Solution To Phishing: Ignore All Requests For Info
from the email's-dead-for-info-requests dept
As people are trying to come up with a "solution" to the phishing problem, it appears some people have come up with a perfectly workable solution: don't respond to any email asking for personal info, no matter how legitimate it looks. Part of the problem is that the phishing scams are very, very realistic looking. However, a bigger part of the problem is that banks and other companies don't take the threat seriously. Thus, they end up sending out mail that looks just like the mail phishers send. Because they still send out emails like this, they're effectively killing email as a channel of reasonable communication about account info. People are simply going to default to ignoring everything, just in case it's a scam.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
phishing
I told them one thing they should do is send out all emails with HTML and with only text links. If everyone saw the exact URL, and could not be fooled by highlighted URLs that were different from their links, then that would cripple one method the phishing people use. the URL that is highlighted (usually blue) says one thing and the actual link is something like "http://65.whatever/ off in north korea, or nigeria.
they said that I could tell because it had their logo and some of my personal info in it that the phish ads would not.
i pointed out if someone had obtained that i had one of their cards, they could send out phish ads with 99% of what they had in their ad (only need to get my email address, and send me a phish email with each of about 10 or 15 major credit card issuers, and they are bound to hit the one I have.
Jim
[ link to this | view in chronology ]
There is a solution
[ link to this | view in chronology ]
Re: There is a solution
The only question I see is why does the bank need to send me an ordinary email telling me to look at the web site when I am perfectly capable of going there when I wish w/o that.
As I said earlier if they want us to go to their portals or web sites, or programs that do direct banking, don't send a link integrated right into the thing to go to that site. And explain that no email will ever point to the portal, ever, you have to figure your own way out to get there.
Then the phishing guys are out of business if someone is directed to a site that solicits their personal info.
your solution would still solve nothing if an innocent was directed to go check their capango account and were scammed out of the necessary info that way. still screwed.
[ link to this | view in chronology ]
Re: There is a solution
Banks may want to notify customers of any various items and they cannot just wait for the customer to visit the web site. Online banking, with approval proceses, is a classic example.
The private email network allows institutions to send information via a private email that cannot be spoofed. So the customer knows exactly what to look for in the private email. It is built-into the network system, not just an HTML tag in an SMTP email.
And this goes well beyond just your bank. Think of insurance, loans, credit card, and so many other trusted institutions that want a two-way electronic communication channel. Don't give that up just because the first try at it (the public "@" email system) failed. We just need to evolve.
[ link to this | view in chronology ]
Re: There is a solution
I hear what you are saying. I think you overlook that you and I as obviously more serious computer users, or at least serious enough to come back to this thread in a timely fashion, tend to look at email and probably interesting web sites quickly. probably 50 % of those I help and mentor won't go to their email any faster than a bank web site, so the medium as you say is not the problem. People may evolve, but I say that they can go to the web sites with security better than they can rely on crap drifting into their inboxes, like the current email system.
If you have to go to a web site, now you can get a secure connection that you initiate, and therefore can trust.
I will resist for a long time anything that comes to my email inbox and I have to wave a wand over to verify.
A system to do what you wish to have people do, and what I do by hand now, is not yet invented or thought of, or there would be another internet millionair out there now.
Looks like sendmail and yahoo are doing something, but I have not looked at it.
I reject having a commercial entity, or to any of these pay to send schemes in my email system. We'll end up with the same crap we have with ATM's debit cards, and no security there, and it still will cost $$.
Jim
[ link to this | view in chronology ]
E-billing can solve phishing!!!!
Companies are able to use business rules to personalize every aspect of their communication. This includes highly targeted offers, rather than generic bill stuffers that no one ever reads.
Companies can also conduct surveys [and] send out newsletters or service-change notifications.
[ link to this | view in chronology ]