September 2005
Looking out for the fraudsters that go phishing and pharming
Dan Cole, Head of Internet at THUS, warns small and medium businesses about the perils of technical subterfuge
Staying one step ahead of the cyber crime game has always been the best way to deal with any IT security issue. However, when you are unaware that you may be vulnerable to attack, how do you ensure protection? With an increasing number of technical fraudsters using the Internet to develop ever more sinister methods of stealing data, general awareness of the potential security threats is essential to avoid becoming a victim.
Two techniques currently menacing businesses are phishing and pharming, a breed of attack that deceives Internet users into exposing confidential business information which can then be used to steal a company’s identity. With phishing and pharming scams on the increase, small and medium sized businesses need to stay alert to the threat of identity theft and fraud. To put this illegal practice into perspective, phishing scams cost UK online banks £12 million last year*.
The term phishing may sound like an angling technique, but it actually describes the process in which fraudsters send spoof messages to business email users. It takes its name from the way the email acts as bait: it appears to come from a legitimate company, such as a financial institution or online retailer, but is actually sent by ‘phishers’ aiming to steal the company’s identity for personal gain.
Through these emails, recipients are tricked into visiting a counterfeit website, which resembles a retailer’s or bank’s online site, and deceived into providing confidential financial information or critical data. This enables the ‘phisher’ to gain access to details such as a company’s credit card numbers, account usernames and passwords, which can then lead to the theft of corporate identity.
Another identity theft technique causing havoc for businesses is pharming, which can be even more threatening than phishing and even harder to avoid. It allows the theft of corporate identity by re-directing an Internet user to a hacker’s identical-looking bogus website even though the user has typed in a genuine website address – again, usually that of a bank or online retailer. When users enter their login or bank account details, these are captured by the fraudster.
Pharming can be initiated by software (known as spyware) planted on the user’s PC, which overrides the way the machine looks up website addresses and directs the user to the bogus site. Alternatively, fraudsters will attack a company’s Domain Name System (DNS) server, a technique known as DNS poisoning, to re-direct users to a false site. The second method can herd a large group of employees in a business to counterfeit websites, and the users will be none the wiser. This security breach is dangerous and sophisticated because it goes completely undetected by the employee, who may unknowingly submit confidential company information through the site while thinking they are making an innocent online transaction.
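Both pharming routes described above leave the same footprint on a workstation: a name the business relies on is either pinned in the local hosts file, bypassing DNS altogether, or resolves to an address its operator does not publish. The following script, added here as an illustration and not part of the original article, checks for both; the watched names, address ranges, hosts file and resolver answers are all constructed placeholders.

```python
# Added example, not from the article: a defender-side check for the two
# pharming footprints, a watched name pinned in the local hosts file or
# resolving outside its operator's published ranges. All data is constructed.
import ipaddress
import re

# Hypothetical allowlist; names and ranges are placeholders, not real services.
EXPECTED = {
    "bank.example": ["198.51.100.0/24"],
    "shop.example": ["203.0.113.0/24"],
}

# Constructed hosts file as spyware might leave it: one watched name pinned.
SAMPLE_HOSTS = """127.0.0.1   localhost
192.0.2.10  bank.example www.bank.example   # not added by the user
"""

# Constructed resolver answers: shop.example carries one poisoned address.
SAMPLE_ANSWERS = {
    "bank.example": ["198.51.100.7"],
    "shop.example": ["203.0.113.5", "192.0.2.44"],
}

def parse_hosts(hosts_text):
    """Return {hostname: ip} for every mapping in a hosts file body."""
    mapping = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            ip, *names = re.split(r"\s+", line)
            for name in names:
                mapping[name.lower()] = ip
    return mapping

def hosts_overrides(hosts_text, expected=EXPECTED):
    """Watched names hard-coded in the hosts file; any hit is suspicious."""
    return {n: ip for n, ip in parse_hosts(hosts_text).items() if n in expected}

def unexpected_answers(answers, expected=EXPECTED):
    """Resolver answers for watched names that fall outside EXPECTED."""
    bad = {}
    for name, ips in answers.items():
        nets = [ipaddress.ip_network(r) for r in expected.get(name, [])]
        wrong = [ip for ip in ips
                 if nets and not any(ipaddress.ip_address(ip) in net for net in nets)]
        if wrong:
            bad[name] = wrong
    return bad
```

On a real workstation the hosts file would be read from disk and the answers gathered from the local resolver; a hit from either function is a reason to stop the transaction and involve the IT contact.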
Both phishing and pharming make businesses extremely vulnerable to attack, and therefore strict security practices need to be put in place. It is a common misconception among SMEs that phishing and pharming are just consumer problems – but that’s no longer the case. Because businesses are becoming increasingly reliant on online banking and purchasing, and are submitting more and more company information via the Internet, they are just as susceptible to the threat. It is not enough for the person in charge of the company’s IT to know about the threat when these attacks can prey on any employee using the Internet for online transactions.
Besides keeping anti-spam, anti-virus and anti-spyware software updated across the computer network, there are few ways to defend a business from phishing and pharming other than employee education. To counteract these potentially severe assaults, businesses need to make certain that up-to-date security tools are used in conjunction with effective educational practices.
In addition, businesses need to ensure their Internet Service Provider (ISP) has procedures in place to help prevent phishing and pharming. Anti-spam solutions provided by an ISP should block spam email sent by fraudsters at the Internet gateway before it reaches the user. These anti-spam filters should help catch some phishing attempts, and firewalls on a company’s server or at the ISP’s gateway can pick up unusual outbound activity which could indicate a pharming attack on the business or an individual.
If staff are unsure about a website, they should click on the lock symbol in their web browser and make sure it always displays the address they are expecting. However, just watching the address bar in the Internet browser won’t reveal whether a system has been hijacked. Therefore the key to overall protection is to make sure all staff are vigilant and aware of the harsh reality of being tricked by the Internet fraudster.
* Annual figures by UK payments body APACS.