October 7, 2019
Don’t Get Hooked on Phishing
By Andrew Kennedy, BITS-BPI Cybersecurity Advisor to fTLD
Online businesses have been lamenting phishing for decades. Phishing not only harms the direct victims, but also erodes general consumer trust which impacts all online commerce.
The number of fake websites created each month has grown to 1.4M [i]. Over a million phishing campaigns are launched each year [ii]. One in 25 branded emails is a phishing attack [iii]. Phishing accounts for 90% of data breaches [iv].
Despite the industry’s best efforts to contain phishing, technology-only solutions continue to fall short. Ultimately, phishing is a ‘social engineering’ exploit: it rarely takes advantage of technical vulnerabilities, but rather of the flaws we have as human beings.
This isn’t to say we should stop developing technical solutions. In fact, we should press on with more fervor than ever. fTLD Registry Services (fTLD) is leading the charge in expanding anti-phishing technical solutions to the Top-Level Domain (TLD) by creating TLDs free of lookalike domains.
However, it has also become clear that augmenting technical solutions with more human-focused solutions is required for improved outcomes. Traditionally, these human-focused solutions come in the form of education. In the banking industry, employees are required to undergo Security Awareness and Education training programs, but few other industries have such requirements. Meanwhile, the general public is typically left to self-educate, often after they become victims themselves.
Anti-phishing education itself is often a Byzantine process involving many steps:
Check the URL.
Check for security indicators.
Check the certificate itself.
Look for “Trust Marks”.
Check the domain using trusted third-party tools.
Check the domain’s “Whois” data to glean information on the domain owner.
Check the website to ensure there are no grammatical or spelling errors.
If the website has advertising, how invasive is it?
If you conduct these steps and the website passes, you should have high confidence (but not complete confidence) that the website is legitimate. But who are we kidding? Very few people, if any, are going to rotely follow each of these steps ahead of every online transaction they make.
Most reasonable people check the URL, hopefully confirm the lock icon is present and perhaps passively acknowledge a Trust Mark, should one be displayed. That’s it. Is this the best we can hope for from human-focused solutions? Let’s hope not. In the meantime, the bank and insurance industries have developed a solution that recognizes the most common approach people take to identifying an inauthentic site. Instead of looking for hints of suspicion, look for what is always in the same place: the TLD, specifically .BANK and .INSURANCE.
What makes the .BANK and .INSURANCE TLDs so important? fTLD, the registry behind .BANK and .INSURANCE, enforces strict Eligibility Policies that prevent phishers and other bad actors from acquiring these domains. Every domain in .BANK and .INSURANCE is owned and operated by an independently verified and regulated organization.
When consumers confirm the existence of the .BANK or .INSURANCE TLD in their URL bar, or in the ‘from’ address of an email[v], they implicitly know they are in a safe part of the Internet, walled off from the untamed wild west. This is a simple message that customers would love to hear. Instead of a complicated routine to verify authenticity, one simple step would achieve the same goal.
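The “check the URL” step above and the one-step .BANK/.INSURANCE check both come down to the same question: is the TLD in the right place? Below is an added example (not fTLD’s code, and the sample URLs and From headers are constructed) that extracts the TLD from a URL’s host and from the real address in an email From header, rejecting the usual tricks of a lookalike in a subdomain, in the path, in the userinfo before ‘@’, in the display name, or spelled with a non-ASCII lookalike letter. The function names and the PROTECTED_TLDS set are this example’s own, and as footnote [v] notes, the email check is only meaningful when the mail client honors DMARC, so the From address itself cannot be forged.

```python
"""Does a URL or an email From header actually land in .BANK or .INSURANCE?

Added illustration, not fTLD's code. Sample inputs below are constructed.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed for this example: the two TLDs the article discusses.
PROTECTED_TLDS = {"bank", "insurance"}


def tld_of_host(host: str) -> str:
    """Return the rightmost label of a hostname, lower-cased, without a
    trailing dot, in ASCII (IDNA) form so a Unicode lookalike label such as
    'b\u0430nk' (Cyrillic a) becomes 'xn--...' and can never match 'bank'."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return ""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def url_in_protected_tld(url: str) -> bool:
    """True only if the URL's host (not the path, not the userinfo) ends in
    a protected TLD. urlsplit().hostname drops the 'user@' part and the port,
    so 'https://login.bank@evil.example/' resolves to host 'evil.example'."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    return tld_of_host(parts.hostname) in PROTECTED_TLDS


def sender_in_protected_tld(from_header: str) -> bool:
    """True only if the address in a From header, not its display name, is
    in a protected TLD. Only trustworthy where the mail client enforces DMARC
    (the article's footnote [v]); otherwise the address itself may be forged."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return tld_of_host(addr.rsplit("@", 1)[-1]) in PROTECTED_TLDS


# Constructed samples: input -> expected verdict.
SAMPLE_URLS = {
    "https://www.example.bank/login": True,
    "https://example.insurance": True,
    "https://example.bank.evil.example/": False,        # .bank is a subdomain
    "https://login.bank@evil.example/": False,          # .bank in userinfo
    "https://evil.example/secure/example.bank": False,  # .bank in the path
    "https://example.b\u0430nk/": False,                # Cyrillic 'a' lookalike
    "https://192.0.2.1/": False,                        # bare IP, no TLD
}
SAMPLE_FROM_HEADERS = {
    "Alerts <alerts@example.bank>": True,
    "alerts@example.insurance": True,
    "Example Bank <alerts@evil.example>": False,        # lookalike display name
    "alerts@example.bank.evil.example": False,          # .bank is a subdomain
}


def run_samples() -> list:
    """Return every constructed sample whose verdict differs from the
    expected one; an empty list means all checks behaved as intended."""
    wrong = [u for u, exp in SAMPLE_URLS.items() if url_in_protected_tld(u) != exp]
    wrong += [h for h, exp in SAMPLE_FROM_HEADERS.items()
              if sender_in_protected_tld(h) != exp]
    return wrong


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{url_in_protected_tld(u)!s:5}  {u}")
    for h in SAMPLE_FROM_HEADERS:
        print(f"{sender_in_protected_tld(h)!s:5}  {h}")
    print("mismatches:", run_samples())
```

The check deliberately trusts only what a browser’s address bar or a DMARC-enforcing mail client would show, which is the point of the article: the TLD is the one part of the address a phisher cannot move, so it is the one part worth looking at.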
Given that trust is paramount for financial services firms and their customers, web browser vendors, having seen no abuse in the .BANK and .INSURANCE namespaces, could in the future go the extra mile and build a native trust indicator into the browser for these highly responsible domains.
Are you on a safe website? If the domain ends in .BANK or .INSURANCE, you have the highest assurance you are!
[v] Applicable to email service providers or clients honoring DMARC records