Oct 07 2009
It takes a brave man to admit publicly that he almost fell for a phishing email, especially when he’s the head of one of the biggest law enforcement agencies in the world. It takes an even braver man to admit that his wife has forbidden him from doing any online banking in the future. But that’s exactly what FBI Director Robert Mueller did earlier this week; he told the world that he almost fell for a phishing scam recently.
I can’t blame Director Mueller in the least. Like most people who have a semi-public email address, I get several hundred spam and phishing emails a day. If I let my account go for a weekend, it’s not uncommon for me to end up with over a thousand messages in my spam folder and 40-50 that make it through several layers of protection to my inbox. And of those I can dismiss 90% with a glance. But it’s that last fraction of a percent that really worries me. I have to take a long, close look at them, and I still don’t know sometimes if they’re really phishing attempts or just poorly written emails from one of the dozens of people I have legitimate business with. If there’s any doubt in the end, I delete them without the email. I’m sure I’ve deleted some real emails from time to time, but I’d rather not take the chance.
I wish it was as easy as saying “Your bank will never send you a link to click on”, but the truth is there are a lot of banks that really will send you links in an email. To make matters worse, some of them will use odd domains or redirect through other company domains. It’s easier for them to market to you if they can send you a nice easy link to click on for that new mortgage. And we’ve all encountered marketing and sales professionals who don’t get it even if you try to explain until you’re blue in the face. Some IT professionals don’t understand it any better, and I’ve even run into some security professionals with the same weakness. Phishing emails are purposely confusing and as close to the real thing as they can get in order to get through.
I hate to bang the drum of “we’re losing the cyberbattle”, but right now, I think the tide is in favor of the bad guys. And I think it’ll get worse before it gets better. But unlike 10 or even 5 years ago, the FBI and other law enforcement agencies are getting geared up to make a real difference in the war. We’ve got a few years before the tide starts to turn again, but I think we’ll start seeing some effect much sooner. The FBI’s arrest of 33 people in Operation Phish Phry is a good start, but it’s only a drop in the ocean.
Update: Thanks to Walt Conway for letting me know I had the wrong link and sending me one for Operation Phish Phry as well.