Analysis of the Phishing Email Problem and

Discussion of Possible Solutions

Christine Drake

, Andrew Klein

, Jonathan Oliver

MailFrontier, Inc., 1841 Page Mill Road,

Palo Alto, 94304, USA

Abstract. With the growth of email, it was only a matter of time before social

engineering efforts used to defraud people moved online. Fraudulent phishing

emails are specifically designed to imitate legitimate correspondence from

reputable companies but fraudulently ask recipients for personal or corporate

information. Recent consumer phishing attempts include spoofs of eBay, Pay-

Pal and financial institutions. Phishing emails can lead to identity theft, secu-

rity breaches, and financial loss and liability. Phishing also damages e-

commerce because some people avoid Internet transactions for fear they will

become victims of fraud. In a recent survey, both fraudulent and legitimate

emails were misidentified 28 percent of the time and 90 percent of respondents

misidentified at least one email. Based on these results, we cannot expect con-

sumers alone to be able to recognize phishing emails. Instead, we must com-

bine multiple solutions to combat phishing, including technical, legal, best

business practices, and consumer education.

1 Introduction

“Phishing” is the term for an email scam that spoofs legitimate companies in an at-

tempt to defraud people of personal information such as logins, passwords, credit

card numbers, bank account information, social security numbers, and mothers’

maiden names. For example, an email may appear to come from PayPal (using the

same logo and color schemes), claiming that the recipient’s account information must

be verified because it may have been compromised by a third party. However, when

the recipient provides the account information for verification, the information is

really sent to a fraudster, who is then able to access the person’s account. The term

phishing was coined because the fraudsters are “fishing” for personal information.

The most traditional form of phishing collects personal information in a form in

the em

ail or through a fraudulent Web site accessed through a link provided in the

email. More recently, some fraudsters use phishing emails as a means to secretly

download a keylogging Trojan or spyware application onto the email recipient’s

computer. For example, fraudsters created a phishing email with a link that sent the

user to a Web site, which downloaded a keylogging Trojan onto the user’s computer.

This application subsequently recorded all information entered by the user into bank

Web sites specified in the program and sent the recorded information to the fraudster

[12].

Drake C., Klein A. and Oliver J. (2005).

Analysis of the Phishing Email Problem and Discussion of Possible Solutions.

In Proceedings of the 3rd International Workshop on Security in Information Systems, pages 309-318

DOI: 10.5220/0002564803090318

 SciTePress

Phishing emails range from the very simple to the very sophisticated, which can

fool even the savvy Internet user. These fraudulent emails harm their victims through

loss of funds and identity theft. They also hurt Internet business, because people are

losing trust in Internet transactions [8, 9].

The most targeted industry is financial services. Internet retailers and Internet ser-

vice providers are also targeted.

Phishing emails are mass mailed: Billions of phishing

emails are sent out every month [21]. According to a study by Gartner, approximately

57 million U.S. adults believe they have received a phishing email message [9].

More important than the number of phishing emails distributed is the number of

people that are fooled by these emails. MailFrontier posted a test on its Web site

testing whether people can correctly identify fraudulent emails

(http://survey.mailfrontier.com/survey/quiztest.html). Over 300,000 people have

taken this phishing test. MailFrontier also contracted a survey company to distribute a

more comprehensive survey to over 1000 people. The results from both the test and

the survey show that people misidentify both fraudulent and legitimate emails at a

rate of over 28 percent and 90 percent of respondents misidentified at least one email.

This paper discusses these results and the possible reasons why people fall for phish-

ing emails. The paper then goes on to consider possible solutions to phishing.

2 Why People Get Hooked

When phishing emails first emerged many of them were poorly constructed. They did

not contain the legitimate company’s images or links, and contained misspelled words

and poor grammar. Lately fraudsters have invested a considerable amount of effort

into convincingly spoofing legitimate companies. This section discusses how often

people are fooled by phishing emails and how fraudsters use social engineering to

lure in their victims.

2.1 The Survey Results

MailFrontier created a test consisting of 10 emails which asked participants to indi-

cate whether each email was fraudulent or legitimate. A similar survey was created

consisting of five emails. The 15 emails used in both the test and survey were almost

evenly split between fraudulent and legitimate emails (seven fraudulent and eight

legitimate). All of the emails used are real fraudulent and legitimate emails received

by MailFrontier. The results from the test and survey show that the participants mis-

identified the emails 28 percent of the time; fraudulent emails were misidentified as

legitimate at a rate of 31 percent and legitimate emails were misidentified as fraudu-

lent at a rate of 19 percent.

The survey also grouped the participants’ responses by gender, age, marital status,

whether the respondents had young children in the household, household income,

region, and employment status. The results were consistent across all of these factors

except age. The youngest age group was more likely to believe the emails were le-

gitimate, and in each higher age group the participants were more likely to identify

310

the email as fraudulent. These results held true whether the email was actually legiti-

mate or fraudulent.

Table 1. Survey Responses by Age Group.

24 25-34 35-44 45-54 55 +

Misidentified

Fraudulent as Legitimate

37% 27.5% 26% 25.5% 21.5%

Misidentified

Legitimate as Fraudulent

10% 12% 16% 17% 23%

One possible conclusion is younger Internet users have been raised using the

Internet and are more accustomed to relying on the Internet for business transactions.

To younger people, disclosing personal information over the Internet might seem

more commonplace. Or perhaps older users have just learned to be more cautious or

skeptical.

When analyzing these results it is important to remember that many of the recipi-

ents of phishing emails are not customers of the spoofed companies and may quickly

realize that the email is fraudulent, or may believe that the email was mistakenly sent

to them and ignore it. Fraudsters rely on the responses from the few recipients who

are customers of the spoofed company and who fall victim to the scam. In the survey,

the participants were asked to judge each email, whether or not they were customers

of the legitimate or spoofed company.

The fraudulent emails used in the test are examples of very convincing phishing

emails. The test did not use samples of some of the poorly crafted phishing emails.

However, most of the phishing emails that are being sent today are very sophisticated.

And the number of well crafted emails is expected to increase. The first phishing

fraudsters were novices and this showed in the very basic emails that they sent. Then

professional criminals began sending out phishing emails, and the emails became

more sophisticated [14]. Now free phishing “kits” are available on the Internet, which

contain everything necessary to effectively spoof a legitimate company, including

graphics, Web code, text, and spammer software. With the availability of these kits,

almost anyone can send out believable phishing emails [5]. Phishing emails are also

growing in languages such as Spanish, French, German, and Dutch [19].

2.2 Using Social Engineering to Snare Victims

Fraudsters use social engineering in phishing emails, which is the use of psychologi-

cal methods to manipulate victims into disclosing information [15].

The fraudsters attempt to gain the recipient’s trust by making the phishing emails

appear to originate from reputable companies. The paper, Anatomy of a Phishing

Email, by Drake, et al., details the tricks used by fraudsters to spoof legitimate com-

panies and hide any information about their fraudulent domains [2]. For example, the

fraudulent emails often contain the company’s logo and use similar fonts and color

schemes as those used on the company’s Web site. If recipients believe that an email

was sent by a credible company, they may not scrutinize the content and simply pro-

vide the requested information.

311

Some phishing emails take advantage of people’s need to follow through with

commitments. For example, a phishing email may claim that its request for informa-

tion is justified or required by a policy that the recipient agreed to when setting up the

account. Many people feel compelled to abide by the agreement they supposedly

made and will provide the requested information.

More frequently, fraudsters use fear to call the recipient to action. Ironically, the

email messages often use people’s fear of fraud to defraud them: the emails may

claim that the company has installed new security software and the recipient must

renew the account information, or it might claim that the account has been compro-

mised by fraudulent activity and the account information must be confirmed. Other

premises include claims that the recipient’s account information is outdated, a credit

card has expired, or the account information needs to be verified. There are numerous

approaches, but in each case, the email threatens to terminate the recipient’s account

or claims it cannot provide adequate security if the desired information is not pro-

vided.

The results of the survey demonstrate that the phishing emails can convincingly

appear to come from legitimate companies. Yet the participants in the study knew that

none of the emails in the study pertained to their personal accounts or transactions. If

a person were to receive a phishing email that purported to threaten his or her per-

sonal account, the person would be more prone to falling victim to the scam. Hence,

using the survey results to estimate that people fall for fraudulent emails 31 percent of

the time is a conservative estimate, because it does not consider how fear plays into a

person’s reaction to receiving a phishing email.

Well crafted phishing emails have the potential to fool large numbers of people

through the implementation of various social engineering techniques. The use of

such techniques can also damage real email based communications as people become

suspicious of all email. Potential solutions, must consider not only stopping fraudu-

lent email, but must allow and indeed encourage, the use of use of email as a commu-

nication medium.

3 Possible Solutions to Phishing

In 2004, the economic damage caused by phishing is estimated to have exceeded $44

billion worldwide compared to $14 billion in 2003 [10]. Yet misidentifying legitimate

email as fraud is also damaging, because it hurts Internet business. For example,

many people believe using on-line banking increases the likelihood that they will

become victims of identity theft, even though on-line banking provides more secure

identity protection than paper and mail based systems [18]. If solutions to phishing

are not adopted, it is estimated that the United States e-commerce annual growth rate

will shrink to 10 percent or less by 2007 [8]. This section discusses possible phishing

solutions.

312

3.1 Applying Technical Solutions

There are a variety of techniques available which protect against phishing. These

techniques include phishing black lists, encryption, authentication, URL exploit de-

tection, and content filtering.

Phishing black lists are a popular technique. One method identifies when an

email’s sending IP address comes from a compromised machine. Determining that an

email was sent from a Web server that is known for sending fraudulent email can be

helpful. However, a compromised machine can send both fraudulent and legitimate

emails. Hence, this identification should only be used as one indicator of fraud and

not a conclusive determination.

Another method relies on the identification of a domain name or IP address used to

host a phishing Web site. A black listed URL to a phishing Web site is a definite

indicator of fraud and is a useful reactive technology. However, strictly relying on

known phishing emails has limited value. Fraudsters quickly turn to new emails and

domains. Based on data from June 2004, phishing Web sites are operational for only

54 hours on average before being shut down or abandoned [11]. This method also

does not protect against customized attacks sent to specific individuals.

Encryption based methods are another technical solution that may help identify

phishing emails as fraudulent and prevent them from reaching the inbox. For exam-

ple, user-based authentication can be achieved by using Secure/Multipurpose Internet

Mail Extensions (S/MIME), which encrypts messages and allows the recipient to

authenticate the sender. However, managing encryption keys is too much of a burden

for most people.

Another method is domain-based authentication, with variations including authen-

ticating the email envelope, header, or domain in the header. These approaches would

help to identify when an email is claiming to be from somewhere that it is not, but

they will not stop phishing. For example, if a phishing email claimed to be from U.S.

Bank, but really originated from the domain “pact-games.org” (this is an example

from a real phishing email), domain-based authentication would flag this email.

However, another real phishing email spoofed eBay and used the domain “ebay-

customer-validate.info.” Domain-based authentication would not catch this phishing

email because it came from the domain that it claimed to be from. The fraudster had

registered a domain that recipients may mistakenly believe belonged to eBay, but it

did not try to falsify its domain.

Detecting URL exploits is another method used to prevent phishing. URL exploits

attempt to disguise the true identity of the phishing Web site from the user. While

URL exploits are a good indicator of phishing emails, they are not used in all phish-

ing emails, and their use does not guarantee that the message is fraudulent. Legiti-

mate emails also can legally use the same tricks.

One method of concealing the Web site destination is to show a different text in

the email and hide the true URL in the email code. But many fraudsters take this a

step further and also conceal the URL in the code. For example, the IP address of the

Web site is used rather than the hostname. An IP address can be obscured further by

expressing it in Dword, Octal, or Hexadecimal format. Other tricks include: using the

@ symbol in the <userinfo>@<host> format, where the <userinfo> is ignored and

the <host> information after the @ symbol is the true destination; using JavaScript,

313

such as using OnMouseOver or functions to hide the link; and using redirection ser-

vices to hide the final destination. A good phishing filter will be able to identify these

techniques when used in an email and will use this as an indictor of a phishing email.

Content filtering can be an effective technique in protecting against fraudulent

emails. However applying content filtering that is designed to prevent spam to de-

fending against phishing is ineffective. Phishing email is designed to mimic legiti-

mate correspondence, which makes it unique from spam. The specific features of

phishing emails need to be considered when using content filtering.

Statistical methods can be used in content filtering to analyze the content and apply

a judgment. To stop phishing, a statistical method needs to be specifically trained to

recognize a phishing email, which is done by using both phishing emails and legiti-

mate correspondence from targeted companies. This training will be able to identify

content. However, this content identification needs to be combined with the other

methods to give an effective determination of fraud [6].

Ideally, phishing filters stop phishing emails before they enter the inbox. How-

ever, if consumers are not protected by a good phishing filter, they may receive

phishing emails and follow the link in the email to a fraudulent phishing Web site.

Some technical solutions focus on identifying the fraudulent Web sites. For example,

some vendors have created browser-based tool bars that alert customers when they

have accessed a potentially fraudulent Web site. Some toolbars are customized for a

particular company’s toolbar such as eBay, while others are more general in their

application [3, 4, 20]. Yet another toolbar feature called SpoofStick clearly shows the

domain or IP address of the site. Because phishing emails often obscure the Web site

link, this tool might provide some limited assistance. However, many legitimate sites

use unintuitive domain names, while some fraudulent sites have domain names that

may appear to be legitimate. None of the toolbar features protect against phishing

emails that collect information in a form in the email. Also, they do not protect

against Web sites that secretly download keylogging Trojans or spyware applications.

Even though the toolbar might indicate that the Web site is fraudulent, once the Web

site is open, the damage may already be done.

A combination of techniques should be used to stop fraudulent emails before they

reach the inbox. However, other non-technical solutions must simultaneously be

adopted to help prevent the damage from phishing emails.

3.2 Using Legal Solutions

On July 15, 2004, the Identity Theft Penalty Enhancement Act (ITPEA) was signed

into federal law. Under this law, if a person uses someone else’s identity without

lawful authority to commit one of the felonies listed in the Act, the person will be

given an additional 2-year prison sentence along with the punishment provided for

the felony committed [16].

ITPEA also modifies Section 1028 of title 18 of the United States Code, which

now makes it punishable to merely possess another’s identification with the intent to

commit a crime. However, all of ITPEA provisions require that a fraudster acquire a

victim’s personal information. This law does not punish the creation of the phishing

emails or the fraudulent Web sites. It is very likely that someone must have already

314

fallen victim to the scam and suffered a loss before the fraudster can be held account-

able by this Act [16].

Senator Patrick Leahy has proposed the Anti-Phishing Act of 2004, introduced to

the United States Senate on July 9, 2004. This Act criminalizes sending phishing

emails and creating fraudulent Web sites for the purpose of committing fraud or iden-

tity theft. If passed, this Act will make every element of phishing a felony, with each

element carrying a punishment of five years in prison and/or a fine of up to $250,000.

Currently the Act is in committee and has not yet been voted on by the Senate [14,

17].

Passing laws that criminalize phishing will not stop these scams. The people send-

ing phishing emails are stealing personal information to commit felonies. The possi-

bility of the sentence being increased for stealing someone’s identity, in addition to

the underlying felony, will most likely not deter the fraudsters. Also, if the anti-

phishing laws make conducting phishing scams in the United States too risky, fraud-

sters can send their emails from overseas [14].

3.3 Changing Business Practices

Although businesses cannot prevent phishing emails from winding up in their cus-

tomers’ inboxes, they can establish business practices that help the recipients recog-

nize phishing emails and use processes that minimize the damage of phishing emails.

Many companies in the past and some companies still today provide links in emails

and request the recipient follow the link to either gather or provide information.

However, many companies have begun to change their business practices to make it

easier for their customers to recognize phishing emails, which help to ensure their

customers’ safety. Here are some suggested business practices:

 Businesses should always address their customers by name. Generally fraudsters

do not have access to any of the customers’ personal information. If businesses al-

ways address their customers by name, any email spoofing the companies with

salutations such as Dear Member or Dear Customer can be identified as fraudulent.

 Businesses should not request personal information in an email. Instead, businesses

should ask their customers to open a browser window and enter the businesses’

URLs manually. Then, if required, their customers can log-in as they usually

would.

 Businesses should notify their customers of their security and privacy policies.

 Businesses should provide a means for their customers to report phishing emails

that target their company. In addition, businesses can post any information they

have concerning phishing emails.

 Businesses can search domain names to see if there are registered domain names

similar to theirs, which could possibly be used for phishing purposes.

 Businesses should inform their employees that they might receive phishing emails.

A fraudulent email may appear to come from the company’s IT department asking

the recipient to update their password. If fraudsters get access to company records,

they can personalize their phishing emails, making them more convincing.

315

 Businesses should make sure their customer support staff are aware of phishing

emails and they can provide information on detecting and avoiding these scams.

In May 2004, a phishing email victimized over one million customers of a bank.

The Ponemon Institute surveyed 411 randomly selected bank customers who had

received the phishing email. All of the 411 customers surveyed clicked on the link in

the phishing email, which took them to the fraudulent Web site. Also, all of them

contacted the bank’s customer service help line for guidance. Only 65 (16%) of the

411 provided personal information on the fraudulent site. However, 310 (75%) of

those surveyed felt the bank did not provide adequate support and 243 (59%) decided

to terminate their business relationship with the bank. It is crucial that businesses train

their support staff to adequately provide information and guidance to their customers

when they are faced with possibly fraudulent emails [13].

Businesses can also change how customers conduct business transactions in ways

that can minimize the damage caused by phishing emails. For example, businesses

can use authentication mechanisms, such as sending the customer a different pass-

word to their cellular phone for each requested business transaction, sending each

customer a small hardware device that generates unique password tokens, or always

referencing a “shared secret” (for example, the customer’s favorite color) in business

correspondence to differentiate legitimate correspondence from fraudulent emails.

However, these methods may not be practical because they increase the company’s

cost of doing business and further inconvenience the company’s customers [7, 9].

3.4 Educating Consumers

The solutions mentioned above will not prevent all phishing emails from entering

inboxes. Consumers must also be educated on how to protect themselves from phish-

ing emails. The following guidelines will help prevent consumers from falling victim

to phishing scams.

 Consumers should avoid clicking on links in emails. Even if the link appears to

come from a legitimate source, it should not be trusted. If the email asks recipients

to visit a trusted site, consumers should manually type the URL into a browser win-

dow to ensure that you are visiting the real site.

 Some URLs claim to be sending consumers to a “secure” site by using “https”

instead of “http.” However, links and even browser address bars can be faked so

that they falsely display an “https” URL. Users should manually type in a trusted

company’s URL. Then when providing personal information they should look for

the “https” at the beginning of the URL, which indicates that the transactions are

being conducted securely.

 Consumers should never send personal information in an email. If the request for

information looks legitimate, recipients should contact the company directly. Re-

cipients should not contact the company by using the information in the email, but

should use the contact information from trusted correspondence (for example, con-

tact information included on a bank statement or on the back of a credit card).

316

 Consumers should install products that can help identify phishing emails. It is best

to install products that will help to prevent phishing emails from ever entering the

inbox. However, other technology can provide another level of defense.

 Consumers should read the security policies of the companies with which they do

business. Many companies provide information on their Web sites.

In the United States, phishing emails can be reported to: The Internet Fraud Com-

plaint Center (a partnership between the Federal Bureau of Investigation (FBI) and

the National White Collar Crime Center) at http://www1.ifccfbi.gov/index.asp; to the

FBI “submit a tip” page at https://tips.fbi.gov/; or to the Federal Trade Commission

by entering information on the ID Theft Complaint Input Form at

https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03.

4 Conclusion

The number of phishing emails has grown dramatically. The average monthly growth

rate of new, unique phishing emails was 38% from July 2004 to December 2004, with

9,019 unique phishing frauds reported in December [1]. However, a larger concern is

people are not able to differentiate phishing emails from legitimate business corre-

spondence. In the MailFrontier survey and test people misidentified fraudulent emails

at a rate of over 31 percent. Recipients of phishing emails will likely not respond if

they are not customers of the spoofed company. However, those that are customers

may be fooled at an even higher rate than the survey and test respondents because of

the social engineering tricks employed by the fraudsters.

We need to significantly diminish the effectiveness of phishing to discourage

fraudsters from sending these emails. No single solution in this paper will end phish-

ing. We must work together – technology providers, the legal system, businesses, and

consumers – to safeguard Internet users and restore our faith in e-commerce.

References

1. Anti-Phishing Working Group (January 2005). Phishing Attack Trends Report – December

2004. Retrieved from http://antiphishing.org/APWG%20Phishing%20Activity%20Report

%20-%20December%202004.pdf

2. Drake C.E., J.J. Oliver, and E. J. Koontz (July 2004), Anatomy of a Phishing Email. Pro-

ceedings of First Conference on Email and Anti-Spam (CEAS), Mountain View, CA,

July 30 and 31, 2004. Retrieved from http://www.ceas.cc/papers-2004/114.pdf

3. EarthLink Aims to Block ‘Phishing Scams (19 April 2004). CNET News.com.

Retrieved from http://zdnet.com.com/2100-1105_2-5194778.html

4. Gilbert, Alorie (17 August 2004). Anti-Phishing Software Detects Fraudulent Lures. CNET

News.com. Retrieved from

http://news.zdnet.co.uk/internet/security/0,39020375,39163688,00.htm

5. Keizer, Gregg (19 August 2004). Do-It-Yourself Phishing Kits Lead to More Scams. Inter-

netWeek.com. Retrieved from http://www.internetweek.com/breakingNews/showArticle.

jhtml?articleID=29111947

317

6. Koontz, Eugene, Jonathan Oliver and Andrew Klein (January 2005). Bayesian Spam Clas-

sification Applied to Phishing Fraud. Proceedings of Spam Conference, Cambridge, MA,

January 21, 2005. Retrieved from http://www.spamconference.org/abstracts.html#Koontz

7. Lebihan, Rachel (26 August 2004). Still Fishing for Answer to Internet Scam. Australian

Financial Review. Retrieved from http://afr.com/articles/2004/08/25/1093246607260.html

8. Litan, Avivah (14 May 2004). Phishing Victims Likely Will Suffer Identity Theft Fraud.

Gartner.

9. Litan, Avivah and John Pescatore (8 June 2004). Catching Phishers Requires More than

Bait. Gartner. Retrieved from http://www.protectingthenet.com/archives/Phishers.pdf

10. mi2g (20 October 2004). Q3 2004: The Rise of Islamist Hacking and Criminal Syndicates.

Retrieved from

http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.

com/cgi/mi2g/press/201004.php

11. Monosson, Rich (14 August 2004). Life Span of a Phishing Site Averages 54 Hours. Net-

craft. Retrieved from http://news.netcraft.com/archives/2004/08/14/life_span_of_a_

phishing_site_averages_54_hours.html

12. Munro, Jay (31 August 2004). Security Watch Alert: Bagle AI Spreads Fast While

Rbot.GR Hijacks Webcams. PC Magazine. Retrieved from

http://www.pcmag.com/article2/

0,1759,1641759,00.asp

13. Ponemon, Larry (24 August 2004). Phishy E-mails and Web Sites: What’s Your Responsi-

bility?” Computerworld. Retrieved from http://www.computerworld.com/

managementtopics/management/story/0,10801,95461,00.html?f=x25>

14. Ramasastry, Anita (16 August 2004). Hooking Phishermen. CNN.com. Retrieved from

http://www.cnn.com/2004/LAW/08/16/ramasastry.phishing/

15. Rusch, Jonathan J. The ‘Social Engineering’ of Internet Fraud. United States Department of

Justice. Retrieved from http://www.isoc.org/isoc/conferences/inet/99/proceedings/3g/

3g_2.htm

16. United States. Cong. Senate. 108th Congress, 1st Session. H.R. 1731, A Bill to Amend

Title 18, United States Code, to Establish Penalties for Aggravated Identity Theft, and for

Other Purposes [introduced in the House of Representatives April 10, 2003]. 108th Con-

gress. Congressional Bills, GPO Access. Retrieved from http://frwebgate.access.gpo.gov/

cgibin/useftp.cgi?IPadress=162.140.64.88&filename=h1731ih.txt&directory=/diskb/wais/

data/108_cong_bills>

17. United States. Cong. Senate. 108th Congress, 2nd Session. S. 2636, A Bill to Criminalize

Internet Scams Involving Fraudulently Obtaining Personal Information, Commonly Known

as Phishing [introduced in the U.S. Senate; July 9, 2004]. 108th Congress. Congressional

Bills, GPO Access. Retrieved from http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?

IPaddress=162.140.64.21&filename=s2636is.txt&directory=/diskb/wais/data/108_cong_

bills

18. Van Dyke, James (March 2004).

Online Account Management as the Antidote to Fraud:

Financial Institutions and Billers Must Revamp Their Web Features and Messages

. Javelin

Strategy & Research. Retrieved from http://www.javelinstrategy.com/rp.html

19. Varghese, Sam (10 May 2004). Phishing Spreads in Europe. smh.com.au. Retrieved from

http://www.smh.com.au/articles/2004/05/10/1084041315645.html?oneclick=true

20. Vijayan, Jaikumar (16 August 2004). Antiphishing Tool Adopted by eBay Now Available

to the General Public. Computerworld. Retrieved from http://www.computerworld.com/

securitytopics/security/story/0,10801,95280,00.html

21. Warner, Bernhard (6 May 2004). Billions of “Phishing” E-mails Sent Monthly. Reuters.

Retrieved from http://www.ladlass.com/archives/002196.html

318