
Addressing the root cause of phishing

Created: 06 Aug 2009 • Updated: 06 Aug 2009 • 5 comments
Kevin Walsh
+1 3 Votes

Many blogs on the Symantec website are very informative and explain visually what phishing is. These efforts have reduced the number of user mistakes (such as clicking a URL in an email or submitting information to an untrusted website). But we have yet to see browser manufacturers address the root cause of phishing. Phishing is still a big concern for new Internet users, especially kids. I see a parallel between usual phishing and Internet crime against kids. Both have the same root cause - who can be trusted on the wild-wild-web?

Explaining "phishing" to a layman: Internet scammers develop a website which looks just like that of your bank or merchant. Then the scammer sends you an email that appears to be an official email from your bank or merchant. This email asks you to approve a transaction you recently made, or to re-verify some personal information by clicking a weblink. If you are not careful and click the weblink, you may not realize that you have landed on a website developed by the scammer. The criminal can then gain access to your personal information if you mistakenly log in to this fraudulent website. This act of fraud leads to online identity theft and is known as phishing.

When it comes to elementary school age kids, phishing has a different perspective. Children often do not know better than to enter their personal information into online forms, whether it is to register for a website or to sign up for a chance to win a prize. So it is possible that details about your address, phone number, and other family information are being given to questionable websites. There is plenty of software to safeguard kids on the Internet. The government has also formally created some laws and guidelines (refer to CIPA and the cybersafety website of the CA government). But no software has so far addressed the root cause, which is described in detail by messages from governments.

So far, Internet browsers have addressed phishing in a way similar to hunting - search and destroy. Technically, they are creating an ever-growing database of phishing websites. The database keeps growing as users report phishing websites (for example, to phishtank.com). Technically, this black-list approach is insufficient to address phishing. What we need is a solution that educates users about phishing by alerting them to phishing attempts. Users should be able to fine-tune the settings by selecting keywords for sensitive information and creating a white-list of trusted websites. This concept has been demonstrated by a free plugin for Internet Explorer. Though it is technically inferior and not available for other browsers, the idea of this solution is unique, powerful and effective. I am looking forward to such a feature in major browsers and security software from companies like Symantec.
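The keyword-plus-white-list check proposed above, next to a black-list lookup, as an added example (not code from the original post or from the plugin it mentions). The hosts, keywords, sample forms and function names are all constructed for illustration.

```javascript
// User-tunable settings (constructed values): keywords marking sensitive
// fields, and the hosts the user has chosen to trust.
const settings = {
  sensitiveKeywords: ["password", "card number", "address", "phone"],
  trustedHosts: ["mybank.example", "school.example"],
};
// Constructed stand-in for a database of already-reported phishing sites.
const reportedSites = new Set(["old-scam.example"]);

// Trust a host only if it equals a white-listed host or is a subdomain of one.
// Substring matching would wrongly trust "mybank.example.login.evil.example".
function isTrustedHost(host, trustedHosts) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return trustedHosts.some((t) => h === t || h.endsWith("." + t));
}

// "Card_Number" and "card-number" should both match the keyword "card number".
function normalise(label) {
  return label.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();
}

// form = { action: URL the data would be sent to, fields: field names/labels }
function checkSubmission(form, cfg) {
  const matched = cfg.sensitiveKeywords.filter((kw) =>
    form.fields.some((f) => normalise(f).includes(kw)));
  if (matched.length === 0) return { verdict: "allow", matched };
  let host;
  try { host = new URL(form.action).hostname; }
  catch { return { verdict: "alert", matched }; } // unparseable target: fail closed
  return { verdict: isTrustedHost(host, cfg.trustedHosts) ? "allow" : "alert", matched };
}

// The black-list approach: only sites somebody has already reported are caught.
function blacklistVerdict(form) {
  return reportedSites.has(new URL(form.action).hostname) ? "block" : "allow";
}

// Constructed sample forms.
const samples = {
  bankLogin: { action: "https://www.mybank.example/login", fields: ["user", "Password"] },
  lookalike: { action: "https://mybank.example.login.evil.example/verify", fields: ["username", "Password", "Card_Number"] },
  prizeDraw: { action: "http://win-a-prize.example/signup", fields: ["Name", "Home Address", "Phone"] },
  search: { action: "https://news.example/search", fields: ["q"] },
};
for (const [name, form] of Object.entries(samples)) {
  const r = checkSubmission(form, settings);
  console.log(name, "black-list:", blacklistVerdict(form), "| keyword+white-list:", r.verdict, r.matched);
}
```

The unreported look-alike and the prize-draw form pass the black-list lookup but trigger an alert, because sensitive fields are about to go to a host the user never white-listed.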

Comments

Jeremy Dundon

The root cause of phishing is ignorance on the part of the end user and the way to address that is to educate.

I agree with you 100%.

In my experience, most people have to learn by falling for one or more scams before that education happens. It would be great if there was another way to teach them.

+5
Kevin Walsh

Thanks for the one-line summary.
As you said, this has been my personal experience also - falling for one scam. Only then did I start learning about it, and I came to know lots of tips from the FCC, CA and Fed government websites, as well as the websites of Microsoft and Symantec. All these guidelines, education and tips can be considered a PRD for a software feature/solution. But none was available, until I found one over the Internet. But it was only for IE, and somewhat inferior technically - maybe because it is free :o)

+2
John_Prince

Speaking solely on the aspect of kids being unaware, I would see this as more of a parental issue on educating and monitoring their kids' web habits rather than a product issue.

I can certainly see a need for software to assist with phishing; it seems there are many products on the market like this that have some sort of content filtering and white lists designed to limit where kids can go. This would go back to the parental part of educating and monitoring though, if they are being effective at this then I don't believe the software they put on will be effective either.

Whether or not Symantec can make a product like that that is effective and profitable...I am unsure.

Remote Product Specialist, Business Critical Services, Symantec

+2
Kevin Walsh

I agree that it is a parental issue. Parents and institutions try to educate kids by instructions, guidelines, post-it notes etc. All I wanted to see was a small feature within all browsers. If not, then within major security software. I hate to advertise this ad hoc effort that tries to implement the guidelines for countering phishing as well as parental control specific to phishing; but here it is -- http://www.parentapproval.com
I used it on my home PC, and in the last 6 months, there were 10-12 instances when my son came to me to request approval (many times it was for websites where I do not want him to waste his time :o)

+1
Vikram Kumar-SAV to SEP

I would have been a target of phishing a long time back...if only I had a Citibank account...

I was directed to a fake Citibank Internet Banking page...I didn't have a Citibank account at that time...So I reported the link to Citibank..

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button..do use it.

+1