(IJCNS) International Journal of Computer and Network Security, 59
Vol. 2, No. 10, 2010
Protecting Consumers from the Menace of Phishing
Vivian Ogochukwu Nwaocha
National Open University of Nigeria, School of Science and Technology,
Victoria Island, Lagos
webdevee@yahoo.com
Abstract: The number and sophistication of phishing scams
sent out to consumers is continuing to swell drastically. Banks,
Vendors, and a number of organizations who provide their
services online have had several incidents where their clients
have been swindled by phishers. The internet industry is starting
to take the threat very seriously seeing the exploding trend of
attacks and the tendency for the phish hits to afflict the big
industries. Today, both the spam and phishing enterprises are
blooming. These fraudsters send spam or pop-up messages to
lure personal and financial information from unsuspecting
victims. The hostile party then uses this information for
criminal purposes, such as identity theft and fraud. In spite of
the measures being taken by researchers, internet service
providers and software vendors to curb this scam, phishing
scams have been on the rise as phishers continue to devise new
schemes to deceive consumers. In this paper, we present the
different forms of phishing; highlighting specific phishing
features that would help consumers identify an imminent
phishing scam in order to avoid being phished. It is hoped that
promoting valuable consumer education would help protect
Internet users worldwide from becoming victims of phishing
scams. By providing their consumers with the tools, resources,
and guidance they need to protect themselves from these threats,
industries and organizations would equally help reduce the
threat of phishing attacks.
Keywords: consumers, emails, phishing, vishing, websites.
1. Introduction
Phishing attacks are rapidly increasing in frequency.
According to the Anti-Phishing Working Group (APWG),
[1] reports of phishing attacks increased by 180% in April
2004 alone, and by 4,000% in the six months prior to April.
A recent study done by the antispam firm MailFrontier Inc.
found that phishing emails fooled users 28% of the time.[2]
Estimates of losses resulting from phishing approached $37
million in 2002.[3]
The term phishing refers to the act of sending an e-mail to a
user falsely claiming to be an established legitimate
enterprise in an attempt to scam the user into surrendering
private information that will be used for identity theft. The
e-mail directs the user to visit a Web site where they are
asked to update personal information, such as passwords
and credit card, social security, and bank account numbers,
that the legitimate organization already has. [4]
A phishing attack is said to be successful when a user is
tricked into forming an inaccurate mental model of an
online interaction and thus takes actions that have effects
contrary to the user's intentions. The attacker can then use
this information for criminal purposes, such as identity theft
or fraud. Users are tricked into disclosing their information
either by providing it through a web form or by
downloading and installing hostile software. Once this is
done, the attackers have the information they want, which
puts the ball squarely in their court. This has been a very
successful avenue for attackers in the past. They have been
able to harvest various users’ personal information with
ease. As a whole, the Internet is unsecure because many of
the constituent networks are unsecure. [5]
The first major phishing attempt was made in 1995 against
AOL users (ASTALAVISTA, 2010). Back then, AOL just
recently finished adapting measures that prevented using
fake credit card numbers to open new AOL accounts.
Because of this Crackers resorted to the phishing to get real
credit card numbers from authentic users to create their
accounts. Phishers usually posed as AOL employees. These
fake AOL employees contacted their victims using instant
messaging in an attempt to get them to reveal their credit
card details. [6]
Due to the fact that many phishers were successful in
obtaining credit card details from AOL customers, they
realized that it might be profitable to attack online payment
institutions. Phishing has become a critical problem for
every major financial institution in the world. Nowadays,
phishers usually target people who deal with online payment
services and banks. Phishers now have the ability to target
specific customers of different financial institution. By
narrowing down the which bank service you are using,
phishers can then send targeted emails by posing as
employees from a specific financial institution. This makes
their data gathering attempts much more efficient and
difficult to stop. This process is referred to as ‘spear
phishing’. Some phishers have targeted VIPs and high-
ranking executives in a practice that has been labeled as
‘whaling’.
With the advent of social networking sites such as Facebook
and MySpace, phishers have now moved to new hunting
grounds. The details obtained from phishing on social
networking sites are known to be used in identity theft.
Phishers prefer targeting social networking sites because the
success rate is often high. In fact, experts have estimated
that 70% of all phishing attacks in social networking sites
are successful. This is because phishers use a fake login
page to track social networkers to punch in their login
details. File sharing sites like Rapidshare and Megaupload
have also been targeted by phishing schemes. Phishers
60
attempt to obtain login details to various premium accounts
to gain access to unlimited upload and download service
that are provided by the site.
There is yet another form of phishing where the scammers
exploit the phone channel to ask for sensitive information,
rather than sending e-mails and cloning trustworthy
websites. In some sense, the traditional phone scams are
streamlined by attackers using techniques that are typical of
modern, e-mail-based phishing.
2. Related Work
A number preventive and detective solutions for phishing
threats have been provided by MarkMonitor, Panda
Security, VeriSign, Internet Identity, Cyveillance, RSA,
WebSense, etc. [7], most of them are based on detecting
fraudulent emails and embedded URL, identifying and
closing down the scam site, bombing phishing sites with
dummy information (but apparently real) in order to confuse
the attacker making it difficult to distinguish real data from
dummy data. The use of digital certificates is also a solution
proposed as a countermeasure for phishing attacks.
However, investigations reveal that the use of digital
certificates for server authentication is not enough to
mitigate phishing threats. This is for many reasons, for
example many users do not pay enough attention to the
digital certificate details or many others do not have the
knowledge to perform a correct validation of the digital
certificate [8, 9]. In addition the attacker could decide not to
use encrypted traffic (HTTP instead of HTTPS).
These solutions are not sufficient to provide a secure
environment because most of them are reactive solutions
and others do not comply with security policies (e.g. deny as
default, allow only permitted, etc.). In particular for
blocking an attacker site, detecting fraudulent emails is like
making a black list, and this is the opposite of allowing only
permitted. Other solutions such as the use of two factor
authentication are not enough. If we authenticate the user,
we also have to authenticate the server because both entities
must be considered mutually untrusted. For this reason, in
order to work in a secure way in presence of innumerable
phishing attempts a multi-factor solution is required.
3. Common Phishing Procedure
The most common phishing scams involves sending a
fraudulent email that claims to be from a well-known
company. Below is an illustration of a typical phishing
procedure:
1. Mass 2. Phishing 3. Fraudulent
Email Email Website
The Modus Operandi of Phishing
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 10, 2010
• A fraudster initiates phishing by sending thousands,
even millions, of emails to different mail accounts
disguised as messages from a well-known
company. The typical phishing email will contain a
concocted story designed to lure you into taking an
action such as clicking a link or button in the email
or calling a phone number. [10]
• In the email, there will be links or buttons that take
ignorant consumers to a fraudulent website.
• The fraudulent website will also mimic the
appearance of a popular website or company. The
scam site will ask for personal information, such as
credit card number, Social Security number, or
account password.
• As soon as the user is tricked to take actions contrary
to his intention, phishing is said to be successful.
Thus, the user thinks he’s giving information to a
trusted company when, in fact, he’s supplying it to
a criminal.
4. Types of Phishing
3.1 Email and Bogus Website Phishing
The most common form of phishing is by email. In this
mode of phishing, phishers pretending to be from a genuine
financial institution, or a legitimate retailer or government
agency, ask their targeted victim to “confirm” their personal
information for some made-up reason. Typically, the email
contains a link to a phony Web site that looks just like the
real thing – with sophisticated graphics and images. In fact,
the fake Web sites are near-replicas of the real one, making
it difficult even for experts to distinguish between the real
and fake Web sites. As a result, the victim enters his
personal information onto the Web site – and into the hands
of identity thieves.
3.2 Vishing
The main text for your paragraphs should be 10pt font. All
body paragraphs (except the beginning of a section/sub- As
computer users have become more educated about the
dangers of phishing emails, perpetrators have begun
incorporating the telephone into their schemes. This
variation on the phishing ploy has been termed vishing,
indicating that it is a combination of voice (phone) and
phishing. In a typical vishing attempt, you would receive a
legitimate-looking email directing you to call a number.
This would connect you to an automatic voice system, which
would ask for your credit card information. In some cases
email wouldn't be involved at all. Instead, you would receive
an automated phone call requesting your account
information. Often the perpetrators would already have your
credit card number and would be requesting only the
security code from the back of the card.
Internet Voice, also known as Voice over Internet Protocol
(VoIP) or Internet telephony, is a relatively new technology
that allows you to make phone calls over the Internet.
Depending on the provider, VoIP can have several
advantages over conventional phone service, such as a flat
rate for long distance calls and no extra charge for popular
 (IJCNS) International Journal of Computer and Network Security, 61
features such as caller ID and voice mail. Internet voice
(VoIP) vulnerabilities are facilitating this form of fraud.
Users can telephone anonymously. In addition, caller ID
devices can be fooled into displaying a false source for a
call.
. type the website address of your online transaction and log
3.3.1 Samples of Phishing
Sample 1:
"Is this Mr. Shola? I'm calling from PSP Bank. Do you have
a Visa® card? I need to verify your account number because
it seems that someone may be fraudulently
charging purchases to your account. Can you read me the
account number and expiration date on the front of your
Visa® card? OK, now the last four digits on the back..."
Sample 2:
"Hello, Mr. Peter Johnson? I represent the ICC Company
and our records show that you have an overdue bill of $500
plus interest and penalties. You don't know anything about
this bill? Well, there could be a mix-up. Is your address 34
Hall Street? What is your Social Security number...?"
Sample 3:
"This is Inspector Danladi calling from the Economic and
Financial Crimes Commission. Are you Mr. Samuel? We
have received several reports of telemarketing
fraud involving attempted withdrawals from bank accounts
in your area. In order to safeguard your account, we need to
confirm your account number, could you please call out your
account number...”
3.3.2 Common Phishing Features
While phishing scams can be sophisticated, one needs to be
vigilant in order to recognize a potential scam. The
following features are often pointers that something is wide
of the mark:
… Someone contacts you unexpectedly and asks for your
personal information such as your financial institution
account number, an account password or PIN, credit card
number or Social Security number. Legitimate companies
and agencies don’t operate that way.
… The sender, who is a supposed representative of a
company you do business with, asks you to confirm that you
have a relationship with the company. This information is
on record with the real company.
… You are warned that your account will be shut down
unless you “reconfirm” your financial information.
… Links in an email you receive ask you to provide personal
information. To check whether an email or call is really
from the company or agency, call it directly or go to the
company’s Web site (use a search engine to find it).
… You’re a job seeker who is contacted by someone
claiming to be a prospective employer who wants your
personal information.
Vol. 2, No. 10, 2010
5. Tips for Spotting Phishing Scams
Essentially, fraudulent email and websites are designed to
deceive you and can be difficult to distinguish from the real
thing. Whenever you get an email about your account, the
safest and easiest course of action is to open a new browser,
in to your account directly. Do not click on any link in an
email that requests personal information.
5.1 Identifying Fraudulent Emails
There are many telltale signs of a fraudulent email.[11]
a. Sender's Email Address. To give you a false sense
of security, the “From” line may include an official-
looking email address that may actually be copied
from a genuine one. The email address can easily
be altered – it’s not an indication of the validity of
any email communication.
b. Generic Email Greeting. A typical phishing email
will have a generic greeting, such as “Dear User.”
Note: All PayPal emails will greet you by your first
and last name.
c. False Sense of Urgency. Most phishing emails try
to deceive you with the threat that your account will
be in jeopardy if it’s not updated right away. An
email that urgently requests you to supply sensitive
personal information is typically fraudulent.
d. Fake Links. Many phishing emails have a link that
looks valid, but sends you to a fraudulent site that
may or may not have an URL different from the
link. Always check where a link is going before you
click. Move your mouse over the URL in the email
and look at the URL in the browser. As always, if it
looks suspicious, don't click it. Open a new browser
window, and type https://www.paypal.com.
e. Attachments. Similar to fake links, attachments can
be used in phishing emails and are dangerous.
Never click on an attachment. It could cause you to
download spyware or a virus. PayPal will never
email you an attachment or a software update to
install on your computer.
Model of a fraudulent email
5.2 Identifying a Fraudulent Website
A phishing email will usually try to direct you to a
fraudulent website that mimics the appearance of a popular
website or company. The fraudulent website commonly
referred to as a ‘spoof ‘website will request your personal
information, such as credit card number, Social Security
number, or account password.
62
You think you are giving information to a trusted company
when, in fact, you are supplying it to an online criminal.
a. Deceptive URLs.
Be cautious. Some fraudsters will insert a fake browser
address bar over the real one, making it appear that you’re
on a legitimate website. Follow these precautions: Even if an
URL contains the word "PayPal," it may not be a PayPal
site.
Examples of fake PayPal addresses:
http://signin.paypal.com@10.19.32.4/
http://83.16.123.18/pp/update.htm?=https://
www.paypal.com/=cmd_login_access
www.secure-paypal.com
Always log in to PayPal by opening a new browser and
typing in the following: https://www.paypal.com.
The term "https" should precede any web address (or
URL) where you enter personal information. The "s"
stands for secure. If you don't see "https," you're not in a
secure web session, and you should not enter data.
b. Out-of-place lock icon.
Make sure there is a secure lock icon in the status bar at the
bottom of the browser window. Many fake sites will put this
icon inside the window to deceive you.
Model of a Bogus Website
6. Phishing Protection: Multi-factor Approach
The primary responsibility for protecting yourself from
phishers lies with YOU. Here are some steps you can take:
• Be on guard
Be wary of any email with an urgent request for personal,
account or financial information. Unless the email is
digitally signed (a method of authenticating digital
information), you can't be sure it is authentic.
• Don't fill out a form on a Web site unless you
know it is secure.
You should communicate information such as credit card
numbers or account information only through a secure Web
site or over the telephone. To ensure that you're on a secure
Web server, check its address in your browser's address bar.
It should begin with "https" rather than just "http." In
addition, there should be a symbol such as a padlock or key,
usually at the bottom of your browser window (not in the
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 10, 2010
Web page window). Double click on the symbol to see the
security certificate for the site and make sure that it matches
the site you think you're visiting. But beware - a scammer
may also use a secure Web site.
• Regularly check your bank, credit and debit
card statements (paper and online).
Verify each account at least once a month. Ensure that all
transactions are legitimate. If anything is suspicious, contact
your bank and all card issuers.
• Ensure that your browser is up to date.
Make sure that you have applied the latest security patches
and updates. If you use the Microsoft Internet Explorer
browser, go to http://www.microsoft.com/security/ and
download a special patch relating to certain phishing
schemes.
• Install and maintain antivirus and anti-spyware
Software.
Some phishing email may contain software that can track
your activities, disrupt your computer or simply slow it
down. Detect, manage and delete these threats by installing
effective antivirus software and antispyware and keeping it
updated, either automatically or by downloading updates
manually from the manufacturer's Web site.
• Consider installing a phish-blocking toolbar on
your Web browser.
EarthLink ScamBlocker is part of a free browser toolbar that
alerts you before you visit a page that's on EarthLink’s list
of known fraudulent phisher Web sites. It's free to all
Internet users and can be downloaded at EarthLink Toolbar.
Handle a vishing attempt as you would a phishing situation:
• Don't respond to it.
• Don't call a number given in an email.
• Don't give out your account information in
response to a phone call you didn't initiate.
Contact your credit card company directly and only by your
usual means.
7. Conclusion
It is thus important that consumers are watchful in
handing out critical user-specific information. Creating
passwords that use a combination of upper and lower
case and special characters will also contribute to a hard
data encryption. For businesses, educating employees on
how to recognise a phishing attempt makes it competitive
in computer security. It is also wise to install advanced
browsers that alert users when fraudulent or suspicious
websites are visited. Moreover, exchanging details should
be done in secured manner and channel where strong
cryptography is used for server authentication. In the
struggle against phishers and Internet scam perpetuators,
being a smart Internet user makes a difference. Internet
 (IJCNS) International Journal of Computer and Network Security, 63
Vol. 2, No. 10, 2010

fraud can be eliminated or reduced to a great extent when Author Profile

common sense and safety precautions are applied.
Vivian Ogochukwu Nwaocha is currently
involved in coordinating Computer Science and
Information Technology programs at the
National Open University of Nigeria. Her main
References research interests are computer security,
artificial intelligence, mobile learning and
[1] Anti-Phishing Working Group, Phishing Attack Trends
assistive technologies. A good number of papers authored by
Vivian have been published in various local and international
Report, April 2004. [Online]. Available: journals. Vivian has equally written a number of books which are
http://antiphishing.org/APWG_Phishing_Attack_Repor accessible online. She has participated in several community and
t-Apr2004.pdf. service development projects in Nigeria and beyond. Vivian is a
[2] Bob Sullivan, "Consumers Still Falling for Phish," member of Computer Professionals Registration Council of
Nigeria, Nigeria Computer Society, Prolearn Academy, elearning
MSNBC, July 28, 2004. [Online]. Available: Europe, IAENG society of Computer Science, IAENG society of
Artificial Intelligence, IAENG society of Bioinformatics and
http://www.msnbc.msn.com/id/5519990/
several online social networking communities.
[3] Neil Chou, Robert Ledesma, Yuka Teraguchi, and John
C. Mitchell, "Client-Side Defense Against Web-Based
Identity Theft," 11th Annual Network and Distributed
System Security Symposium, 2004. [Online]. Available:
http://theory.stanford.edu/people/jcm/papers/spoof
guard-ndss.pdf.
[4] WEBOPEDIA, Everything you need to know is right
here, 2010. [Online]. Available:
http://www.webopedia.com/TERM/P/phishing.html
[5] C. Douglas, “The INTERNET Book, Everything You
Need to Know About Computer Networking and How the
Internet Works,” Fourth Edition, pp. 311-312, 2006.
[6] ASTALAVISTA,"The Hacking and Security
Community, Introduction to Phishing”. July, 2010.
[Online]. Available:
http://www.astalavista.com/blog/5/entry-90-
introduction-to-phishing/
[7] Anti-Phishing Working Group, Vendor solutions, 2010.
[Online]. Available:
(http://www.antiphishing.org/solutions.html)
[8] R. S. Katti and R. G. Kavasseri, “Nonce Generation For
The Digital Signature Standard,” International Journal
of Network Security, vol. 11, no. 1, pp. 23-32, July
2010.
[9] C. Yang, “Secure Internet Applications Based on Mobile
Agents,” International Journal of Network Security, vol.
2, no. 3, pp. 228-237, May 2006.
[10] PayPal, Phishing Guide Part I, [Online]. Available:
https://www.paypal.com/cgi-
bin/webscr?cmd=xpt/Marketing/securitycenter/general/
UnderstandPhishing-outside
[11] PayPal, Phishing Guide Part II, “Recognizing
Phishing," [Online]. Available: https://www.paypal.com
/cgibin/webscr?cmd=xpt/Marketing/securitycenter/gene
ral/RecognizePhishing-outside