Internet Fraud: Preventing and Responding to Phishing and Spoofing Scams

Publication year: 2008
Pages: 30
Citation: Vol. 49 No. 2 Pg. 30
New Hampshire Bar Journal, 2008.


By Attorney Douglas Whitlock

INTRODUCTION

Internet fraud, by conservative estimates, accounted for $320 million in 2007.(fn1) The threat to your clients' businesses and to your own legal practices is real and substantial. The purpose of this article is (i) to familiarize you with the widespread Internet fraud schemes known as "phishing" and "spoofing," (ii) to provide you with practical guidance for preventing Internet fraud, and (iii) to provide you with a template for responding to Internet fraud should it occur. Technical guidance as to specific computer strategies for preventing Internet fraud is beyond the scope of this article and should be addressed with a business organization's information technology consultants.

UNDERSTANDING THE PROBLEM

The most common and preventable Internet fraud schemes involve a combination of "phishing" and "spoofing."(fn2) These schemes use e-mail as an essential element of deception.(fn3) Other Internet fraud schemes such as "pharming" do not rely on e-mail responses, but instead use sophisticated virus and worm technologies to attack a computer system and trick the Internet browser on a computer system into connecting to a fake or "spoof" website.(fn4) As noted above, the focus of this article is on "phishing" and "spoofing," but the prevention and response tips suggested in this article below generally apply to other types of Internet fraud schemes.

Phishing and Spoofing

"Phishing" is a type of Internet fraud where perpetrators send deceptive spam e-mails seeking personal information from the recipients.(fn5) The e-mails are disguised so that the address and content appear to be from a legitimate source such as a well-known bank or other financial institution. (Note that phishing scams may involve other impersonated entities such as, for example, PayPal or eBay.)(fn6) The contents of a phishing e-mail typically request the recipient to update or otherwise provide information by clicking on a link contained in the text of the e-mail.(fn7) Estimates of phishing e-mail response rates vary from 1 percent to as high as 20 percent.(fn8) The link will usually contain the name of the legitimate bank or other financial institution being impersonated. The link, however, connects the recipient to a fake or "spoof" website that the perpetrators operate. The spoof website is designed to look and operate like the real website of the organization being spoofed.(fn9)

Once at the spoof website, the victim is tricked into providing confidential information about their business organization such as bank account numbers, employer identification numbers, account information, and passwords. The perpetrators of a phishing scam then use the information to access the business organization's accounts and withdraw as much money as possible, as quickly as possible.(fn10)

A spoof website uses the logos, content, and general design of the legitimate institution it is impersonating in order to trick the visitor into believing that he or she has linked to the legitimate website. Often the perpetrators will copy website content directly from a legitimate site. A spoof website will also usually contain warning information (which often is also found on the legitimate site) about how to prevent Internet fraud, which makes it more convincing to the victims.(fn11) Even though phishing e-mails and spoof websites can be very similar (if not identical) to legitimate sites, many contain telltale signs that they are illegitimate, which go unnoticed by the victims of phishing and spoofing. The telltale signs include misspellings, words capitalized incorrectly, bad grammar, and a "look and feel" that is noticeably different from the legitimate website.(fn12)
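The two paragraphs above describe the core deception: the link text carries the impersonated institution's name while the link itself leads to a host the perpetrators control. The following script is an added illustration written for this page, not code from the article or its author, of how an organization's mail filter or help desk might check for exactly that mismatch. It parses the anchors out of an HTML e-mail body, compares the host the recipient sees with the host the link actually visits, and flags a brand name appearing inside a domain that does not belong to that brand. The brand names, domains, and sample message are constructed placeholders; the "last two labels" domain heuristic is a simplification that a real deployment would replace with the Public Suffix List.

```python
"""Flag suspicious links in an HTML e-mail body.

Added illustration for this article (not the author's code). A phishing link
usually carries the impersonated bank's name but points at a host the
perpetrators operate. This script extracts every anchor from an e-mail body
and reports links whose visible text names one host while the href goes to
another, or whose href contains a watched brand name inside some other
registrable domain. All brands, domains and the sample message are
constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brands an organization chooses to watch, mapped to the
# registrable domains that legitimately belong to them.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.com"},
}


def registrable_domain(host):
    """Crude last-two-labels heuristic (assumption); real deployments
    should use the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def _host_in_text(text):
    """If the visible anchor text looks like a URL or bare host, return its host."""
    t = text.strip()
    if "://" in t:
        return urlparse(t).hostname
    if "." in t and " " not in t:
        return t.split("/")[0].lower()
    return None


def assess_link(href, text):
    """Return a list of human-readable reasons this link looks deceptive."""
    reasons = []
    host = urlparse(href).hostname or ""
    shown = _host_in_text(text)
    # Check 1: the host the reader sees differs from the host actually visited.
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"visible text says {shown} but link goes to {host}")
    # Check 2: a watched brand name appears inside a domain the brand does not own.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in host.lower() and registrable_domain(host) not in domains:
            reasons.append(f"host {host} uses brand '{brand}' outside its real domains")
    return reasons


def find_suspicious_links(html):
    """Return [(href, text, reasons)] for every link that trips at least one check."""
    flagged = []
    for href, text in extract_links(html):
        reasons = assess_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample phishing body; every domain here is a placeholder.
SAMPLE_EMAIL = """
<p>Dear Valued Customer, please Update your account.</p>
<a href="http://examplebank.com.verify-login.example/update">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(href, "|", text)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed sample, the first link is reported twice over (the visible text names `examplebank.com` while the link visits a host under `verify-login.example`, and that host borrows the brand name), while the second link, which genuinely points at the brand's own domain, passes both checks. The same mismatch is visible by hovering over a link in most mail clients, which is the manual form of this check that staff training can teach.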

Given the daily barrage of spam e-mails (many of which slip through sophisticated spam e-mail filters), business organizations should take measures to educate staff about phishing and spoofing and to implement best practices for prevention of Internet fraud, as discussed in this article below.

PREVENTING FRAUD

Whether or not a business organization has installed anti-spam software (and otherwise taken technology-based measures to prevent phishing and spoofing), some phishing e-mail will make it through such defenses and find its way into the employees' e-mail inboxes. The perpetrators of Internet fraud are constantly looking for ways through and around anti-spam computer defenses. So, a key method for preventing business organizations from being victimized...
