FTC pushes e-mail standard

Treasury report on phishing

A sharp rise in phishing attacks has prompted Federal Trade Commission officials to call on technology industry leaders to adopt an electronic authentication standard for Internet e-mail.

Industrywide adoption of such a standard could reduce the number of phishing victims, Sana Coleman, an FTC attorney, said last week at a Capitol Hill briefing on phishing. Internet e-mail companies and Internet service providers are all working on various authentication schemes to thwart phishing scams, she said.

Phishing victims receive e-mail notifications that appear to be from a well-known company or federal agency. In a recent study of the problem, officials at VeriSign Inc. found that 93 percent of all phishing attacks are sent from forged or spoofed e-mail addresses. Phishing is the latest incarnation of identity theft schemes.

Unsuspecting citizens who fall for the scam are redirected to a fake but realistic-looking brand-name Web site. If an e-mail message directs users to a URL containing an ampersand, the message most likely is the first stage of a phishing attack, said Dan Caprio, deputy assistant secretary for technology policy at the Commerce Department, who also spoke at the briefing. Americans for a Secure Internet, a coalition of e-commerce companies, trade associations and consumer groups, sponsored the event.

Once victims are redirected to the phisher's fake Web site, they are tricked into disclosing user names and passwords, downloading malicious code, revealing account numbers and personal identification numbers or disclosing credit card numbers.

On average, 4 percent of phishing attacks are successful, meaning victims disclose personal information that is then resold or used to gain unauthorized access to victims' bank accounts, said Ben Golub, senior vice president for corporate marketing affairs at VeriSign. In June, the company began offering an anti-phishing service based on its core electronic authentication services. VeriSign officials and other coalition members said they are concerned about the negative effect that phishing scams will have on citizens' confidence in e-commerce and e-government. One recent attack involved scammers creating a fake version of the federal government's Regulations.gov Web site.

The phishing problem must be tackled on multiple fronts, Golub said, not only on with technology but with legislation and public awareness. On July 15, President Bush signed an identity theft bill that stiffens penalties for aggravated identity theft. Perpetrators convicted of identity theft will now serve time in jail, Caprio said.

Further details of the FTC's call to industry leaders to attend an information technology summit on e-mail authentication standards will be announced in the Federal Register, Coleman said. The summit would be held sometime this fall.