Phishers and other online scammers are well ahead of law enforcement officials and security experts right now in terms of techniques and tactics, but the good guys are closing the gap and may be able to claim victory within as little as two or three years, people involved in the fight against phishing say.
But that victory, if it comes, will not be easily won.
Experts say that there is no one answer to the question of how to stop phishing.
Consumer education efforts have begun to show results, but 3 to 5 percent of recipients still fall for phishing scams.
Some technology vendors have introduced tools that help uncover fraudulent Web sites, but scammers always seem to be one step ahead with new tricks. And law enforcement officials have made a few high-profile arrests recently, but successful prosecutions of phishers remain rare.
In the end, it will likely be a combination of education, technology, legislation and law enforcement that ends up making a serious dent in the phishing industry.
“I think there will be innovation required to solve this. We have the evolution right now where people are already trying to retrofit their solutions to fit the problem,” said Bill Conner, president and CEO of Entrust Inc., a security vendor based in Addison, Texas. “Were on the beginning edge of the innovation curve there.”
But, Conner said, the government needs to play a prominent role in the fight against phishing, too.
“What we learned [on the National Cyber Security Partnership corporate governance task force] is that DHS [U.S. Department of Homeland Security] didnt have the backbone to do anything on its own. This is the same. Its a Commerce and Justice issue.”
The bulk of the work done in finding and arresting phishers falls to the United States Secret Service and the FBI, which share jurisdiction on electronic fraud. Both agencies have agents trained specifically for fighting online crime, but their personnel and monetary resources only go so far.
“Theyve been very unsuccessful in catching phishers. The criminals are moving targets. They need to dedicate substantial resources to finding them,” said Eric Laykin, a director with Navigant Consulting Inc., in Los Angeles, and an experienced computer crime investigator.
“Its very expensive to follow the trail,” Laykin said. “But we need serious federal leadership on this. I dont see that we are there yet.”
While law enforcement agencies struggle to stem the tide of phishing scams and track down the perpetrators, some legislators have begun to push hard for a national law to help combat identity theft.
Sen. Dianne Feinstein, D-Calif., has introduced a bill that would require all federal agencies and companies conducting interstate commerce to notify customers when their private data is compromised.
And Sen. Patrick Leahy, D-Vt., last month introduced the Anti-Phishing Act of 2005, a bill that would make it illegal to create a Web site or e-mail message that purports to be for a legitimate business but instead attempts to steal personal information with the intent to commit identity theft or fraud.
Meanwhile, security experts say, phishers continue to hone their craft and raise the level of sophistication and authenticity in their scams.
“Theyve become much more sophisticated in the last three to six months. The level is very high. You used to be able to counter it with education, but now all the right hallmarks will be there on the e-mails and Web sites,” said Mark Sunner, chief technology officer of MessageLabs Inc., a New York-based provider of e-mail security services.
“The sophistication we see now is all to do with making them look absolutely perfect,” Sunner said. “The bad guys arent going to stand out anymore. These people know an awful lot about mail.”