The Blog

  • November 14, 2007
  • Finishing off Phishing

    I was looking forward to writing more on Sales 2.0 this week.  Selling is something that I am keenly interested in but it will have to wait for another time.  I must have ADD because a call from a client set me off in another direction.

    My client called to talk about phishing and what they are doing to combat it and help their customers.  I am sure you already know that phishing is a technique that attempts to get unsuspecting Internet users to hand over sensitive information such as bank account and credit card numbers.  The thieves or cyber pirates who conduct phishing attacks use the account numbers to steal money and sometimes whole identities.

    At first blush it sounds like a good thing to take on phishing on behalf of your customers and you could even say it is noble.  Nevertheless, a little reflection made me think this nobility was like the charge of the Light Brigade — noble, but also doomed.

    I went to my files and dug up a column I wrote in 2005 about spyware and adware — back then those were the problems of the day. These rogue programs took over browsers and redirected them; they also inserted new start pages and sent a continuous stream of information about where a person has been in cyber-space back to a central group that harvested the information.  Eventually, the free market figured it all out and the firewall was born and became standard equipment for PCs.

    Individual action in the face of a problem like this — a free market approach — has a place but it is not always wise for any single company to take on such a diffuse threat.  The problem with this approach is that it is at best temporary.  Like any arms race one side reacted to the threat and the problem went away only to spring up in a different form.  The solution did nothing to dislodge the notion that rogue groups could roam the cyber frontier extracting information from people for nefarious aims.  As a result, the spyware and adware problem morphed into something more serious, phishing.

    In social science there are numerous examples of how small crimes, or activities on the edge of being crimes, breed a complicit environment when left alone, making it easier to perpetrate a larger crime.  The most famous law enforcement effort I am aware of involved the NYPD adopting a zero tolerance program for small crimes like people hopping the turnstiles in the subway to avoid paying.  When zero tolerance kicked in, the incidence of all manner of small crimes went down, and larger crimes did too.

    Back to spyware and phishing.  What was needed at the time — and is needed today — is legislation that makes it a crime to steal a person’s confidential information the way phishers do; zero tolerance for cyber piracy of any kind.  There is a bill, the Identity Theft Enforcement and Restitution Act, making its way through Congress right now, co-sponsored by Senators Leahy, Specter and Durbin, that might do some good and I recommend you look it up.

    Perhaps more important to getting something done today is the Anti-Phishing Working Group (APWG), which tracks and reports on phishing and offers some solutions to help protect individuals.

    Some of the information that comes out of APWG is not that encouraging and according to them, phishing attacks are on the rise.  In July of this year (the most recent statistics I can find) there were 30,999 unique phishing sites identified and 126 different brands were compromised.  That means brands like PayPal, Amazon, Bank of America and other high volume on-line transaction oriented businesses.  Also included in this list are most of the get rich quick emails you get these days from the national lottery of some foreign country and people seeking help to launder a few million dollars they happen to have lying around.  The good news: the average life expectancy of a phishing site was 3.6 days, an all time low.

    One of the most difficult parts of fighting phishing is that it’s a bit like the carnival game where you smack an alligator head only to see another spring up elsewhere.  It takes almost no time to launch a phishing site and operators can move them from one unscrupulous or dumb ISP to another in the blink of an eye.  With a typical phishing site up for less than 4 days it is hard to eradicate the problem.  It’s also why adding a site to a blocked senders list doesn’t work well.

    APWG advises people to never fill out forms on-line when invited to do so even if the invitation seems to come from a trusted vendor.  Moreover, vendors have more or less adopted a policy of not sending out email asking customers to do so, therefore a clear tip off that a phishing scam is up is the invitation itself.

    If you get phished, follow the simple directions from the APWG site:

    Create a new mail to

    1.      Drag and drop the phishing email from your inbox onto this new email message

    2.      In Netscape drop it on the ‘attachment’ area

    3.      Do not use "forward" if you can help it, as this approach loses information and requires more manual processing. The exception is when you use the Web interface to Outlook: in that case forward is the only solution.
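
    Why the directions prefer attaching over forwarding, shown as an added example (not from APWG or the original post): attaching the message keeps its transport headers for whoever analyzes the report, while a typical inline forward copies only the display headers and body. The sample message and the report address are constructed placeholders.

```python
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# Constructed sample message; every address and host is made up.
SAMPLE = """\
Received: from mail.sender.example ([192.0.2.10])
 by mx.victim.example; Wed, 14 Nov 2007 09:00:00 -0500
Return-Path: <bounce@sender.example>
From: "Your Bank" <service@bank.example>
Subject: Verify your account
Message-ID: <constructed-1@sender.example>

Please fill out the form at http://login.bank.example.invalid/
"""
REPORT_TO = "reports@example.invalid"  # placeholder; the page omits the address

def load_sample():
    return message_from_string(SAMPLE, policy=policy.default)

def _new_report(sender):
    report = EmailMessage()
    report["From"], report["To"] = sender, REPORT_TO
    report["Subject"] = "Phishing report"
    return report

def report_as_attachment(original, sender):
    """Drag-and-drop equivalent: the original rides along as message/rfc822."""
    report = _new_report(sender)
    report.set_content("Original message attached.")
    report.add_attachment(original)  # a Message object becomes message/rfc822
    return report

def report_as_forward(original, sender):
    """Typical inline forward: only display headers and body are copied."""
    report = _new_report(sender)
    report.set_content(
        "---- Forwarded message ----\n"
        f"From: {original['From']}\nSubject: {original['Subject']}\n\n"
        f"{original.get_content()}"
    )
    return report

def surviving_headers(report_bytes):
    """Headers of the embedded original, as the report's recipient sees them."""
    msg = message_from_bytes(report_bytes, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content().keys()
    return []
```

    The attached report still carries `Received`, `Return-Path` and `Message-ID`; the forwarded one has no embedded original at all, so the relay path has to be reconstructed by hand.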

    So what’s the bottom line for CRM?  Just this:  You can’t build a futuristic on-demand economy if transactions can be counterfeited by pirates.  Attempts by individuals or even individual companies are doomed to fail because these attempts are simply battles in an arms race.  Phishing is bad enough — I for one don’t want to see what comes next.

    It’s time for companies to stop hiding and thinking the problem will go away.  It’s time for companies to stop worrying that to admit there is a problem will lead to customers thinking the Internet is unsafe.  It is unsafe and most people already know this.  It is time for all of us — individuals and companies — to band together and demand laws that will protect us when on-line. 

    The Leahy, Specter and Durbin bill is a good place to start.

    Published: 16 years ago
