
Posts Tagged ‘phishing’

phishing solutions

Wednesday, February 11th, 2009

While trying to dig up the conversion rate for phishing attacks in the previous post, I stumbled across some very interesting findings from PayPal on their anti-phishing techniques. PayPal has actually managed to put together a fairly decent anti-phishing program. Most importantly – it works! (It is amazing how many people implement anti-phishing strategies that don’t work.) They have implemented a multi-pronged approach to combating phishing, smartly realizing that there is no single strategy that will work on its own. You can read their whole white paper (which I highly recommend), but here are the highlights:

  • Implement Sender Policy Framework (SPF).
  • Implement DomainKeys Identified Mail (DKIM).
  • Work with ISPs to enforce the previous two.
  • Use EV certificates.
  • User education.
  • Publish blacklist data.
  • Block old browsers.
  • Offer two-factor authentication.
  • Pursue litigation against fraudsters.

Honestly, this looks like a pretty good and fairly comprehensive anti-phishing program. Some of those things (SPF and DKIM in particular) have had an immediate impact for PayPal, and should have an immediate impact for anyone who implements them. They can also be implemented for minimal cost. IMHO, the industry should be getting behind these initiatives big time, as it will have an almost immediate positive impact on their bottom lines, as well as making users happier with less spam.
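To make the SPF bullet concrete, here is an added example (not from PayPal’s white paper or this post) of what a receiving mail server actually does with a published SPF record: it takes the domain from the envelope sender (the SMTP MAIL FROM), fetches that domain’s `v=spf1` TXT record, and walks the mechanisms left to right until one matches the connecting IP. The domain names, SPF records and DNS answers below are constructed fixtures so the code runs offline; they are not PayPal’s real records. Only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented, with the DNS-dependent `a`, `mx`, `ptr` and `exists` mechanisms reported as `permerror`.

```python
import ipaddress

# Constructed fixtures: a hypothetical domain's SPF TXT record, plus the TXT
# answers for its include: target and a deliberately broken record. These are
# stand-ins for DNS, not PayPal's real records.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all"
DNS_TXT = {
    "example.com": SAMPLE_SPF,
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "broken.example.com": "v=spf1 include:nosuch.example -all",
}

# Result produced when a mechanism with the given qualifier matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 limits DNS-querying terms per evaluation


def lookup_spf(domain, txt_lookup):
    """Return the v=spf1 record for domain, or None if it publishes none."""
    record = txt_lookup(domain)
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def evaluate_spf(domain, sender_ip, txt_lookup, _dns_budget=None):
    """Evaluate domain's SPF policy for a connection from sender_ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    txt_lookup(domain) -> str or None stands in for a DNS TXT query.
    """
    if _dns_budget is None:
        _dns_budget = [MAX_DNS_MECHANISMS]
    record = lookup_spf(domain, txt_lookup)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if "=" in term:                       # modifiers (redirect=, exp=) not handled here
            continue
        qualifier = "+"                       # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            _dns_budget[0] -= 1               # include costs one DNS lookup
            if _dns_budget[0] < 0:
                return "permerror"
            sub = evaluate_spf(arg, sender_ip, txt_lookup, _dns_budget)
            if sub in ("none", "permerror"):
                return "permerror"            # unresolvable include is a permanent error
            matched = sub == "pass"           # fail/softfail/neutral inside include: keep going
        else:
            return "permerror"                # a, mx, ptr, exists need real DNS; not modelled

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no all: neutral


if __name__ == "__main__":
    for sender in ("192.0.2.55", "2001:db8::1", "198.51.100.10", "203.0.113.7"):
        print(sender, "->", evaluate_spf("example.com", sender, DNS_TXT.get))
```

Two caveats a deployer should keep in mind. First, SPF authenticates the envelope sender domain, not the From header the user sees in their mail client, which is why the PayPal program pairs it with DKIM and with ISPs that actually act on the results rather than relying on SPF alone. Second, a record ending in `~all` (softfail) only asks receivers to be suspicious; it is the `-all` terminator that lets a receiver reject spoofed mail outright, so a domain that wants the immediate impact described above has to be confident it has listed every legitimate sending host before switching to `-all`.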

smishing

Thursday, February 5th, 2009

I know SMS phishing attacks (known as smishing) are nothing new, but based on a recent smishing attack I received, it looks like combining phishing attacks with phone numbers has made it possible for attackers to increase their effectiveness. Previously, phishers went by the same methods that spammers popularized ages ago – send your message to as many people as possible, and try to make it applicable to as many people as possible. Given the low conversion rates (Gartner estimates 3.3%), you need it to be seen by many people in order to have a few successful scams. That’s why phishing attacks always seemed to target places like PayPal and Bank of America – they had more customers, and therefore more of the people getting the fake email were likely to be fooled.

With that in mind, I was surprised when I got the following text message a few weeks ago:

This is an automated message from Lafayette Credit Union. Your ATM card has been suspended. To reactivate, call urgent at 888-xxx-xxxx.

I had never even heard of Lafayette Federal Credit Union before, and found it odd that a scammer was targeting such a small financial institution. A few days later I got another similar message purporting to be from FedChoice Federal Credit Union – another small financial institution. What I soon realized, though, is that both of these credit unions are local to the Washington DC area, and my cell phone has a 202 (Washington DC) area code. The scammers have decided to improve their business model. They’re targeting credit unions around the country and only sending people attacks that purport to be from local credit unions. In this way they hope to increase their conversion rate by only sending people relevant attacks.
