Anti-phishing

Social responses

One strategy for combating phishing is to train users to deal with phishing attempts. User education can be promising, especially where training provides direct feedback to the user on his success (or otherwise). One newer phishing tactic, which uses phishing emails targeted at a specific company, known as spear phishing, has been harnessed to train users at various locations, including West Point Military Academy. In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake email were tricked into revealing personal information.

Users who are contacted about an account needing to be "verified" can take steps to avoid phishing attempts by contacting the company that is the subject of the email to check that the email is legitimate or by typing in a trusted web address for the company's website into the address bar of their browser to bypass the link in the suspected phishing message.

Nearly all legitimate email messages from companies to their customers will contain an item of information that is not readily available to phishers. Some companies, like PayPal, always address their customers by their username in emails, so if an email addresses a user in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. Emails from banks and credit card companies will often include partial account numbers. Therefore, one should always be suspicious if the message does not contain specific personal information. Phishing attempts in early 2006, however, used such highly personalized information, making it unsafe to rely on personal information alone as a sign that a message is legitimate. Further, another recent study concluded in part that the presence of this information does not significantly affect the success rate of phishing attacks, suggesting that most users do not pay attention to such details anyway.

The Anti-Phishing Working Group, an industry and law enforcement association, has suggested that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers. They propose that pharming and other uses of malware will become more common tools for stealing information.

Technical responses

Anti-phishing software is available that may identify phishing contents on websites, act as a toolbar that displays the real domain name for the visited website, or spot phishing attempts in email. Microsoft's new IE7 browser, Mozilla's Firefox 2, and Opera from version 9.1 will include a form of anti-phishing technology, by which a site may be checked against a list of known phishing sites. If the site is a suspect the software may either warn a user or block the site outright. Firefox 2 uses Google anti-phishing software, which may also be installed under IE6. Spam filters also help protect users from phishers, because they reduce the number of phishing-related emails that users receive. An approach introduced in mid-2006 (similar in principle to using a hosts file to block web adverts) involves switching to using a special DNS service that filters out known phishing domains, which will work with any browser.

Sites have added verification tools that allow users to see a secret image that the user selected in advance; if the image does not appear, then the site is not legitimate. Bank of America uses this together with challenge questions, which ask the user for information that should be known only to the user and the bank. This feature (and other forms of two-way authentication and two-factor authentication) is still susceptible to attack, such as that suffered by Scandinavian bank Nordea in late 2005.

Monitoring and takedown

Several companies offer banks and other entities likely to suffer from phishing scams 24/7 services to monitor, analyze and assist in shutting down phishing websites. Individuals can contribute by reporting phishing to both volunteer and industry groups, such as PhishTank.

Copyright 2008 - France BtoB from Wikipédia