Chapter 3 Improving Phishing Countermeasures

As the battle against phishing continues, many questions remain about where stakeholders should place their efforts to achieve effective prevention, speedy detection, and fast action. Do stakeholders have sufficient incentives to act? What should be the top priorities for the anti-phishing community? To provide insights into these questions we conducted 31 in-depth interviews with anti-phishing experts between May 2008 and May 2009. We selected experts from academia, Computer Emergency Response Team (CERT) centers, the Anti-Phishing Working Group (APWG) officers, law enforcement, and key industry stakeholders. We sought their expertise on the current and future state of phishing attacks, countermeasures that should be implemented to fight phishing more effectively , and incentives that various stakeholders have in their fight against phishing. The experts we interviewed agreed that phishing is evolving into a more organized effort. It is becoming part of a larger crime ecosystem , where it is increasingly blended with malware and used as a gateway for other attacks. Some of the experts suggested that incentives for fighting phishing may be misaligned, in the sense that the stakeholders who are in a position to have the 32 largest impact do not have much incentive to devote resources to anti-phishing efforts. In terms of countermeasures, experts identified improving law enforcement and shutting down money trails as top priorities. They also identified operating systems vendors, web application providers, browsers, and Internet service providers as stakeholders with key technology influence on phishing. Finally, experts agreed that education is an important factor that is not emphasized enough; however, they did not agree on the extent of the impact that education may have. We present these findings and a set of recommendations to improve countermeasures. Although previous reports have studied phishing and issued recommendations, to the best of our knowledge this is the first study that synthesizes the opinions of experts from different fields, and examines the incentives of various stakeholders to contribute to anti-phishing efforts. In response to the growing phishing problem, government agencies, industry groups, and consumer groups have conducted studies and issued recommendations [35, 52, 100, 105]. The Financial Services Technology Consortium's report is the first report that analyzed how phishing works by articulating the life cycle of phishing. It also encouraged financial institutions to assess the costs and risks associated with phishing, develop better intelligence on phishers through improved sharing, and invest and adopt in better mutual authentication. However, the report …