POSTED BY Rebecca Rubin
Internet users are well-attuned to the prevalence of SPAM emails in their Inboxes. But really, some SPAM we assume is just clogging our Inboxes is merely an empty shell for a highly-intrusive hacking technique: phishing. Phishing is the reason SPAM emails can be so dangerous, and is the means employed to recover usernames, passwords, and banking information through manipulating website links and pretending to be actual emails from our favorite websites. While phishing is not a new phenomenon, recent news articles are popping up regarding its ever-growing danger to obtain easily accessible personal information. Yet, simultaneously Google is exploring methods to crack down on phishing scams, while the FBI targets phishing suspects by turning the tables and making dangerous hackers the bait.
While the average individual is a prime target for phishing attackers, large companies worldwide are not immune from being on the hook of attackers through the method of “spearphishing.” Recently, Indian companies reportedly lost $53 million in just three months from corporate inducements into revealing personal and financial information, making India the fourth nation attacked globally. The United States, United Kingdom, Australia, and Germany ranked high on the list of countries with targeted corporate enterprises and U.S. companies as a whole lost $882M during the same three-month span as India.
Due to these alarming figures and the prevalence of phishing overall, Google recently submitted a blog post explaining preventive measures for Gmail users and email solicitors to avoid phishing attacks. Google confirmed that email authentication standards are working and responding to this worldwide problem after almost a decade of no success. These implemented standards such as DomainKey Identified Email (DKIM) and Sender Policy Framework (SPF) allow for digital signature validation by recipients and provides overall methods to associate email messages with valid domain names. The proof of success is in the numbers – out of 91.4% of authenticated emails sent to Gmail users, a total of 74.7% are now filtered through these new standards.
The fight against phishing has also spawned darker methods, uncovering controversial issues in FBI battles to catch attackers such as detailed in a Washington Post article. Government desperation to thwart phishing scams is resulting in questionable violations of the Fourth Amendment relating to search and seizure. In response to multiple emailed, video chatted, and internet phone-based threats made in 2012 to detonate bombs at universities and airports by a mysterious phisher, “Mo,” the FBI’s most tech-savvy team of hackers designed malicious malware to infiltrate Mo’s accounts. The goal was to gather any and all information which may relay the location of Mo’s computer. The warrant to release the malware was finally issued in December 2012 but limited the search to a two-week window to activate the surveillance software. Yet, human error resulted in a misspelled email address on the warrant, and a new warrant had to be issued. It turned out, after all of the FBI’s effort the results were not so triumphant and Mo’s location remains largely unknown.
Many judges were reluctant to give out search warrants in similar cases that same year for uncrossed boundaries in search and seizure law. One critic, Georgetown University law professor Laura K. Donahue, commented, “You can’t just go on a fishing expedition…There needs to be a nexus between the crime being alleged and the material to be seized. What they are doing here, though, is collecting everything.” Relevant worries about the highly intrusive nature of the internet, even to potential criminal defendants, may lead to a sea of cases regarding phishing and search and seizure concerns in multiple courts, reflected by the current lack of consensus related to granting warrants.
While Google’s efforts are restricted to Gmail users, it is no small feat against phishing scams and will likely cause other email providers and domain managers to follow suit with stricter authentication policies. Yet, the FBI’s methods are not exactly setting an example for email users or potential phishers. Since there are no legal limitations on this new policing method, judges are being cornered to weigh in on serious issues during a rushed window of time to target potential security threats. While law enforcement’s methods may be promising, the controversial risks and inefficiency posed by having to go through the legal process to obtain warrants may not be worth the effort. A quieter and seemingly successful solution appears to have been achieved by Google, but of course higher security risks tend to prompt heightened needs for protection. As phishing in the public sphere decreases, it may continue to thrive in private legal matters. Let’s just hope human error does not promote malware to be mistakenly sent to the wrong email address, and that phishing by law enforcement leads to success stories in the future.