I direct the journalism school at Iowa State University, where professors are among the most astute about the increasing specter of online risks, including "phishing." But even in this informed, digital environment, one of my journalism professors was lured by a fraudulent e-mail message and came close to having his bank account drained.
Phishing is an attempt at cybercrime. It is also a subgenre of spam -- replete with logos from such corporations as PayPal, eBay, and Wells Fargo -- typically notifying e-mail recipients about "suspicious" use of an account and directing them to a link so that they can input personal data, including account numbers and passwords. Despite the investment in spam filters and procedures at college technology centers, phishing e-mail still manages to bypass IT watchdogs at some of our most security-minded institutions, including my own.
When I complained about this to our Solution Center, I was told to adjust my spam filter. So I and other professors obliged. As a result, a few timely e-mail messages got sent to the digital trash heap, including one with the subject header “Wolfgang’s Offer,” in reference to a grant opportunity from Wolfgang Kliemann, our associate vice provost for research.
The spam filter probably associated the subject line with a pitch to buy music composed by Wolfgang Amadeus Mozart.
We readjusted our filters accordingly, and the phishers infiltrated our e-mailboxes.
All of us have received this kind of e-mail, of course. And most are easy to dismiss until the right set of circumstances combine: a message carrying the logo of a bank where you happen to do business and a service that you happen to use, which hooked our professor with a subject line that read: “Possible fraud to your account. Please answer.”
Here is the message that he received:
Our department recorded a payment request from Expedia - Online Travel Agency to enable the charge of $619.49 on your account. This amount is supposed to cover the cost of a 5 days reservation (25-30 October / 2004) at a Five Stars Hotel located in New Delhi / INDIA.… THE PAYMENT IS PENDING FOR THE MOMENT. If you made this reservation or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "Rama Bangalore-Hotel". If you didn't make this payment / reservation and would like to decline the $619.49 billing to your card, please follow the link below to deny the payment. We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire Wells Fargo system.
He bit the bait. He also agreed to tell his story to Inside Higher Ed, but without use of his name. "As you read the message," he says, “you’ll see the sense of urgency it conveyed. Without thinking, I opened the message” which led to “an official looking Wells Fargo page, with the colorful stagecoach banner across the top and a request for my account number and password.
"I typed both in. I immediately received a message saying my password was incorrect, please try again. Which I did. I must have attempted to use every password I have ever used in my computer life. After about the fifth rejection," he says, "a light went on in my brain—I shouldn't be giving out my password!"
Panic set in. He envisioned his checking account being cleaned out. He contacted Wells Fargo, which issued a fraud message. A representative urged the professor to close his bank account.
Michelle Scott, vice president of public relations for Wells Fargo, says the company takes phishing seriously. It has an ongoing public education campaign and last year launched a comprehensive Web site for fraud prevention, detection and resolution.
"Thankfully, I didn't lose any money," the journalism professor and Wells Fargo customer says, "but I did have to throw away two boxes of checks and open a new account. I also had to reissue a couple of checks I had written to pay bills."
Our professor acted quickly and lost no money. But that isn’t always the case at research institutions with large online populations. For instance, five students and two staff members at the University of Michigan fell victim to a phishing scam, as reported by The Michigan Daily. The student newspaper, in another article, noted that "people reported having large sums of money disappear from their bank accounts."
In the aftermath of these incidents, Paul Howell, chief information security officer at Michigan, received dozens of inquiries asking what people can do to stop the e-mails. "The answer to this question usually lies in anti-spam technology," he says. "And when that fails, awareness and education are the next best defense."
Most of us believe we will never succumb to a phishing ploy, especially since so many of them are easy to spot as frauds, thanks to the idiosyncrasies of the English language -- which can be more effective in filtering spam than current high-tech methods. A quick sampling:
- "Please follow steps for verification process" and "visit Regions Bank Security Center,” from a cyberthief who has yet to master use of definite articles.
- "If your account informations [sic] are not updated within the next 72 hours, then we will assume this account is fraudulent and will be cancelled [sic].… We apreciate [sic] your support and understading [sic], as we work together to keep eBay a safe place to trade” -- from a cyberthief who cannot spell or do syntax (the grammatical kind).
- "It came to our attention that your account may be suspected of fraud. We ask our users with exposed accounts to confirm their identity with PayPal every once in a while, in order to upkeep the safety of our environment," from a cyberthief who opened his thesaurus to “periodically” and chose “every once in a while.”
We can chuckle about such e-mail, especially if we do not do business with these corporations. On the other hand, says Jane Drews, information technology security officer at the University of Iowa, “Some of these phishing e-mails are amazingly believable.”
In fact, one from eBay looked remarkably genuine up until this sentence: "Please update your records by the 15th of Mai."
“Mai” is German for “May.”
I asked our computer support specialist, Jeremy Haubrich, to trace the path of the e-mail message, betting it came out of Germany.
The message, he said, was sent through a California-based direct marketing firm that has an anti-spam statement on its Web site. "So they would probably be interested to hear that one of their customers or some illegitimate user is sending phishing mail through their system," he added, noting that "all of this is conjecture" since domain names can be forged. "By the way," he added, the message claims to be from the California firm, but the address it was sent from "appears to be some sort of German communications company with a Web site that looks like it hasn’t been updated since the mid-90s."
I sent the phishing email to the California firm, receiving this reply: “This definitely looks like it was masked by the company in Germany.”
We may have located the country whence the offending emails came, but there was little anyone could do immediately about the situation.
Fred B. Schneider, a computer science professor at Cornell University and director of the Information Assurance Institute, states, "It is notoriously difficult to trace a forged e-mail’s return-address back to the actual sender, because the Internet protocols were not designed to protect against return-address forgery."
In light of that, Schneider believes that spam filters are the answer (at least in the short term). "To prosecute phishing requires finding the perpetrator, whereas to filter and remove phishing e-mail at receiver sites does not -- it just requires that spam filters be installed and kept current." Moreover, he adds, using filters "is a local action, which can be taken by IT technical staff," whereas prosecuting phishers is external and complicated. "Self-determination is a comfort."
Other IT security chiefs concur with that assessment, including Michael Bowman, information security officer at Iowa State. "We try to keep the community aware of phishing schemes and the problems with spam in general," he says, putting security notices on university Web sites and occasionally working with student journalists at the ISU Daily. Nevertheless, Bowman admits, "It is a challenge to publicize a new scheme before someone receives the phishing e-mail."
Michael G. Carr, chief information security officer at the University of Nebraska, notes that his institution also treats phishing as spam “and tries to prevent such communiqués from ever reaching an e-mail inbox.”
While phishing is a subgenre of spam, Carr concedes, and "may very well be statutorily defined as a type of fraud or attempted fraud," reporting such activities to law enforcement has not been effective because of:
- Jurisdiction. “Generally, phishing originates outside the state of Nebraska and, usually, outside the United States. Consequently, local law enforcement and the state Attorney General’s office, while interested in preventing these types of crimes, do not have jurisdiction over the culprits.”
- Amount of damages. "If end users are alerted to phishing schemes and are aware of how to not become victims, then there are no actual monetary damages. The result is an attempted fraud similar to an attempted burglary where the crook jiggles the door knob, finds the door locked and moves on. Right or wrong, most security professionals see phishing as a ‘no harm, no foul’ issue."
- ROSI. "The Return on Security Investment does not necessarily warrant the time, cost and energy to research the phishing origins and report the incidents to law enforcement because of the aforementioned reasons."
The ROSI factor can increase along with the level of risk if the phishing process -- little likelihood of prosecution, a lock-your-door philosophy, and a proved method to bypass filters -- is used to tap fear instead of a person’s bank account. Would IT security respond more vigorously if the same process was used to disseminate messages en masse that affected institutions psychologically rather than a few individuals financially?
I can’t get too specific here because of ethical reasons. Suffice to say that in the past institutions have acted swiftly to track racist threatening e-mail messages sent within the United States; but other scenarios from abroad, where most phishing e-mail messages emanate, now are possible. After all, sparking fear in the populace is a priority of enemies of the state, and as such, research institutions might contemplate securing grants from Homeland Security to patch the breached spam filter system before it is used against universities with sensitive government contracts.
Paul Howell at Michigan and Jane Drews at Iowa agree.
"I think your question is a good one," Howell states, "in that it would likely prompt more discussion around preventative measures.
"I don't know what the ultimate solution is," Howell adds. "Perhaps digital signatures will be implemented and people will not accept e-mail from those (whose identity) they can't authenticate."
Jane Drews believes that the “answer has to be ‘yes’ to your question” about the phishing process inflicting fear instead of financial loss. “What you are suggesting,” she continues, “is where, what, and how shifts in the equation occur.” An increase in “fear, uncertainty, doubt or other psychological issue, or for that matter any kind of damage,” is likely to spur “an increase in resources to detect, track, prevent, and prosecute.”
“Don’t misunderstand,” she concludes, “people are working hard to counteract this threat. But I believe the most successful way today is through education. Technology solutions to counteract the threat will surely become more successful, too.”
Michael Bugeja is the author of Interpersonal Divide: The Search for Community in a Technological Age (Oxford University Press). His last column examined Duke's iPod experiment.