Introduction
The first recorded
In the field of computer security,
phishing is the criminally fraudulent
process of attempting to acquire sensitive
information such as usernames,
passwords and credit card details by
masquerading as a trustworthy entity in
an electronic communication.
Communications purporting to be from
popular social web sites, auction sites,
online payment processors or IT
administrators are commonly used to lure
the unsuspecting public. Phishing is
typically carried out by e-mail or instant
messaging, and it often directs users to
enter details at a fake website whose look
and feel are almost identical to the
legitimate one. Even when using server
authentication, it may require tremendous
skill to detect that the website is fake.
Phishing is an example of social
engineering techniques used to fool
users,and exploits the poor usability of
current web security
technologies.Attempts to deal with the
growing number of reported phishing
incidents include legislation, user
training, public awareness, and technical
security measures.
A phishing technique was described in
detail in 1987, and the first recorded use
of the term "phishing" was made in 1996.
The term is a variant of fishing, probably
influenced by phreaking,and alludes to
baits used to "catch" financial
information and passwords.
History
A phishing technique was described in
detail in 1987, in a paper and presentation
delivered to the International HP Users
Group, Interex.
mention of the term "phishing" is on the
alt.online-service.america-online Usenet
newsgroup on January 2, 1996, although
the term may have appeared earlier in the
print edition of the hacker magazine.
Phishing techniques
Phishing is another common internet
scam. This is a criminally fraudulent
process illegally acquires sensitive
information. It hacks passwords and other
pertinent personal information that can be
used to enter private accounts for
malicious intents.
It is usually done by electronic mail or
instant messaging. Phishing directs the
victim to enter their pertinent details in a
fake website. These websites are tricky
because they look legitimate and trusting.
Scammers get access to important details
when victims fall prey in entering their
personal information.
Such important details are used to cash
out money in the ATM or bank accounts.
You may use SSL that has strong
cryptography but it is still impossible for
the SSL to detect that the website is fake.
This is a social engineering technique
example. This is used to fool users and
abuse the usability of the web security
technology.
The phishing techniques were already
described as early as 1987 but it was first
recorded to have been used in 1996. The
term rhymes with the word fishing which
means to catch. Phishing catches the
financial and personal information of a
person, like passwords.
The following are the more common
phishing techniques often used:
Link Manipulation
Links are internet addresses that direct
one to a specific website. We usually
give out links to our personal blogs or
digital album sites to our friends and
family via emails or instant messages.
In phishing, these links are usually
misspelled. One or two letters make a big
difference and it will lead you to a
different, and often fake, website or page.
It is a form of technical deception.
Phishers use sub domains.
Another method of trickery in links is the
use of '@' symbol. This sign originally is
intended to include username and
passwords. These links are disabled by
Internet explorer but Mozilla Firefox and
Opera just presents warning messages
that are sometimes not easily noticed.
Aside from this, there is also what we
called the Internationalized domain
names (IDN) spoofing or the homograph
attack.
Filter Evasion
This is the use of images instead of texts.
Through this, anti phishing filters will
find a hard time to detect the emails.
Website forgery
There are some phishing scams that use
JavaScript commands to alter an address
bar. This directs the user to sign in at a
bank or service of the phisher. This is
where he will extract information from
you.
The Flash-based websites avoid anti
phishing techniques. This hides the text
to a multimedia object.
Phone Phishing
This is done by using a fake caller ID
data to make it appear that the call came
from a trusted organization. The operator
of the phone who answered your call will
ask you to give your account numbers
and passwords.
There are many other phishing
techniques. Some have developed
counter-phishing techniques already but
scammers continue to invent still newer
tricks. Always be alert and never trust to
give your most private details easily.
Damage caused by
phishing
Phishing has four distinct types of
impact, both domestically and
internationally, that are of concern to the
commercial and financial sectors and to
law enforcement in both countries:
• Direct Financial Loss. Depending
on the type of fraud that a
criminal commits with the aid of
stolen identifying data,
consumers and businesses may
lose anywhere from a few
hundred dollars to tens of
thousands of dollars. Indeed,
small e-commerce businesses
may be particularly hard-hit by
identity fraud. For example,
because of credit card
association policies, an online
 merchant who accepts a credit
card number that later proves to
have been acquired by identity
theft may be liable for the full
amount of the fraudulent
transactions involving that card
number.
• Erosion of Public Trust in the Internet.
Phishing also undermines the public’s
trust in the Internet. By making
consumers uncertain about the integrity
of commercial and financial websites,
and even the Internet’s addressing
system, phishing can make them less
likely to use the Internet for business
transactions. People who cannot trust
where they are on the World Wide Web
are less likely to use it for legitimate
commerce and communications.xx
This perspective finds support in
a 2005 Consumer Reports
survey, which showed declining
confidence in the security of the
Internet. Among several findings,
the survey found that 9 out of 10
American adult Internet users
have made changes to their
Internet habits because of the
threat of identity theft, and of
those, 30 percent say that they
reduced their overall usage.
Furthermore, 25 percent say they
have stopped shopping online,
while 29 percent of those that still
shop online say they have
decreased the frequency of their
purchases.xxi
• Difficulties in Law Enforcement
Investigations. Unlike certain
other types of identity theft that
law enforcement agencies can
successfully investigate in a
single geographic area (e.g., theft
of wallets, purses, or mail),
phishing – like other types of
crime that exploit the Internet --
can be conducted from any
location where phishers can
obtain Internet access. This can
include situations in which a
phisher in one country takes
control of a computer in another
country, then uses that computer
to host his phishing website or
send his phishing e-mails to
residents of still other countries.
Moreover, online criminal activity
in recent years has often
reflected clearcut divisions of
labor. For example, in an online
fraud scheme, the tasks of writing
code, locating hosts for phishing
sites, spamming, and other
components of a full-scale
phishing operation may be
divided among people in various
locations. This means that in
some phishing investigations,
timely cooperation between law
enforcement agencies in multiple
countries may be necessary for
tracing, identification, and
apprehension of the criminals
behind the scheme.
• Incentives for Cross-Border
Operations by Criminal
Organizations. Law enforcement
authorities in Canada and the
United States are concerned that
each of the preceding factors also
creates incentives for members of
full-fledged criminal organizations
in various countries to conduct
phishing schemes on a
systematic basis. Law
enforcement already has
indications that criminal groups in
Europe are hiring or contracting
with hackers to produce phishing
e-mails and websites and
develop malicious code for use in
phishing attacks.
Responses to Phishing: Current and
Promising Practices
Private-sector entities and government
agencies in Canada and the United
States have undertaken a growing
variety of measures and initiatives to
combat phishing. As explained below,
many of these measures and initiatives
are multi-sectoral, multi-jurisdictional,
and multi-agency, and extend beyond
law enforcement entities.
Public Education
Because phishing is a form of identity
theft that differs substantially from other,
physically-based identity theft
techniques, government and the private
sector need to ensure that the public
receives regularly updated information
about the latest phishing techniques and
how to recognize them. At the May 2003
Cross-Border Crime Forum, PSEPC
(then the Department of the Solicitor
General of Canada) and the U.S.
Department of Justice jointly issued two
public advisories on current trends and
developments in identity theft: one
directed at consumers and the other at
retailers. The advisories highlighted
some of the most significant forms of
identity theft in Canada and the United
States, explaining how to recognize them
and how to respond. Since then, various
Canadian and U.S. law enforcement
agencies have widely disseminated
phishing-related information to the public.
For example, the U.S. Department of
Justice issued a special public advisory
on phishing in 2004,xxiv the U.S. FTC
issued a consumer alert on phishing in
2005,xxv and the RCMP has recently
posted information about phishing and
vishing on its website.xxvi
Authentication
Although consumer education programs are
an important component of the fight against
phishing and other forms of identity theft that
involve “social engineering,” they will not
suffice to provide adequate protection for the
public as phishers continue to refine their
attack techniques. The private sector needs to
continue its efforts to improve authentication
technologies, and to deploy multifactor
authentication measures as appropriate, to
strengthen the confidence of Internet users in
the reliability and provenance of online
messages they receive. Greater industry
efforts towards standardizing how enterprises
will communicate with their clients (e.g.,
what information they will use for
authentication purposes and under what
circumstances they will request it) may also
be important in addressing this issue.
Legislative Frameworks
A strong legislative framework is also
fundamental to combating identity theft,
and specific mechanisms and/or
methods used to that end such as
phishing. In Canada, there are currently
no offences in the Criminal Code that
directly prohibit or apply to phishing or
other methods of obtaining identity
information for a criminal purpose. If a
phishing attack is using large volumes of
“spam” (unsolicited e-mails) that could
interfere with a computer system, or if
the spam employs deceptive headers so
as to avoid spam filters, then certain
computer data related offences in the
Criminal Code may apply. The use of
identity information that has been
obtained whether by phishing or by other
means, could however amount to any of
a number of criminal offences, such as
fraudulent personation, fraud, or unlawful
use of credit card data. The Department
of Justice began several years ago to
review the Criminal Code to determine its
adequacy for dealing with the growing
problem of identity theft. The Department
has begun developing proposals to
address some of the limitations of the
criminal law in this area and consulting
with key stakeholders to obtain their
valuable input on legislative
amendments.
Another recent development in Canada
with implications for phishing-related
legislation was the 2004 launch by the
Government of Canada of An Anti-Spam
Action Plan for Canada and the
establishment of a government-private
sector task force to oversee and
coordinate its implementation. In 2005
this task force was asked to produce a
report on the status and progress that
had been made. The report that they
produced, Stopping Spam: Creating a
Stronger, Safer Internet, set forward 22
recommendations to combat spam,
promote public awareness, and restore
confidence in e-mail. They also set
forward best practices for Internet
service providers and other network
operators, and for e-mail marketing.
Additionally, they recommend that
legislation be enacted to prohibit certain
forms of spam and other emerging
threats to the safety and security of the
Internet (e.g. phishing), and that a
federal coordinating body should be
established to deal with the spam issue
on an ongoing basis.xxvii This is important
for the phishing issue because phishing
is usually accomplished through the
technique of spamming, which is the
sending out of unsolicited bulk e-mails. In
the case of phishing, spam routinely
allows criminals to distribute their
fraudulent e-mails to many consumers at
minimal cost.
In the United States, since 1998 federal
law, and laws in nearly all of the states,
have adopted specific criminal legislation
on identity theft that can be applied to
phishing.xxviii In addition, federal
authorities can use a variety of federal
fraud offences, such as wire fraud,xxix and
the CAN-SPAM Act,xxx to address both
the sending of phishing e-mails and the
use of deceptive e-mail headers or other
techniques characteristic of criminal
spam. Currently, at the direction of
President Bush, the President’s Identity
Theft Task Force is preparing a strategic
plan to combat all forms of identity theft
more effectively, including possible
changes in legislation where appropriate.
That plan is expected to be submitted to
the White House in early February 2007.
Enforcement
An effective and comprehensive response to
identity theft requires the investigation and
prosecution of appropriate cases involving
phishing schemes
Conclusion
Phishing is a form of criminal conduct that
poses increasing threats to consumers,
financial institutions, and commercial
enterprises in Canada, the United States, and
other countries. Because phishing shows no
sign of abating, and indeed is likely to
continue in newer and more sophisticated
forms, law enforcement, other government
agencies, and the private sector in both
countries will need to cooperate more closely
than ever in their efforts to combat phishing,
through improved public education,
prevention, authentication, and binational
and national enforcement efforts.
While phishing is a particular threat on its
own, it is also important to recognize that
the challenges posed to policy makers
and law enforcement officials in regards
to phishing are those reflected in the
larger issue of identity theft as well.
The Report on identity theft presented to
the Binational Working Group on Cross-
Border Mass Marketing Fraud in October
2004 sets out recommendations to
address the threats posed by identity
theft, including coordinating public
education initiatives, enhancing reporting
mechanisms and enforcement, reviewing
legislative frameworks and improving
document and data integrity and security.
This report further endorses those
recommendations in support of the fight
against phishing and identity theft as a
whole. In response to those recommendations
governments in both countries will continue
to work together in an effort to reduce
phishing and identity theft.