December 2009

'Tis the Season to be Phishing


Phishers are set to have a bumper Christmas this year, as bargain shoppers snap up the bait. In the UK alone almost 2,500 bank account details will be captured and nearly a thousand full identities will be stolen¹.

Trusteer has released its online phishing analysis, covering 10 large banks in the US and Europe over a three-month period, with the data normalised per one million users. According to the report, phishers have managed to take an average of $2,000 (1,225.08 GBP) per compromised online banking account, totalling $9.4 million per year.

Phishing is popular amongst cyber criminals because it is easy to implement: create a fake website that looks almost identical to the original and send e-mails worldwide containing links that lead victims to it, where their payment details are captured.

Last month a 22-year-old bedroom hacker was arrested by the Israeli Defence Force after he had sent e-mails containing links to phishing sites that mimicked the websites of Bank Leumi and the Bank of Israel.

The Virus Lab at Avira (a supplier of its own security solutions) conducted a phishing-origin analysis covering the last three months. It provides an overview of the spread of phishing attacks and identifies the most popular "brand-spoofed" companies, which are the current phishing targets world-wide.


APWG (the Anti-Phishing Working Group) has published its 1st Half (January-June '09) Phishing Activity Trends Summary, which includes some really shocking figures:

  • Unique phishing reports submitted to APWG reached a high of 37,165 in May, around 7 percent higher than last year's high of 34,758 in October
  • The number of unique phishing websites detected in June rose to 49,084, the highest recorded since April 2007's record of 55,643
  • The number of hijacked brands rose to a high of 310 at the end of Q1
  • Payment Services became phishers' most targeted sector, displacing Financial Services in Q1 and Q2
  • The total number of infected computers rose more than 66 percent between Q4 2008 and the end of the first half of 2009, to 11,937,944, representing more than 54 percent of the total sample of scanned computers
  • Sweden was the number 1 nation for hosting phishing websites at the end of the first half

Phishing is the act of gaining illegal access to somebody's sensitive information, such as a username, password or credit card details. Phishers lure a person into logging in and providing his or her personal details on a fake website or via a fake link.

Malware is somewhat different from phishing. In short, malware stands for malicious software: software designed to infiltrate or damage a computer system without the owner's permission. It includes computer viruses, worms, trojan horses, spyware, etc.

Since the majority of phishers target bank accounts, the UK banking industry in particular is working closely with a number of partners at home and overseas, such as the Serious Organised Crime Agency, Internet Service Providers and software companies, to restrict phishing attacks.

How do the phishers know of your bank account?

The shortest answer to this question is that they don't. They keep sending millions of identical "spam" e-mails to people all over the world, looking for targets, and once a customer of some bank honestly provides his or her personal information, they get lucky. Spammers gather e-mail addresses from a variety of sources, such as web pages and newsgroups, and even from sheer guesswork.

What do the banks do to combat phishing?

Banks are advising their customers to report immediately any link or e-mail asking for personal details. People must refrain from clicking on any such website or log-in form and must instead notify the bank concerned so that it can verify the message.

The American Bank offers the following advice on combating phishing on its website:

"Never give your card, PIN, or account numbers or other sensitive information to anyone, even if it appears to be legitimate. If you are ever solicited by someone claiming to be from American Bank asking for this information, please do not give them the information and contact us immediately. Our contact information can be found on this website under the 'Contact Us' link or you can report a potential phishing attempt to your area branch."

Last year, London's Barclays Bank contracted Gemalto (an Amsterdam-based provider of digital security and smart card solutions) to supply smart card readers to authenticate its online customers. Since then, "phishing attacks decreased dramatically against Barclays whilst increasing to an all-time high for the U.K. banking industry", reports Sean Gilchrist, the bank's digital banking director.

PayPal, a global leader in online payment solutions, has published some useful tips to make its customers aware of phishing. Its website has a section headed "Questions PayPal will never ask you in an email", listing:

  • Credit and debit card numbers
  • Bank account numbers
  • Driver's license numbers
  • Email addresses
  • Passwords
  • Your full name

Similarly, many other banks in Europe and in other parts of the world are arranging for safe online payment transactions so that account holders do not fall into the trap set by the phishing gangs.

How do people get their money back, after being Phished?

If you are robbed by a cyber criminal, you can often get the amount refunded, provided you act immediately and let the bank know you have been cheated. In the US, for example, when an ATM card, PIN or online banking password is stolen, consumers must report the loss within two days of receiving the bank statement that reflects the fraud, according to "Reg E" (a set of regulations issued by the Federal Reserve that governs online banking, ATM withdrawals and debit card payments).

Consumers who act promptly are liable for only $50 (29.96 GBP) in losses, while waiting a third day can raise the liability to $500 (299.63 GBP). If a consumer waits more than 60 days, the liability is unlimited.

The UK government's Fraud Bill targets phishing criminals and allows judges to sentence those found guilty of "participating in fraudulent activity" or "false representation" to prison terms of up to 10 years.

What are the banks' policies on e-mail? Do they send e-mails?

Hancock Bank (US) does not use e-mail notifications to request confirmation of personal information or to direct customers to download attachments. If a person receives such an e-mail, responding to it may put his or her financial information and identity at risk. It is advisable not to respond and instead to forward a copy of the message to:

Deutsche Bank, operating in 72 countries, collects e-mail addresses through the following channels:

  • Account opening form (Customer Information Form)
  • SMS
  • Phone banking
  • Online Banking
  • Contact information update form available at branches, ATM and the website

Best possible ways of avoiding phishing attacks:

  • Use a spam filter: A spam filter can block the majority of phishing e-mails. Many e-mail clients, including Outlook and Windows Mail, have a built-in spam filter
  • Use a phishing filter: Most browsers also include a more advanced phishing filter that is said to be far more effective at keeping you away from fraudulent sites
  • Keep your browser's CA database up to date: Microsoft provides a service that runs on your machine and automatically checks for Windows updates; once found, it can download and install them for you. For Mozilla Firefox, you can download the "Netcraft Plus Anti-Phishing Toolbar", which runs on any operating system. The toolbar displays the location, popularity and abstracted risk rating of any site you visit. It gives you a good idea of which websites to stay away from and also prevents you from going to sites that have been reported as phishing sites, keeping you and your information safe from thieves
  • Check your browser settings: do you trust the browser plug-ins you have installed (Firefox extensions and ActiveX controls)?
  • Use a firewall: A firewall is a piece of software or hardware that sits between your computer and the internet and only allows certain types of traffic to cross the wall
  • Educate yourself and your employees: Make sure both you and your workers understand what phishing is and how it works, how to tell whether an online transaction is secure, and never to enter personal or financial information into a site that is unknown or suspicious to you
  • Don't run programs of unknown origin
  • Disable hidden filename extensions
  • Keep all applications (including your operating system) patched
  • Turn off your computer or disconnect from the network when idle
  • Inform an anti-phishing group or agency: You may seek the help of the Anti-Phishing Working Group or the Federal Trade Commission, or notify the FBI's Internet Crime Complaint Centre about any phishing mail

Unless people themselves are "on their guard", phishers will carry on with their fraudulent activities and the illegal draining of accounts on a large scale. E-mail users must be careful before clicking on any link in a message. They should ensure websites are properly encrypted by checking whether or not the web address begins with "https" (the "s" stands for secure). Always ask yourself: do you trust this site, and do you trust the computer you are using?

Symantec's Phishing Report for November 2009 shows a 17% increase in phishing attacks over the previous month. People are particularly advised to be cautious of phishers and spammers as the holiday season approaches. It is prime time for the cyber gangs to get active in finding new targets via e-mail, social networking sites and online forums.

Suparna Sen, Smartcard & Identity News


¹ Prediction by online security expert Marcus Whittington of SentryBay.
