. Remember, despite their best attempts, even the best anti-virus and anti-spyware software catches less than 50% of all the exploits in the wild, and there are dozens of pieces of malware using zero-day vulnerabilities out there. The least we can do is clamp down on known issues.

Many security researchers state unequivocally that you should stop using Microsoft Internet Explorer — and the governments of Germany and France agree. Google and even Microsoft say you shouldn’t use IE6 anymore, and should instead upgrade to version 8. But this isn’t just about IE; the important thing is that you need to be ready to question every IT policy — and don’t assume that your vendors will always be transparent when their software is unsafe.

Using our free senderscore.org, you can see which IP addresses are sending mail purportedly from your domain. Are those IPs all under your control? If not, why are they pretending to be you?
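
The two checks described above (does the SPF record end in “-all”, and are the IPs sending as your domain ones you have authorized?) can be combined in a short offline audit. This is an added example, not Return Path or senderscore.org code; the record, the IP addresses and the function names are constructed for illustration, and the IP list stands in for whatever a sender report shows you.

```python
import ipaddress

# Constructed sample record for a placeholder domain (RFC 7208 syntax).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (authorized_networks, all_result, unresolved_terms) for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, all_result, unresolved = [], None, []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = body.partition(":")
        if name.lower() == "all":
            all_result = QUALIFIERS[qualifier]
            break  # terms after "all" are never evaluated
        if name.lower() in ("ip4", "ip6") and qualifier == "+":
            networks.append(ipaddress.ip_network(value, strict=False))
        else:
            # include:, a, mx, redirect= and similar need DNS lookups,
            # which this offline sketch does not perform; report them instead.
            unresolved.append(term)
    return networks, all_result, unresolved


def audit_senders(record, observed_ips):
    """Split observed sending IPs into those the record lists and those it does not."""
    networks, all_result, unresolved = parse_spf(record)
    authorized, unauthorized = [], []
    for ip in observed_ips:
        addr = ipaddress.ip_address(ip)
        listed = any(addr in net for net in networks)
        (authorized if listed else unauthorized).append(ip)
    return {
        "hard_fail": all_result == "fail",  # True only when the record ends in -all
        "authorized": authorized,
        "unauthorized": unauthorized,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    # Constructed list of IPs seen sending mail as the domain.
    print(audit_senders(SAMPLE_SPF, ["192.0.2.25", "203.0.113.9", "2001:db8::1"]))
```

Any address in the "unauthorized" list is either a legitimate sender missing from your record or someone pretending to be you; terms in "unresolved" must be expanded through DNS before the result is complete.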

If you’d like to dig deeper into the answers to those questions — and you’re signing your mail with DKIM, or getting ready to start — we’ve got a new product in the works which should help, and we’re looking for a few more pilot customers. Contact us for more information.

Everybody who is paying attention to phishing these days sees the ever-increasing threat to businesses on the Internet. It is no longer limited to banks and payment services; the bad guys may go after your corporate bank account, your servers, your customer list, your email systems, and then use those to go after your customers and your partners. Even if your security is perfect and they don’t get any of those things, they’ll still “borrow” your brand. In that case, the best you can hope for is that they’ll merely tarnish your social reputation. Brand protection is now a standard cost of business online.
