Phishing for Trouble

Phishing is far worse than spam. Spam is easy to identify and filter. Phishing, on the other hand, often looks exactly like an email from some company you know. The most common ones I get are eBay and PayPal ones. I also get a smattering of bank ones, some even from banks I don't have accounts with.

The worst kind, though, are the ones that announce a new product or service at a new URL and explain that it's OK to login at this new URL because it's a new service. Brilliant. I have to wonder just how many people get hung up on that type.

This is also sharply eating into my trust of receiving statements or statement notices via email. I'll never click on the links in them -- not anymore, at least. Even if they do list the "last 4" of your account, there are only 10,000 possibilities there, so it could be wrong. Given a phishing email sent to, say, 10,000,000 recipients, the odds are that if they use a single 4-digit number it'll match at least 1,000 of the recipients, assuming an even distribution.

So what is to be done about this problem? First, you have to learn how to recognize them. Typically this means checking the headers and seeing if there are any strange domains in them. This, of course, is easiest for technical people -- others will see all domains as strange and the format of the headers daunting.
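An added example of the header check described above (this is not code from the original post). It parses a constructed message, made up here and not a real phish, with Python's standard email library and lists every domain in the Received chain, the Reply-To address and the link targets that differs from the domain of the visible From address; the trusted parameter is an assumption of this example, standing in for the recipient's own mail relays, which always appear in the Received headers.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real phish): it claims to be from eBay
# but its relays, Reply-To and link target sit on unrelated domains.
SAMPLE = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
Received: from host77.unrelated-example.org (host77.unrelated-example.org [198.51.100.7])
From: "eBay Billing" <billing@ebay.com>
Reply-To: account-verify@unrelated-example.org
To: victim@example.com
Subject: Please confirm your account
Content-Type: text/html

<p>Click <a href="http://ebay.secure-login.unrelated-example.org/update">here</a>.</p>
"""

RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.I)
HREF = re.compile(r'href="https?://([^/"]+)', re.I)

def registered_domain(host):
    """Crude registrable domain: the last two labels (fine for .com/.org)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def strange_domains(raw, trusted=()):
    """Domains in the Received chain, Reply-To and link targets that differ
    from the domain of the visible From: address. 'trusted' (an assumed
    parameter) lists the recipient's own relays, which always appear."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = registered_domain(parseaddr(msg["From"])[1].partition("@")[2])
    seen = set()
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(str(hdr).strip())
        if m:
            seen.add(registered_domain(m.group(1)))
    if msg["Reply-To"]:
        seen.add(registered_domain(parseaddr(msg["Reply-To"])[1].partition("@")[2]))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        for host in HREF.findall(body.get_content()):
            seen.add(registered_domain(host.split(":")[0]))
    return {d for d in seen if d != claimed and d not in trusted}

if __name__ == "__main__":
    print(sorted(strange_domains(SAMPLE, trusted={"example-isp.net"})))
```

Note that the link host starts with "ebay." but registers under a different domain, which is exactly the kind of thing the raw headers and source reveal and the rendered email hides.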

Second, you have to report them. Every single one of them. Yes, even duplicates. Each time I receive one, I forward a copy of it and an attachment of it to the appropriate email address (spoof@ebay.com, spoof@paypal.com, phishing@..., etc). I then delete them. I usually get responses saying either that they are looking into it or that yes, it really was a spoof.

So, the way I figure it, if everyone sent a report in, the company would have to increase the resources spent on responding to them. This would also mean increasing technology to prevent them from being so successful and lobbying for laws to make the penalties harsh (much harsher than spam).

See, taking the example above of 10,000,000 mailings out daily, we can make a difference. If every single person on the list forwarded a copy of the phishing email to the company, they would have to process each one and send out an email. Take a typical phishing email of 20 kilobytes. That means the spammer is sending out 190 gigabytes a day. Assuming a response email of 15 kilobytes from the company, they would have to be able to handle 9.9 terabytes of transfer each month (20 kilobytes in plus 15 kilobytes out for each of the 10,000,000 reports a day). That sort of bandwidth doesn't come cheap.

Thing is, I usually get 4-5 phishing emails a day from multiple different sources. The numbers above could easily be 10-100x what I've estimated. The phishers are using a tremendous amount of bandwidth. And since bandwidth like that doesn't come free, they must be making money somehow.

Of course, making money that way is completely illegal, as opposed to selling a product through spam, which is legal. So these guys already do fall under other laws, which is great. However, it's clearly not enough.

If eBay had to deal with 100 million phishing report emails every day, do you think they would do anything about it? What about a small bank? This sort of attention could bring down a small company.

Anyway, just my thoughts. It wouldn't be possible to have every phishing email result in a report, especially since certain types of spam catchers will easily detect them. For instance, Gmail can detect phishing emails easily -- and reports them as such, even if they don't go into the spam folder.

Posted by Shane on September 17, 2005 6:18 PM
