FTC pushes e-mail standard

Treasury report on phishing

Related Links

A sharp rise in phishing attacks has prompted Federal Trade Commission officials to call on technology industry leaders to adopt an electronic authentication standard for Internet e-mail.

Industrywide adoption of such a standard could reduce the number of phishing victims, Sana Coleman, an FTC attorney, said last week at a Capitol Hill briefing on phishing. Internet e-mail companies and Internet service providers are all working on various authentication schemes to thwart phishing scams, she said.

Phishing victims receive e-mail notifications that appear to be from a well-known company or federal agency. In a recent study of the problem, officials at VeriSign Inc. found that 93 percent of all phishing attacks are sent from forged or spoofed e-mail addresses. Phishing is the latest incarnation of identity theft schemes.

Unsuspecting citizens who fall for the scam are redirected to a fake but realistic-looking brand-name Web site. If an e-mail message directs users to a URL containing an ampersand, the message most likely is the first stage of a phishing attack, said Dan Caprio, deputy assistant secretary for technology policy at the Commerce Department, who also spoke at the briefing. Americans for a Secure Internet, a coalition of e-commerce companies, trade associations and consumer groups, sponsored the event.

Once victims are redirected to the phisher's fake Web site, they are tricked into disclosing user names and passwords, downloading malicious code, revealing account numbers and personal identification numbers or disclosing credit card numbers.

On average, 4 percent of phishing attacks are successful, meaning victims disclose personal information that is then resold or used to gain unauthorized access to victims' bank accounts, said Ben Golub, senior vice president for corporate marketing affairs at VeriSign. In June, the company began offering an anti-phishing service based on its core electronic authentication services. VeriSign officials and other coalition members said they are concerned about the negative effect that phishing scams will have on citizens' confidence in e-commerce and e-government. One recent attack involved scammers creating a fake version of the federal government's Regulations.gov Web site.

The phishing problem must be tackled on multiple fronts, Golub said, not only on with technology but with legislation and public awareness. On July 15, President Bush signed an identity theft bill that stiffens penalties for aggravated identity theft. Perpetrators convicted of identity theft will now serve time in jail, Caprio said.

Further details of the FTC's call to industry leaders to attend an information technology summit on e-mail authentication standards will be announced in the Federal Register, Coleman said. The summit would be held sometime this fall.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.