A Computer Crime Called Phishing Information Technology Essay

Published: November 30, 2015 Words: 5905

Background to the Project

Nowadays, computers are becoming more powerful, cheaper, and more user friendly. As they have improved, computers have multiplied in our society and our businesses, as have the computer systems that support their operations. This growth in the use and capability of computers has given rise to computer crimes. Computer crimes are most often described as crimes that are committed with the help of a computer. Computers nevertheless play numerous roles in high-tech crime.

Phishing attacks have reached a record high in the past two years, reaching approximately the 150,000-attack mark during the second quarter of 2009. Furthermore, the most common victims of phishing scams have been individuals who use computers. These individuals are tricked into disclosing their private and login information to spoofed websites that claim to belong to a social networking website, a bank's website, and so on.

Among the organizations who incurred and identified financial losses because of computer security breaches, most of them were unable to quantify the losses. The approximations of the incurred losses are presented below:

48% reported between one to five security incidents in the year

65% detected computer viruses

42% reported occurrences that were produced by sources within the organization

47% reported theft of mobile devices and laptop computers

32% of the respondents suffered from incidents involving unauthorized use of their computer systems throughout the last year

In the area of ecommerce:

Every respondent experienced some kind of website incidents:

6% reported website defacement

9% reported experience of proprietary information theft

3% were targets of sabotage

9% were targets of financial fraud.

Introduction

Computer crimes can be described as criminal activities that involve illegal access (unauthorized access); illegal interception (by means of non-public transmission of computer data from, to or within a computer system); data interference (illegal deletion, damaging, alteration, suppression or deterioration of computer data); systems interference (interference with the functioning of a computer system by input, transmission, damage, deletion, deterioration, suppression or alteration of computer data); forgery; misuse of devices; and electronic fraud.

Moreover, computer crimes include information warfare, phishing scams, fraud, and identity theft. This project focuses on the phishing scam.

Phishing is a type of online identity theft that employs social engineering as well as technical subterfuge in order to steal user credentials such as user names and passwords. Furthermore, targeted data sources especially include Web pages, domain names, email spam, etc. Mounting a phishing attack may take several forms but the most famous one takes the form of a phishing message arriving at the user inbox or mailbox pretending to be originating from a bank, for instance, thereby directing the user to a webpage and requesting them to enter their credentials, but the webpage is not the one actually associated with the bank.

Commonly, Phishing e-mails will contain some of these elements:

The 'From' field that appears to be from the legitimate company referred to in the email. However, it is important to note that it is extremely easy to change the "From" information in any email client.

Secondly, the e-mail will typically contain images or logos that have been taken from the website of the company mentioned in the scam email.

Thirdly, the email will contain clickable links with text that deceives the victim into using the inserted link to validate or update their information. Within the image it is observed that once the hyperlink is highlighted, the bottom of the screen displays the real website address to which the user is directed. This hyperlink does not point to the legitimate website URL; in fact it points to a fake URL. Once the hyperlink is clicked and the URL is opened, the new webpage looks exactly like the original web page.
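The first and third elements can be checked mechanically. The following is an added example, not part of the original essay: it parses a raw message and flags links whose visible text names one host while the `href` points to another, and links that leave the domain claimed in the 'From' field. The sample message, the `thebank.example` domain and all function names are constructed for illustration; the lookalike host is the one the essay cites later.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample message, not a real e-mail. "thebank.example" and both
# addresses are placeholders invented for this example.
SAMPLE_EMAIL = """\
From: "The Bank Support" <support@thebank.example>
To: customer@mail.example
Subject: SECURITY UPDATE
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please validate your account details:</p>
<a href="http://www.thebank-validate.info/login">https://www.thebank.example/login</a>
<a href="https://www.thebank.example/help">Help centre</a>
</body></html>
"""

# A host name written out in the visible link text, with or without a scheme.
SHOWN_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(host, reference):
    """True if host equals reference or is a subdomain of it ('www.' ignored).

    Simplification: a production check would compare registrable domains
    using the Public Suffix List.
    """
    host, reference = _strip_www(host.lower()), _strip_www(reference.lower())
    return host == reference or host.endswith("." + reference)


def phishing_indicators(raw_message):
    """Return a list of (indicator, expected_host, actual_link_host) tuples."""
    msg = message_from_string(raw_message)
    address = parseaddr(msg.get("From", ""))[1]
    # The 'From' value is only a claim (it is trivially forged), so it is used
    # here as the identity the message pretends to have, not as proof.
    claimed = address.rpartition("@")[2].lower() if "@" in address else ""

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            html += body.decode(part.get_content_charset() or "utf-8", "replace")

    collector = LinkCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.links:
        target = urlsplit(href).hostname
        if not target:
            continue  # relative link, mailto:, etc.
        target = target.lower()
        shown = SHOWN_HOST.search(text)
        if shown and not same_site(target, shown.group(1)):
            findings.append(("text-href-mismatch", shown.group(1).lower(), target))
        if claimed and not same_site(target, claimed):
            findings.append(("link-outside-sender-domain", claimed, target))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print(finding)
```

A clean result does not make a message legitimate, since an attacker can also forge a 'From' address that matches the link domain; the checks only surface the inconsistencies described above.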

Therefore, in short, a phishing attack occurs when a user obtains a "spoofed" or fraudulent email that represents a trusted source, such as a retailer, bank, or a credit card company. This email leads the user to an equally fraudulent Web site that intends to maliciously gather sensitive and personal information including account information, PINs, and passwords. Phishing scams have been receiving wide press coverage as these attacks have been intensifying in number and sophistication.

The objective of this research paper is to define the nature, scope, and impact of the Phishing attack, and solutions to this attack, to provide the audience with information on ways of responding to phishing schemes and to recognize current and promising approaches to combating phishing.

Problem specification

The problem under investigation is the phishing scam. This is when a spammer or hacker employs spoof mails to direct computer users to fraudulent sites in order to obtain personal information, for instance passwords, a transfer of money, bank details, etc., from the user of the system.

There are several problems, both international and domestic, that are of immense concern to computer users:

1. Public trust in the Internet: Phishing weakens public trust in the Internet. This can make financial websites and consumers less likely to utilize the Internet for financial transactions.

2. Financial Loss: Depending on the type of fraud that a criminal commits with the help of stolen data, businesses and consumers may lose a lot of money.

Research Aims and Objectives

This project is an in-depth and detailed investigation about the challenges that the UK law enforcement agencies have encountered involving the computer crime called Phishing, and the reasons behind the difficulties they experienced in this context. Also, it presents a detailed analysis of what is currently being done to address Phishing and discuss whether new measures put in place by the police and law enforcement agencies may be successful.

Objectives of the project are:

To investigate the challenges that the UK law enforcement agencies have faced with Phishing.

To investigate what is currently being done to address Phishing in the UK.

To investigate whether the methods used to prevent phishing are effective.

To investigate whether there is great awareness for computer users about phishing.

To discuss whether the new measures set up by the UK law enforcement agencies are working as planned.

Literature Review

What is Phishing?

As mentioned in the previous sections, the term phishing is used to describe the technique used by criminals for creating and using emails and websites, designed to appear as though they come from well-known, legitimate and trusted financial institutions, businesses, and government agencies, in an effort to collect personal and financial information. These criminals intend to deceive Internet users and persuade them into revealing their bank and financial information, or any other personal data such as user names, passwords and PINs, or into unwittingly downloading malicious computer code onto their computers that may enable the criminals to subsequently access those computers or the users' financial accounts.

Although phishing, identity fraud, and identity theft are terms from the cyber crime world that are sometimes used interchangeably, some distinctions are in order. Phishing is best interpreted as one of a number of distinct methods that identity thieves use to 'steal' critical and sensitive information through deception, that is, by luring unprepared consumers into giving out their identification or financial information either unknowingly or under false pretenses, or by deceiving them into permitting criminals unauthorized access to their computers and personal data. The United Kingdom often uses the term "identity fraud" to refer broadly to the practice of obtaining and misusing the identifying information of others for criminal purposes. Additionally, identity fraud can also refer to the subsequent criminal use of the identifying information of others to obtain goods or services, or to the use of fictitious identification information in order to commit a crime.

The main aim of phishing is to allow criminals to obtain valuable and sensitive information about a consumer, typically with the goal of fraudulently gaining access to the customer's bank or other financial accounts. Most of the time, "phishers" will sell account numbers or credit card details to other criminals, achieving a very high profit on a comparatively small technological investment.

In general, phishing schemes rely heavily on the indiscriminate transmission of "spam" emails to an enormous number of Internet users, irrespective of the demographic characteristics of those users. However, certain phishing schemes may disproportionately have an impact on certain segments of the population. Apart from that, some phishing schemes, colloquially known as "spear phishing", attempt to target more potential groups of online users.

Significantly, the short-term effect of these scam mails is to trick and defraud individuals and financial institutions. Moreover, some prior data has suggested that in certain phishing schemes, criminals were able to persuade as many as 5 percent of recipients to respond to their emails, which results in a significant number of consumers suffering from credit card fraud, financial loss, and most importantly identity fraud. However, in the long run, phishing could undermine public trust in the use of the Internet for e-commerce and online banking. Even though data on phishing attempts provide essential indications about the dimensions of the phishing problem, many obstacles may prevent accurate and complete measurement. Firstly, the victim often has no idea how criminals obtained their information. A victim typically provides his/her personal information to phishers mainly because they think the solicitation is trustworthy enough. Consequently, the unexpected and unexplained charges that appear on their credit card statements usually occur after a delay from the time of the phishing solicitation, and the items involved have no relation to the original subject matter of the phishing websites and emails, so victims fail to understand that there is a connection between these events.

Secondly, companies and firms that are victimized by phishing attacks fail to report these events and instances to law enforcement. That is to say, unlike some other types of Internet-based crimes, like hacking, which may be conducted secretly, phishing, by its nature, involves misuse of legitimate agencies' and companies' names and logos. Nevertheless, some companies may be unwilling and reluctant to report such instances of phishing to law enforcement, partially because they are worried that if the exact volume of these phishing attacks were disclosed in public, their account holders or customers would either mistrust the companies or the companies would be placed at a competitive disadvantage, or both.

As indicated by these statistics, phishing continues to hold a place among the rapidly growing forms of online identity theft, which may cause both short-term losses and long-term economic damage. In either event, phishing scams and other similar identity thefts produce significant costs that can ultimately be incurred by customers in the form of higher prices from those merchants accepting credit cards or from the credit card companies.

How is a phishing attack committed?

Within a typical phishing scheme, criminals who wish to obtain personal information from people online first create illegal replicas of a real website and email, in other words, spoof a real website and email, normally from a company dealing with financial information, such as a financial institution or an online merchant. The email is created in the same style as emails from the legitimate agency or company, using its names, logos and slogans. The format and nature of the primary website creation language, HTML (Hypertext Markup Language), makes it extremely easy for a criminal to copy images or an entire website. While this ease of website creation is among the major reasons why the Internet has grown so rapidly as a communication medium, it also allows the abuse of trade names, trademarks, and other corporate identifiers on which consumers have been relying as mechanisms of authentication.

Typically, phishers then transmit the "spoofed" emails to as many people as possible in an effort to entice them into the scheme. In some spear phishing attacks, phishers have employed other illegal means of obtaining personal information concerning a group of people, and then targeted that particular group with emails that included the illegally gained information in order to make the emails more plausible. These emails redirect customers to a spoofed website that appears to belong to that same business or entity. Furthermore, the criminals are aware that although not all recipients will possess accounts or other existing relationships with such financial companies, some of them will have such accounts and hence are more likely to end up believing the websites and emails to be legitimate. Interestingly, the concept behind most phishing attacks is similar to that of "pretext" phone calls, that is, phone calls from callers purporting to be affiliated with legitimate companies or institutions and asking the call recipient for personal information. In fact, the criminals and masterminds behind these phone calls, websites and emails have no real connection with those companies or businesses. Their objective is to obtain the personal data of consumers in order to engage in several forms of fraud schemes.

Phishing schemes mainly depend on three elements.

Firstly, phishing solicitations usually use familiar corporate trade names and trademarks, and recognized government agency logos and names. The use of such trademarks is effective in many cases since they are familiar to many Internet users and are likely to be trusted in the absence of closer scrutiny by the users. Furthermore, the indicators that web browsers provide for assessing the security and validity of a website, for instance the address bar or the lock icon, can all be spoofed. This problem is further compounded by the lack of standard protocols among financial institutions concerning how they will interact with their customers and what type of data they will request through the Internet.

Secondly, the solicitations often contain warnings that are intended to cause the recipients immediate worry or concern regarding access to an existing financial account. Typically, phishing scams create a sense of insecurity and urgency by warning victims that failure to comply with instructions will result in the assessment of fees or penalties, account terminations, or other similar negative outcomes. The fear created by such warnings further clouds the consumer's ability to judge whether or not the messages are authentic. Even if only a small number of the people receiving these fraudulent warnings respond, the ease with which these solicitations may be distributed to thousands of people produces a sizeable pool of victims.

Thirdly, the solicitations also rely on two concepts pertaining to security and authentication of the emails:

Online consumers routinely lack the tools and technical knowledge for authenticating messages from e-commerce companies and financial institutions.

The available tools and techniques are insufficient for robust authentication as well as subject lines in order to make the emails appear to be originating from trusted sources, recognizing that many recipients will not have an effective way to verify the true provenance of the emails.

The Phishing Threat

Social Engineering Factors:

Generally, phishing attacks rely upon a mixture of social engineering practices and technical deceit. In the majority of cases, the phisher must persuade the victim to perform a series of actions that will provide access to confidential information. Communication channels such as web pages, email, instant messaging services and IRC are the most popular. In all these cases, the phisher must impersonate a trusted source, such as an automated support response from the victim's preferred online retailer or the help desk of a bank, for the victim to believe them. To date, the most successful and widespread phishing attacks have been triggered by email, wherein the phisher impersonates the sending authority by spoofing the original source's email address and imitating the appropriate corporate logos. For instance, the victim gets an email from, say, [email protected], where the address is spoofed, with the subject line 'SECURITY UPDATE', requesting them to follow the URL www.thebank-validate.info, a domain name belonging to the attacker and not the bank, and provide their banking PIN number.

Nonetheless, the phisher has many other nefarious techniques for making victims of social engineering surrender their confidential information. A real example is illustrated below, where the email recipient is most likely to have believed that their banking account and financial information had been misused by someone else in order to purchase unauthorized services. The victim would then attempt to communicate with the email sender to notify them of the mistaken transaction and request them to cancel it. Depending on the specifics of the scam, the phisher would then ask the recipient to enter their confidential details in order to reverse the transaction, thereby verifying the email address, which can potentially be sold on to other spammers, and capturing sufficient information to complete a real transaction.

Types of phishing attacks:

1. Spoofing web sites and e-mails

Phishing attacks fall into several categories, the earliest form being email-based attacks, which date back to the mid-1990s. Essentially, these attacks were driven by spoofed mails sent to online users, in which attackers attempted to persuade the victims to send back their account information and passwords. Though such attacks may still be successful nowadays, the success rate from the attackers' viewpoint is relatively lower because many users have learned not to send sensitive information through emails. The main and possible reason is that many security-sensitive companies and firms such as banks do not offer interactive services since they are able to rely upon encryption technologies such as SSL. As a result, a typical user would find a request to send sensitive information, like passwords, via email suspicious, especially taking into account the fact that numerous Internet users nowadays receive a huge number of spam emails from senders whom they do not know.

Therefore, many phishing attacks currently rely on a more sophisticated combination of spoofed web sites and emails in order to steal information from victims worldwide. Such attacks are the most widespread and common forms of phishing attacks today. In a typical phishing attack, the attackers send a large number of spoofed e-mails, which appear to come from a legitimate organization such as a bank, to random users and attempt to urge them to update their private bank account details and personal financial information. The victims are then routed to a web site that is controlled by the attackers themselves. This site looks like an exact duplicate of the familiar online banking web site, and thus users are asked to type in their personal details and fall prey to the attack. Since the victims are directly communicating with a web site that they think they know, the success rates of such attacks are much higher than those of e-mail-only phishing attacks. Apart from emails, as an alternative form of message delivery, attackers have employed instant messaging systems like ICQ or infrastructures like Internet Relay Chat (IRC) to try to persuade and direct users to spoofed web sites.

When the victim follows a spoofed hyperlink, attackers adopt various and more sophisticated techniques so as not to raise suspicion and to present the phishing web site as being as secure and authentic as possible. A good example of this is the use of URLs and host names that are altered and modeled so that they appear legitimate to inexperienced users. Some attacks also use hidden images and frames as well as JavaScript code in order to control the way the web page is rendered by the browser of the targeted victim.

2. Exploit-based phishing attacks

Some phishing attacks are technically more sophisticated and make extensive use of well-known vulnerabilities in popular web browsers such as Internet Explorer in order to install malicious software, i.e. malware that gathers sensitive information about the victim. For example, a key logger might be installed that logs all pressed keys every time a user visits a particular online banking web site. Another possibility for the attacker would be to alter the proxy settings of the user's browser so that all the web traffic initiated by the user passes through the attacker's server, in order to perform a typical man-in-the-middle attack.

In order to counter exploit-based phishing attacks, as well as many other security threats that are directly concerned with browser security such as spyware, worms, and Trojans, browser manufacturers are required to ensure that their software is bug-free and that users are kept up to date with the latest security fixes.

Variants of Phishing:

During the first generation of phishing schemes, almost every phishing attack depended on the combination of fraudulent emails containing links to fraudulent web sites with the aim of obtaining Internet users' personal information. However, over the past couple of years, online criminals have rapidly refined their phishing attacks by incorporating a variety of other techniques for contacting potential victims or obtaining their information.

Spear Phishing:

Spear phishing is an informal term used to describe any highly targeted phishing attack. In other words, spear phishers mount the attack by sending spurious emails that appear to be genuine to a specifically identified group of Internet users, such as users of a specific product or service, members or employees of a particular company, online account holders, a government agency, an organization, a well-established group of professionals, or a social networking web site. As with a standard phishing email, the message appears to come from a trusted source, such as a colleague or an employer who is likely to send email messages to every person or a select group of persons in the company, for example the computer systems administrator or the head of human resources. Since it arrives from a trusted and known source, the request for sensitive data like user names and passwords appears more plausible.

Whereas traditional phishing scams have been designed to rob individuals of their valuable and personal information, certain spear phishing scams may incorporate other techniques, ranging from computer hacking to "pretexting", in order to obtain additional personal information required to target a specific group of Internet users or to enhance the credibility of phishing emails. In essence, some criminals may utilize any data they can with the main aim of personalizing a phishing scam to as select a group as possible.

Redirection and other malicious code based schemes

A second technique employed by phishers is to cause targeted Internet users to unwittingly download certain types of malicious software onto their office or home computers. One form of phishing scheme that makes use of malicious code is the "redirection" scheme. Normally, whenever an Internet user types the address of a particular website into a web browser, the computer directs the user to the correct web site. In the redirection scheme, however, malicious code added by the phishers changes the code inside the user's computer so that when the user attempts to access a particular web page or site by entering the correct address, the user is redirected, without his knowledge, to a phishing web site that closely resembles the original web site that the user intends to access.

Furthermore, another kind of malicious-code-related phishing scheme includes the use of keylogging software, as aforesaid, or a "backdoor". A backdoor is a secret entry point into a program that allows someone aware of the backdoor to gain entry without going through the usual security access procedure. Also known as trapdoors, backdoors have been used by programmers for debugging and testing programs. In other words, to debug the program the developer may want to gain special privileges or to avoid all the setup and authentication processes otherwise required during normal entry. The backdoor is software code that recognizes a special sequence of input or is triggered by being executed from a particular user ID or by an unexpected sequence of events. Backdoors become threats when unscrupulous programmers and developers use them to gain unauthorized access. However, it is difficult to implement operating system controls for backdoors. For that reason, security measures must mainly focus on program development as well as software update activities.

Therefore, once the phisher has induced the Internet user to unknowingly download malicious code that includes keylogging software onto their computer, the keylogger is set to operate only when the Internet user uses an Internet browser to access an online financial account. By recording the keystrokes entered by the user during the log-in process, and then retrieving the corresponding keystroke data, the phisher is later able to use that data to reproduce the Internet user's username and password, and thereby access the user's account in order to make substantial withdrawals from it. Additionally, the phisher may also employ "backdoor" code in order to conduct the financial transaction directly from the user's own computer. In essence, the latter technique aims at deceiving the security personnel at the financial institution where the user holds his bank account. Furthermore, a user who attempts to report that illegal access and a transaction have taken place on his account is less likely to be believed at first when the security personnel of that financial institution trace the unauthorized transaction back to that user's computer.
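The essay does not say where on the computer the redirecting change is made; one well-known place is the operating system's hosts file, which is consulted before DNS. The following added example (not from the original essay) audits hosts-file content for entries that pin a watched domain to a fixed address; `thebank.example`, the watch list, the function names and the sample file are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts-file content. 203.0.113.0/24 is a range reserved
# for documentation; "thebank.example" is a placeholder domain.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1      localhost
::1            localhost
203.0.113.77   www.thebank.example thebank.example
0.0.0.0        ads.tracker.example
"""

# Assumption: domains whose addresses should only ever come from DNS.
WATCHED_DOMAINS = {"thebank.example"}


def parse_hosts(text):
    """Yield (line_number, ip, [host names]) for each valid mapping line."""
    for number, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver would ignore it as well
        yield number, ip, [name.lower().rstrip(".") for name in fields[1:]]


def hosts_overrides(text, watched):
    """Return (line_number, host, ip) for every entry that pins a watched domain.

    Any local entry for such a domain is reported, whatever the address,
    because the name should be resolved through DNS rather than locally.
    """
    hits = []
    for number, ip, names in parse_hosts(text):
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watched):
                hits.append((number, name, str(ip)))
    return hits


if __name__ == "__main__":
    for hit in hosts_overrides(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print("hosts override:", hit)
```

To audit a real machine, pass the contents of the system hosts file (for example `/etc/hosts` on Unix-like systems) as `text`.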

Vishing

Vishing, or voice phishing, is a phishing technique that has gained substantial publicity lately. Vishing works in two different ways. One version of the scam is a technique wherein the consumer receives an email constructed in the same way as a phishing email, typically indicating that a problem exists with the account. Rather than providing a fraudulent link for the user to click on, the email offers a customer service number which the client should call, and the user is then prompted to log in using their account number and password. The other version of the scam involves calling customers directly and informing them that they should call the fraudulent customer service number immediately to protect their account. Furthermore, vishing criminals could also establish a false sense of security in the consumer's mind by "confirming" the personal information they have on file, such as the full name, address, credit card number, etc.

Significantly, vishing poses a specific kind of problem for two reasons. Firstly, vishing criminals may take advantage of cheap and anonymous Internet calling by using Voice over Internet Protocol (VoIP), which also permits the criminal to use simple software programs to set up a professional-sounding automated customer service line, similar to the ones used in almost all large firms. Secondly, unlike many phishing attacks, where the legitimate organization would not use email to request personal information from account holders, vishing actually emulates a typical bank protocol whereby banks encourage clients to call to verify and authenticate their information.

Even though legitimate banks will phone a client and pose questions to verify the client's identity, customers must remember that a bank will never ask about the client's PINs or passwords. Moreover, customers should never trust a phone number provided in an email and should rather contact the institution via a number that has been independently obtained or verified through directory assistance. As aforementioned, this may include the website or telephone number printed on the back of their credit cards or on the monthly account statements.

Law enforcement, consumers, and other private sectors must assume that, with the increase in public education on phishing attacks, criminals will not only continue to utilize their variants, but also produce additional variants as well as refinements of phishing techniques.

http://www.justice.gov/opa/report_on_phishing.pdf

http://www.parliament.uk/documents/upload/postpn271.pdf

http://www.internet-security.ca/internet-security-news-013/phishing-sites-represent-a-mounting-problem.html

Examples of computer crimes:

Phishing scam and fraud:

A phisher makes use of spoof mails in order to direct an Internet user to fraudulent and fake web sites to elicit a transfer of money or sensitive information, such as credit card details or passwords, from the user. Moreover, attacks are rapidly increasing, with banks and financial services accounting for more than 93% of brands hijacked or impersonated via bogus emails and web sites. These statistics indicate that almost all UK high street banks have been intensely affected by phishing.

Distributed Denial of Service (DDoS) attack

Phishers are capable of gaining control over multiple computers and can utilize them to attack multiple targets or a specific target. This was first done by a Russian crime gang in 2004, in an extortion attempt against UK gambling web sites during the Grand National held in 2004. Moreover, the National High Tech Crime Unit worked with Russian authorities to arrest the criminals responsible for the crime and assisted in setting up the Internet DDoS forum for sharing data about attacks.

Targets of Computer Crimes:

http://www.parliament.uk/documents/upload/postpn271.pdf

Specifically, some attacks do not have a particular target. Nonetheless, attacks against specific groups of computer or an individual computer are becoming increasingly common. Organizations with huge networks of computers, home computer users, or an entire infrastructure might be targeted. Moreover, attackers who use computers may also try to harm and damage the functioning of the CNI, that is Critical National Infrastructure that includes telecommunications, emergency services, and finance as well as energy distribution, all of which completely rely upon IT. Most of the CNI systems that were once isolated are once again connected to the Internet thereby increasing vulnerability.

Furthermore, there has been recent speculation about the prospect of terrorists using electronic attacks to target computer systems and networks. The National Infrastructure Security Coordination Centre (NISCC) has stated that the probability of terrorists performing an electronic attack against the CNI is presently low in comparison with other risks, such as the use of explosive devices, although the NISCC stresses that threats and targets can change quickly.

Increases in Computer Crime:

The 2002-2003 British Crime Survey found that 18% of households with Internet access said that their home PCs had been infected by a virus. This number had risen to 27% in 2003-2004. One-third of them said the virus had badly damaged their computer. Furthermore, the biyearly Department of Trade and Industry Security Breaches survey reported that 62% of UK businesses experienced a computer security incident during 2006.

These statistics tend to underestimate the actual situation, as several individuals or organizations may not be aware that the security of their computers has been compromised. Outlined below are the various reasons for the rise in computer crime:

Spread of Computers

Computers are becoming increasingly accessible as their cost decreases, leading to a remarkable growth in their usage, specifically in mobile and personal computing. Research studies have suggested that most home users are unaware of the possible threats arising from computer crime or might not possess the technical skills required to ensure their security.

Broadband:

A recent Ofcom study estimated that almost half of all Internet connections within the UK are always-on, high-speed broadband connections, with 30% of households having adopted this technology. These broadband connections allow for greater volumes of network traffic, but when coupled with poorly implemented computer security measures they raise the possibility of computer attacks.

Increasing financial motive for computer crime

Information security experts have suggested that the main motives behind computer crime have changed considerably. Conventionally, it was driven by a desire for recognition among peers and for demonstrating technical skills. Nevertheless, it is currently motivated financially.

Impact of Phishing:

Phishing has four distinct types of impact, both domestically and internationally, which are of major concern to the financial and commercial sectors and to law enforcement in the UK.

Direct Financial Loss:

Depending on the kind of fraud a criminal commits with the help of stolen identifying information, businesses and consumers might lose anywhere from a few hundred pounds to tens of thousands of pounds. Small-scale e-commerce businesses may be particularly hard-hit by these identity frauds. For instance, due to credit card association policies, online merchants who accept credit card numbers that later prove to have been acquired by identity theft might be liable for the entire amount of the fraudulent transactions involving that card number.

Erosion of Public Trust across the Internet

Significantly, phishing undermines public and consumer trust in the Internet. Phishing can make consumers less likely to use the Internet for business and financial transactions by making them uncertain about the authenticity and integrity of financial and commercial web sites and of the Internet's addressing system. Moreover, people who do not trust their exact location on the World Wide Web are less likely to use it for legitimate communications and commerce. This was supported by a 2005 Consumer Reports Survey that showed declining confidence in the security of the Internet. Among many findings, the survey observed that at least 9 out of 10 British Internet users have altered their Internet habits due to the unpredictable threat of identity theft, and among those adults, 30 percent said that they have reduced their overall usage of the Internet. Moreover, 25 percent said that they have stopped shopping online or making any online transactions, whereas 29 percent of those who still shop online said that they have considerably reduced the frequency of their purchases.

Troubles in Law Enforcement Investigations

Unlike other types of identity theft that law enforcement agencies are capable of investigating in a single geographic region, such as theft of mail, purses, or wallets, phishing, like other forms of crime that exploit the Internet, can be conducted from any geographic location where phishers can obtain Internet access. This may include cases in which a phisher sitting in one country takes control of a computer located in another country, and then uses that remote computer to host his phishing web site or send his phishing emails to Internet users residing in still another country. In addition, online criminal activities in recent years have often reflected distinct divisions of labor. In an online fraud scheme, for instance, the tasks of writing software code, finding hosts for phishing web sites, spamming, and other components of a full-fledged phishing operation might be divided between people at various locations. This means that in some phishing investigations, accurate and timely cooperation between law enforcement agencies in multiple countries is essential for identifying, tracing, and then apprehending the criminals behind the scheme.

Incentives for Cross-Border operations of Criminal Organizations

Law enforcement organizations in the United Kingdom are concerned that each of the preceding factors creates incentives for members of well-established criminal organizations located in various nations to conduct phishing schemes on a regular and systematic basis. Moreover, law enforcement already has indications that criminal groups within the UK are contracting or hiring hackers to produce phishing emails and web sites and to develop malicious code for use in all forms of phishing attacks.

Increases in Computer Crime

http://www.parliament.uk/documents/upload/postpn271.pdf

Solutions of Phishing

Research Methodology

Constraints

Conclusion

http://www.parliament.uk/documents/upload/postpn271.pdf

http://www.justice.gov/opa/report_on_phishing.pdf