Phishing And Pharming
What is Phishing and Pharming?
Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and
financial account credentials.
Social-engineering schemes use 'spoofed' emails to lead consumers to counterfeit websites designed to trick recipients into
divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand
names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.
Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan
keylogger spyware. Pharming crimeware misdirects users to fraudulent websites
or proxy servers, typically through DNS hijacking or poisoning.
Although phishing is a relatively new form of fraud, its prevalence is exploding. Compounding the issue of increasing
volume, response rates for phishing attacks are disturbingly high (sometimes as high as 5%), and the attacks are most effective against less-savvy
Internet users who are less practiced at spotting potential fraud in their inbox.
While phishing is aimed at individuals, it also presents a dilemma for corporations. If employees are not protected, the
company could be held accountable for not putting protections in place to prevent fraud. If a hacker impersonates a company,
then the company's reputation and brand may be impacted because customers feel that they can no longer trust the organization with their
sensitive information. An attack could cause an employee or business partner to divulge sensitive trade secrets to
hackers. Or, it could result in employee login information being revealed, allowing hackers to "log in" to
an employee's network account.
Protecting Staff from Phishing
The best protection against phishing is to thwart these attacks from ever getting to the user's inbox. Since most phishing
attacks flourish through unsolicited e-mail, spam filtering technologies can be very effective at preventing the majority of phishing
attempts.
New technologies are also available to help prevent phishing. One such technology offered as a standard by Microsoft and
supported by CipherTrust is the Sender ID Framework (SIDF), which prevents spammers from spoofing known brands by verifying the source
of each email. This technology holds great promise but is still in its infancy.
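
The source check described above can be sketched as follows. This is an added example, not code from the original page, Microsoft or CipherTrust. It assumes the Sender ID record syntax (`spf2.0/pra`) and a simplified form of the RFC 4407 header priority for choosing the Purported Responsible Address; the function names are hypothetical, a dictionary stands in for the DNS lookup, and only the `ip4`, `ip6` and `all` terms are evaluated.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# PRA header priority, simplified from RFC 4407 (Received-ordering rule omitted).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def pra_domain(raw_message):
    """Domain of the Purported Responsible Address, or None if undeterminable."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if len(values) > 1 and not name.startswith("Resent-"):
            return None                      # duplicated Sender/From: ambiguous
        if values:
            addr = parseaddr(values[0])[1]
            return addr.rpartition("@")[2].lower() if "@" in addr else None
    return None

def check_sender(record, client_ip):
    """Evaluate the ip4/ip6/all terms of an spf2.0 record that covers 'pra'."""
    terms = record.split()
    version, _, scopes = terms[0].lower().partition("/") if terms else ("", "", "")
    if version != "spf2.0" or "pra" not in scopes.split(","):
        return "none"                        # nothing published for PRA checks
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0], "pass")   # no qualifier means "+"
        kind, _, arg = term.lstrip("+-~?").partition(":")
        if kind == "all":
            return result
        if kind in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
    return "neutral"                         # no term matched

def verify(raw_message, client_ip, records):
    """records maps domain -> record text and stands in for the DNS lookup."""
    domain = pra_domain(raw_message)
    if domain is None:
        return "no-pra"                      # label chosen for this sketch
    record = records.get(domain)
    return check_sender(record, client_ip) if record else "none"

# Constructed sample data (documentation domains and address ranges).
SAMPLE_RECORDS = {"bank.example": "spf2.0/pra ip4:192.0.2.0/24 -all"}
SAMPLE_MESSAGE = ("From: Example Bank <alerts@bank.example>\n"
                  "Subject: Verify your account\n\nClick the link below.\n")
```

A message claiming the constructed brand domain is accepted only when it arrives from an address inside the published range; the same message relayed from any other address evaluates to `fail`.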