Attempts and Impact of Phishing in Cyberworld




© Springer International Publishing Switzerland 2015
Mohamed Chawki, Ashraf Darwish, Mohammad Ayoub Khan and Sapna Tyagi, Cybercrime, Digital Forensics and Jurisdiction, Studies in Computational Intelligence 593, 10.1007/978-3-319-15150-2_4


4. Attempts and Impact of Phishing in Cyberworld



Mohamed Chawki, Ashraf Darwish, Mohammad Ayoub Khan (3, 4) and Sapna Tyagi


(1)
International Association of Cybercrime Prevention (AILCC), Paris, France

(2)
Department of Computer Science, Faculty of Science, Helwan University, Cairo, Egypt

(3)
Department of Computer Science and Engineering, School of Engineering and Technology, Sharda University, Greater Noida, India

(4)
College of Computer Science and Engineering, Yanbu Branch, Taibah University, Medina, Kingdom of Saudi Arabia

(5)
Institute of Management Studies, Ghaziabad, India

 



 

Mohamed Chawki (Corresponding author)



 





4.1 The Problem of Phishing


Phishing is the act of sending an email to a user falsely claiming to be an established legitimate business, in an attempt to scam the user into surrendering private information that will be used for identity theft. The email directs the user to visit a website where he or she is asked to update personal information, such as passwords and credit card, social security, and bank account numbers that the legitimate organization has already issued. The website, however, is bogus and set up only to steal the user’s information. Phishing combines the power of the internet with universal human nature to defraud millions of people out of billions of dollars (Lininger and Dean 2005, p. 1). Nearly every internet user has received a phishing email by now.

As recipients of phishing emails have gradually become wise to the scams, phishing has evolved into ‘SMiShing’, with offenders sending out computer-generated SMS (cell phone) texts to encourage recipients either to log onto a fake website or to call a number purporting to be their bank security department (Wall 2008, p. 20). Even more recently, SMiShing has evolved into ‘vishing’, which uses VoIP (voice over internet protocol) to send out the messages (Ibid). The main challenge that phishing poses is that the offence is individually minor and tends to be serious only in aggregate, and only then when the stolen information is used against the owner (Ibid).

On that account, phishing is a serious crime that merits due consideration and adequate prevention and combating. Phishing may be committed in whole or in part by the use of information and communication technologies (ICTs), which dispenses with face-to-face physical contact and allows for distance counters. Historically, fraud involved face-to-face communication since physical contact was primarily the norm (Brenner 2004, p. 6). Even when remote communication (i.e., postal mail) could be used to set up a fraudulent transaction, it was often still necessary for the parties to meet and consummate the crime with a physical transfer of the tangible property obtained by deceit (Ibid). Nevertheless, the proliferation of ICTs has exerted a profound impact upon the nature and form of the crime, and has altered the mechanisms of crime commission (Chawki and Wahab 2006, p. 4). Nowadays, perpetrators can use fraudulent emails and fake websites to scam thousands of victims located around the globe, and will likely expend less effort in doing so than their predecessors (Ibid). This new form of automated or electronic crime distinguishes online virtual fraud from real-world fraud in at least two important respects (Ibid): (a) it is far more difficult for law enforcement officers to identify and apprehend online fraudsters; and (b) these offenders can commit crimes on a far broader scale than their real-world counterparts.

For a quick summary, phishing attacks trend around 15,000–18,000 for worldwide statistics [1]. Since September 2010, there was a slight decrease, although it appears to be ‘noise’ in the long run. A major change over the past year (since March 2010) is the shift in banks being used. Targets shifted from being primarily regional banks to nationwide banks. About 65 % of phishing attacks target nationwide banks, 30 % target regional banks and only about 5 % go after credit unions. There has been some fluctuation in these numbers, naturally [2]. Each one tends to stay within roughly 5–10 % of the base number, except for the noted shift toward national banks. It is also worth noting that phishing attacks are fairly spread out in the developed world. The United States is the biggest target with 37 % of attacks; the United Kingdom follows with 27 %, then South Africa with 15 %, China with 7 % and Italy with 3 % [3].

Finally, online phishing does carry the seeds of a potential conflict between national legal systems due to the intrinsic transnational and cross-border implications of such crimes, and the relative variation and divergence of national and regional policies dealing with such crimes. Whilst national and international efforts are underway to establish harmonized and consistent national strategies and policies to combat cybercrime, global condemnation as well as adequate universal policies may not be achieved in the near future, at least until all states recognize the importance of ICTs and the need for the existence of an adequate regulatory framework (Chawki and Wahab 2006, p. 5).


4.2 Impact and Harm Generated by Phishing


The effects caused by phishing are far-reaching, and include substantial financial losses, brand reputation damage, and identity theft (Trend Micro 2006, p. 5). The independent research and advisory firm Financial Insights estimated that in 2004, global financial institutions experienced more than $400 million in fraud losses from phishing. U.S. businesses lose an estimated $2 billion a year as their clients become phishing victims. In the United Kingdom, losses from web banking fraud—mostly from phishing—have nearly doubled from £12.2 million in 2004 to £23.2 million in 2005 (Ibid). Nor are financial losses the only impact to businesses. Lost consumer data files and disclosures of unauthorized access to sensitive personal data are taking a toll on consumers’ confidence in online commerce. Phishing’s effects are also adversely impacting businesses in several other ways, including (Ibid):



  • Possible legal implications if employees are attacked on company computers;


  • Potential regulatory compliance issues such as HIPAA, Sarbanes-Oxley, and others, if information breaches occur;


  • Significant decreases in employee productivity;


  • Impacts on IT resources, as phishing emails use storage space and reduce email system performance;
