Analysis of the Phishing Email Problem and Discussion of Possible Solutions

Christine Drake, Andrew Klein, Jonathan Oliver

2005

Abstract

With the growth of email, it was only a matter of time before social engineering efforts used to defraud people moved online. Fraudulent phishing emails are specifically designed to imitate legitimate correspondence from reputable companies but fraudulently ask recipients for personal or corporate information. Recent consumer phishing attempts include spoofs of eBay, PayPal and financial institutions. Phishing emails can lead to identity theft, security breaches, and financial loss and liability. Phishing also damages e-commerce because some people avoid Internet transactions for fear they will become victims of fraud. In a recent survey, both fraudulent and legitimate emails were misidentified 28 percent of the time, and 90 percent of respondents misidentified at least one email. Based on these results, we cannot expect consumers alone to be able to recognize phishing emails. Instead, we must combine multiple solutions to combat phishing, including technical, legal, best business practices, and consumer education.

Paper Citation


in Harvard Style

Drake C., Klein A. and Oliver J. (2005). Analysis of the Phishing Email Problem and Discussion of Possible Solutions. In Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005) ISBN 972-8865-25-2, pages 309-318. DOI: 10.5220/0002564803090318


in Bibtex Style

@conference{wosis05,
author={Christine Drake and Andrew Klein and Jonathan Oliver},
title={Analysis of the Phishing Email Problem and Discussion of Possible Solutions},
booktitle={Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)},
year={2005},
pages={309-318},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002564803090318},
isbn={972-8865-25-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)
TI - Analysis of the Phishing Email Problem and Discussion of Possible Solutions
SN - 972-8865-25-2
AU - Drake C.
AU - Klein A.
AU - Oliver J.
PY - 2005
SP - 309
EP - 318
DO - 10.5220/0002564803090318