Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today, you’re likely to look at someone who’s never been on the Internet as an alien life form, many new users are surprisingly logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users. Even if you’ve been online for years, it can sometimes be difficult to spot new tactics being used to e-mug you.
While it’d be nice to think that common sense will always protect you, common sense alone has shown to be only marginally effective against the evolving online fraud syndicate. The FBI’s 2007 IC3 summary reported over 200,000 complaint submissions of online fraud, up from the mere 16,000 complaints received when the program began in 2000. Of the complains received, the typical kind of scam that would give your common sense a chance to flex – Nigerian 419 scams – represented only a mere 1% of all complaints, suggesting very few people are falling for these anymore. Instead, the new big-ticket item in the underworld of fraud is phishing. Phishing is considered by the FBI as “foremost” among email based scams, and seeks to illicit information about a person’s identity – such as credit card and social security numbers, and other information which can be used to commit crimes of identity theft. Phishing is a smoke and mirrors trick designed to fool you into thinking you’re logging into your bank or credit card’s website, when in reality you’re using a mock-up site designed to steal your personal information.
Online fraud and identity theft crimes consisted of over 17% of the total complaints received in 2007. It’s no surprise that online fraud is growing given how lucrative fraud scams can be. In 2007, over $239 million was lost by those reporting complaints to IC3. This set a new record for financial loss, and yet the number of actual complaints was at a three-year low. The complaint count was similar to that of 2004, yet in 2004, only $63 million had been lost to scammers. This suggests that scammers have become much more efficient than they used to be. Today’s criminals clean people out of more money, and do it with less effort.
It’s no surprise too that 32% of these scams were perpetrated using a website, and 73% involved email correspondence. It’s relatively inexpensive to deploy a phishing site kit on hundreds of hacked or free web servers and then send out millions of email messages to hook the few unsuspecting individuals who fall for the bait. While a specialist in the field might recognize the site to be a forgery, the average computer user has only a few basic instincts to know whether they’re safe.
Most Internet users will apply some form of common sense rules when visiting a website. The most valid question they can ask is, “does the URL in my address bar match that of my financial institution?” Simply applying this one basic rule can thwart a majority of phishing attacks. Applying the wrong types of common sense assumptions can be dangerous. Replies from victims such as, “the website looked real to me”, and “the link in the email looked right” are not uncommon, and are usually the result of being taught a few bad habits.
Scammers are working actively to outsmart their victims, but what the victims might not know is that there is another factor also working against them: their financial institution. Even after years of knowing how phishing sites operate, many banking and credit card institutions continue to teach their customers bad habits by conditioning them in ways that poison their common sense. None of this is done maliciously, of course, but somehow their webmaster never got the memos about phishing. Some of the bad habits your financial institution might be teaching you include:
Click This Link
After years of knowing this is a bad idea, many legitimate websites are still sending email messages to their customers with clickable links. Clickable links have been abused by phishing scammers since the beginning because they allow you to craft a web address that displays the legitimate institution’s website URL in the email, but will take you to the scammer’s mock-up website when you click on it.
Using clickable links in correspondence conditions the customer to fall victim to these types of scams, and causes them to ignore the URL in their address bar.
Email sent from your company should never instruct a user to click on a link. Instead, instruct them to simply visit your website. If you must provide a URL, provide it in plain text and keep it simple.
Paste This Link
Almost as bad as clickable links is the practice of instructing a customer to copy and paste a link into their browser. This is another common bad habit that has been exploited by scammers to steal your personal data. Many scammers simply remove the leading www prefix, or the http:// protocol prefix to avoid filters from seeing the URL in their email. This conditions the customer to assume the link is valid because it’s not clickable, and might also prevent them from visibly confirming the URL.
Email sent from your company should never provide a URL so complex that it must be copied and pasted. Provide only the main URL to your website, which the customer should be able to identify with. Anything overly complex should be linked to from the website once they get there.
Multiple SIgn-On Domains
A customer can only know if they’re visiting a legitimate website if the URL in the address bar matches. Many large banks, however, have taken on the poor practice of using multiple domains, and sometimes even using outsourced, third party URLs, to sign customers in. This confuses their customer and conditions them to disregard the URL in the address bar, since they’ll never know if it’s right or not.
Your company should use a single sign-on page and only one domain name for a customer to identify with. Like the entrance to a concert or other special event, your website should funnel everyone through one central line. This will avoid confusing your customer about which domains you’ve registered; most customers don’t know how to look this information up.
Multiple Sign-On Pages
In addition to using multiple sign-on domains, many companies use different sign-on pages to log into different types of accounts, or present different pages depending on where the customer is navigating. This desensitizes the user to the look and feel of your website, making them more likely to miss the variations in counterfeit websites, which might have otherwise raised a red flag.
The customer should not depend on whether a website “looks” real, however when they are desensitized to the layout and branding of your sign-on page, you increase their likelihood of falling for a scam. It is said that bankers are the best at spotting counterfeit currency because they work with the real thing all day. Your customers can be taught to spot a forgery simply by using one central sign-on page. This page should also have a simple URL that the user can become familiar with. All other pages on your website should link to this one sign-on page.
Log In To Verify Your Account
Scammers have used various forms of fear mongering for years that have tricked victims into logging in to verify account details. Some of these scams include informing the victim that their account is suspected of fraud, that the account has been suspended, or that they will need to verify their information to avoid an account lock. All of these notifications advise the victim to make an urgent effort to log in.
When a customer is under duress, they are more likely to skirt their normal common sense checks to address the problem. Companies engaging in this same practice cause their customers to get into the habit of responding to these types of urgent notifications, increasing their chances of falling victim to a bogus one. If a notification is urgent enough to warrant an account lock, it is important enough to be delivered to the customer via telephone, and with proper verification procedures to identify your company to the customer. Sending urgent messages via email is only inviting trouble.
Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile. As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.
Security images and other enhancements are an added layer of security, but your customers should be aware that they can be easily spoofed. Instruct your customers to rely on the website URL, rather than a security image, and to only use the security image as an added means of verification.
In addition to these bad habits, many companies avoid addressing the problem entirely, and teach their users that they can protect their account by employing policies such as strong passwords or usernames requiring a digit. Security questions are another common layer added to websites that don’t do much to them more resilient. None of these techniques will necessarily have any affect in strengthening security against a phishing attack, because the customer is providing the information directly to the scammer’s mockup site. Even revolving security questions can be easily phished when the scammer is familiar with the questions prompted by the institution.
Identifying legitimate correspondence is the first line of defense a customer has in avoiding a scam. The best thing you can do as a company is to inform your customer that you will never prompt them to click on or paste a link, never instruct them to enter their credit card number online, and familiarize them with the only website URL they should ever associate with your company.
Unfortunately, many websites still teach bad habits. Large banks continue to use multiple website domains, rather than centralizing all of their sites under a single web address. Other companies have abandoned common sense entirely and send email closely resembling existing phishing scams, complete with hot links and urgent requests. Facebook was recently slammed in the tech community for sending clickable links to their users prompting them to verify information in their account. They’re not alone, however, as many other popular online institutions have been known to follow similar practices.
In July, we published findings that SPF/DKIM usage was declining among the Fortune-500 companies. Of the 500 wealthiest companies, less than half were implementing the simple, free anti-forgery countermeasures to protect users from spoofed email. You can read more about this at this link.
Businesses can’t prevent their customers from being scammed, but they can help to educate and condition them to recognize legitimate correspondence. The first step in doing this is to encourage sound practices when visiting your website. By helping your customers avoid becoming victims, you’re helping to avoid headaches that will ultimately become yours, and ensure that your customers remain satisfied ones, likely to return.
by Jonathan Zdziarski