Investigation of phishing to develop guidelines to protect the Internet consumer's identity against attacks by phishers
The original publication is available at http://www.sajim.co.za/
As widely publicized in the local media (Business Times 2005; Independent Online 2005; Mail & Guardian 2005), the first phishing scam imitating South African banks hit South Africa in May 2005 (Cobbett 2005; Vegter 2005a). Bank clients countrywide received emails purporting to come from local banks, requesting them to verify their personal account information. In response to the scam, all four of the major South African banks posted warnings regarding phishing on their Web sites during the same month (Cobbett 2005).
A White Paper on phishing explains that the word phishing originates in the term 'password harvesting fishing' (Honeynet Project and Research Alliance 2005). The Anti-Phishing Working Group (APWG), an industry association focused on eliminating identity theft and fraud that results from the growing phishing problem, describes phishing as a process using spoofed e-mails, designed to lure recipients to Web sites, where phishers attempt to trick consumers into divulging personal financial information, such as passwords and account numbers, in order to commit fraud (Anti-Phishing Working Group 2005).
In the often anonymous world of e-commerce, key factors such as passwords and account numbers identify consumers uniquely, in such a way that the Internet user can interact with others and conduct transactions via the Internet. Phishing is an online method that identity thieves can use to obtain the particular sensitive personal information necessary to commit identity theft. According to Roland le Sueur, head of Internet banking at First National Bank, the primary objective of phishing is to obtain money fraudulently from customers (Vegter 2005a). A phisher uses a stolen identity to contact the organization concerned, claiming to be the victim of the phishing attack, in order to illegally transact business with the organization, in the name of the client concerned.
Successful phishing of identities therefore leads to significant financial costs and losses for the victims. Identity theft cost Americans $52,6 billion in 2004 alone (Reuters 2005b).