Testing the Phishing Waters

by Karen on July 21, 2006

There has been a lot of news about phishing lately, including some studies about how phishers fool their victims and how the whole scheme works. It seems to me, though, that people are concentrating on the wrong part of the scheme.

What is phishing?

It’s a way to steal information from you, usually identity info, like name, social security number, or login info for bank accounts or credit cards. You’ve probably seen at least one phishing attempt in your email inbox, say an email from PayPal or from Citibank.

How does it work?

The phishers send you an email that looks like it’s from some large financial company, like PayPal or Citibank or your credit union. When you click on the link in the email (which looks like it’s going to the aforementioned large financial company), it actually takes you to a phishing website (often hosted some place like Russia). Once at the web site, you’re supposed to enter your account info or your personal info. Do that and you’ve just handed the phishers your PayPal account (or credit card or bank account).
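The link trick described above, as an added example that is not part of the original post: a small Python filter that pulls the anchors out of an HTML email body and flags the signs a mail administrator or security team would look for, namely visible link text that names one domain while the href points somewhere else, hosts that are raw IP addresses, the user@host trick, plain http, and hosts outside the domains a brand is known to use. The brand-to-domain table, the `.example` host names and the sample message are constructed for illustration; the "registered domain" helper is a deliberately crude two-label approximation rather than a public-suffix lookup.

```python
"""Flag suspicious links in an HTML email body (added example, not the post's own code)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of brands to the domains they legitimately use; a real
# filter would load this from configuration rather than hard-code it.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com", "citi.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True when the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Crude eTLD+1: the last two labels (assumption: no public-suffix list)."""
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def host_in_text(text):
    """If the anchor's visible text looks like a URL or bare domain, return its host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t
    return urlparse(t).hostname


def classify_link(href, text, claimed_brand):
    """Return the reasons a link looks like phishing bait; an empty list means clean."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return reasons  # mailto:, relative links etc. are out of scope here
    if is_ip_literal(host):
        reasons.append("link points at a raw IP address")
    if parsed.username or parsed.password:
        reasons.append("userinfo in URL (user@host trick)")
    if parsed.scheme == "http":
        reasons.append("link not using https")
    shown = host_in_text(text)
    if shown and registered_domain(shown) != registered_domain(host):
        reasons.append(f"displayed {shown} but links to {host}")
    brand_domains = KNOWN_BRAND_DOMAINS.get(claimed_brand.lower(), set())
    if brand_domains and registered_domain(host) not in brand_domains:
        reasons.append(f"host {host} is not a known {claimed_brand} domain")
    return reasons


def scan_email(html_body, claimed_brand):
    """Return [(href, visible_text, reasons)] for every anchor in the body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(h, t, classify_link(h, t, claimed_brand)) for h, t in parser.links]


# Constructed sample message: one lookalike link, one genuine link, one user@IP link.
SAMPLE_EMAIL = """
<p>Dear PayPal member, your account has been limited.</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="https://www.paypal.com@203.0.113.5/">www.paypal.com</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL, "PayPal"):
        print(href, "->", reasons or "clean")
```

Run as a script it prints one line per anchor; the first and third links are flagged on several counts while the genuine help-centre link comes back clean. The brand-domain check is what catches the most convincing bait: a link whose visible text is a plain phrase such as "Log in here" gives the text-mismatch rule nothing to compare, so the host has to be judged against what the claimed sender actually uses.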

This is becoming a real problem. I receive so many phishing emails from ‘PayPal’ that I ignore everything from PayPal.

How do we prevent it?

Well, there’s a lot of discussion about that right now. A group at Harvard performed a study, Why Phishing Works (http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf), which sounds like a good place to start. However, this study concentrated on the phishing web site. I think that’s the wrong place to look. Instead, why aren’t we looking at the bait that the phishers use: the email they send? If the victims didn’t click on the link in the email, then they wouldn’t get victimized.

Seems fairly simple. However, some companies send links in email to their customers. I do occasionally click on a link in an email from a company, usually in a newsletter or ad (say from Amazon). I never click on a link to go to something like my credit union’s web site, and I was shocked to get an email newsletter from my credit union that had just that: a link to the credit union’s login page.

Not long after that, my credit union sent out an email warning of a phishing scheme using their name. And the phishers probably caught some people, because the victims were used to clicking on links in the credit union’s newsletter.

So, if any companies are paying attention out there, don’t send links in your emails to your customers. I tell all my clients and friends to never click on links in emails. It’s the only way to be sure.
