Going phishing

From today’s Guardian:

As scams go, the email was hardly sophisticated. “Hello dear client Barclays Bank,” it warned recipients. “Today our system of safety at night has been cracked!!! It not a joke!!! It is the truth!!! We ask you, in order to prevent problems, to repeat registration of your data. Make it very quickly! Administration Barclays Bank.”

But new research reveals the scale of a fraud which has already cost British banks hundreds of thousands of pounds after customers have been fooled by these apparently crude messages into divulging their online banking passwords to organised criminals.

The survey by the email security consultants MessageLabs will make grim reading for the online banking industry, which now boasts 11 million users. The scams, which first hit Britain last August, may range from the inept to the highly complex but they are starting to hurt.

“Phishing scams are pretty sophisticated, it’s high level social engineering,” said Mark Sunner, chief technical officer at MessageLabs. “They must be working because we are seeing so much of it. All the major banks are saying it’s a problem. Initially they were worried about loss of reputation, now it’s loss of money.”

We need psychiatrists here, folks. For this kind of ‘social engineering’ (nice Orwellian phrase, that) to work, people have to be extraordinarily stupid. Yet they are. That’s also why virus writers increasingly rely on gullible users to open rogue attachments as a way of disseminating malicious code. Why do people fall for this?

Moreover… I first came across the term ‘social engineering’ in Karl Popper’s writings — especially The Open Society and its Enemies. He was attacking ideologies requiring wholesale political reconstruction of society (what he called “utopian social engineering”) because they led inevitably to tyranny and totalitarianism. An open society, in contrast, would be based on step-by-step reform (“piecemeal social engineering”), in which every step could be critically examined and corrected. Seems such a far cry from phishing expeditions.