Two weeks ago, I talked with security researcher Brendan O'Connor, who demonstrated how new online banking controls can be defeated by phishers. This week, Bassam Khan, vice president of marketing for Cloudmark, provides information on the chilling effect phishing is having on online commerce. Cloudmark, a messaging security company, asked the polling firm of Harris Interactive to contact 2,000 people about their experiences with online phishing. The survey, out this week, provides a snapshot of what's really happening and the ways in which online phishing has begun to alter the behaviors of those shopping online.
When is an attack not an attack?
Khan told me up front that a phishing attack is really not an attack. "If you think about it, it's not really an attack on the institution; it's more of an attack on the individuals. Institutions' systems are pretty locked down. It's very hard for an individual to hack into a bank system directly."
A user is much more vulnerable to a phishing attempt; the weak point is the person's willingness to give out information. Because someone has taken the effort to design a fraudulent site that looks like your bank's, and may even act like your bank's, it looks as if the attack is on the bank. Khan says "it's an attack on an individual, because they will give up their personal information."
How much is enough information?
The Harris Interactive survey found that one in seven people surveyed have given personal information. "We were pretty surprised about that. These are people who are going in and typing in personal information, even though it is optional. It might be a newsletter you sign up for, it could be something else you sign up for that just needs your e-mail maybe, but a lot of people--7 percent is a pretty significant number in the broad scheme of things--are going in and typing in all of the fields that they're being presented with."
"Look at the attackers, their business model--they actually have a business model; it's not just some person sitting in a garage, this disgruntled person, it's a business that they're running--and within that environment, the attacker's goal is to send out as many of these as possible. Get a large enough pool of people that are getting these infected attachments, eventually you'll get a large number that will click the link."
Banks aren't the only targets
Yet a recent check on the DSL Reports Phishtracker site shows that phishers target nonfinancial sites as well. "So the goal (here) is to get credit card information [from] the person, and obviously use the credit card in their own way. What's interesting, one of the really interesting things that came out of this--we weren't really expecting this kind of result out of the survey--was the potential impact on Internet commerce." And Khan said there's both good and bad in the Cloudmark report.
On the good side, about 70 percent of the people surveyed had changed their online behavior. But of that 70 percent, 20 percent said that in the future they'd decrease the number of transactions they do online, or do more double-checking before they complete a transaction. Khan supports the double-checking, but doing fewer transactions online, with a number as large as 20 percent, "could have tremendous impact on Internet commerce. That gets to the crux of this research." Khan says the call to action from this report is on better educating the user.
Antiphishing tips
Here are 10 antiphishing tips from Cloudmark, in association with Carnegie Mellon University:
- Do not open e-mails from unknown senders. (Spam e-mails can contain reply scripts that inform spammers that your e-mail account is active and that you click links.) Instead, delete and expunge them from your inbox.
- Do not assume the e-mail came from the person in the "from" field of the e-mail. E-mail addresses are often and easily spoofed.
- Never open an unsolicited attachment or click a link without verifying the sender.
- Do not enter personal information on Web pages unless you know the site and it is necessary. You should also avoid putting personal information (for instance, phone number, snail address, social security numbers, and so forth) on social networking sites such as MySpace and Facebook. The more personal information you put on the Web, the easier it is to steal your identity.
- Choose different passwords for school applications, social networks, banks, and so on, and change them every 6 to 12 months.
- E-mail claiming that there is a problem with an account, that you owe money, or that you are owed money, should be validated with a phone call or an e-mail to the appropriate party. Never use the information in the e-mail for contacting the party, look it up yourself.
- Use an alternate e-mail address for your banking information that you do not share elsewhere. This will help you to avoid confusion when receiving inbound e-mails regarding banking accounts and also better protect your personal information.
- Set up a spam filter that will weed out e-mails with malicious coding (designed to infiltrate or damage your computer without your consent).
- College students and faculty should install protection software before they get to campus. Students bring laptops infected with all sorts of contagions to the interior campus network, circumventing all firewalls and edge defenses.
- Be proactive and stay aware of current e-mail scams. Many educational institutions and IT publications report on current trends and spreading e-mail scams.
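As an added illustration of two of the tips above (the "from" field is easily spoofed; verify a link before clicking it), here is a small Python check run over a constructed message. It is example code written for this page, not Cloudmark's or Carnegie Mellon's; the envelope sender comes from Return-Path, the anchor regex and the two-label domain comparison are simplifications, and all addresses and hosts are made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the article): the From header claims a bank,
# but the envelope sender and the link target point elsewhere.
PHISH_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Security" <alerts@examplebank.example>
Content-Type: text/html; charset=utf-8

<p>There is a problem with your account. Sign in to resolve it:</p>
<a href="http://examplebank.example.attacker-host.example/verify">https://www.examplebank.example/login</a>
"""

# Simplified anchor matcher; a real filter would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def registered_domain(host):
    """Last two labels of a host (assumption: no public-suffix list needed)."""
    return ".".join(host.lower().split(".")[-2:])

def sender_domain(msg, header):
    """Domain part of the address in the given header, or '' if absent."""
    return parseaddr(msg.get(header, ""))[1].rpartition("@")[2]

def phishing_indicators(raw):
    """Apply the two tips; an empty list means neither indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom, ret_dom = sender_domain(msg, "From"), sender_domain(msg, "Return-Path")
    # Tip: the From field is easily spoofed, so compare it with the envelope sender.
    if ret_dom and registered_domain(ret_dom) != registered_domain(from_dom):
        warnings.append(f"From domain {from_dom} differs from envelope sender {ret_dom}")
    body = msg.get_body(preferencelist=("html",))
    # Tip: verify links before clicking; flag visible URLs that hide a different target.
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        target = urlparse(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(target):
            warnings.append(f"link text shows {shown} but points to {target}")
    return warnings
```

A message that passes both checks can still be a phish (legitimate banks often send through third-party relays, and link text need not be a URL), so this is a triage aid for the reader, not a replacement for looking the contact details up yourself.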
You can hear more of my conversation with Bassam Khan on this week's Security Bites podcast.
Have you changed your online habits as a result of phishing? TalkBack to me.