Will New Domain Names Help Stop Phishing?
Written by Jeff on August 24, 2012
The money lost comes from victims falling for scams that trick them into thinking they are visiting a legitimate site when in reality they are being taken advantage of.
A typical scam involves crafting an email that is identical to the template used by a bank or other financial institution. Because the mail looks right, the victim clicks a link that takes them to a site that is likewise an identical copy of the financial institution the criminal claims to represent.
Since everything looks right, the victim trusts the site and logs in with their account information, user name and/or password. However, instead of a successful login, the victim has just handed their credentials to the criminal who sent the email in the first place.
Since everything looks legitimate, even down to the domain name, it’s no wonder so many people fall for this type of scam.
Can it be as simple as changing the domain name?
Clever criminals can easily make a domain name look like it belongs to a legitimate financial institution. For instance, a scam artist may register password-reset.com as a domain name. They can then create subdomains like paypal.password-reset.com, chase.password-reset.com, wellsfargo.password-reset.com or bankofamerica.password-reset.com.
Others play on the fact that people fail to read the URL completely, using bankofmerica.com or payal.com to trick their victims into thinking they are visiting the actual website. (In case you missed it, the "a" in America is missing, as is the "p" in pal.)
An email with a link that follows this naming convention, claiming that the recipient's password needs to be reset, could easily lure an unsuspecting victim into believing the request is legitimate, especially when you consider how often password databases are compromised these days.
Now the link, and the domain that is displayed in the URL look like the real thing.
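The two lookalike patterns above (a brand name used as a subdomain of an attacker-registered domain, and a one-letter typo in the brand's own domain) can be caught mechanically before a user ever sees the link. The following is an added example, not code from the original post; the brand list is constructed, and it assumes single-label top-level domains such as .com so that the registrable domain is simply the last two labels (a real deployment would use the Public Suffix List).

```python
"""Flag hostnames that imitate a known brand, as in the phishing examples above.

Constructed example. LEGIT is a made-up allow-list; registrable_domain()
assumes a single-label TLD (.com, .net), which is a simplification.
"""
from urllib.parse import urlsplit

# Constructed: legitimate registrable domain for each brand we care about.
LEGIT = {
    "paypal": "paypal.com",
    "chase": "chase.com",
    "wellsfargo": "wellsfargo.com",
    "bankofamerica": "bankofamerica.com",
}


def registrable_domain(host):
    """Return (registrable domain, subdomain labels) assuming a 1-label TLD."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches bankofmerica/payal-style typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'legit', 'brand-in-subdomain', 'typosquat' or 'unrelated' for a URL."""
    host = urlsplit(url).hostname or ""
    reg, subs = registrable_domain(host)
    if reg in LEGIT.values():          # www.paypal.com -> paypal.com -> fine
        return "legit"
    second_level = reg.split(".")[0]
    for brand in LEGIT:
        if brand in subs:              # paypal.password-reset.com
            return "brand-in-subdomain"
        if edit_distance(second_level, brand) <= 1:   # bankofmerica.com, payal.com
            return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "http://paypal.password-reset.com/",
              "http://bankofmerica.com/login", "http://payal.com", "https://example.com"):
        print(u, "->", classify(u))
```

The edit-distance threshold of 1 is a heuristic: it will also flag innocent short names one letter away from a brand, so in practice the verdict should feed a review queue rather than block outright.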
To combat this method of trickery, the Internet Corporation for Assigned Names and Numbers, also known as ICANN, has made exclusive addresses available to businesses. So instead of dot-com, a business can register dot-paypal or dot-chase. The thinking is that without access to this exclusive name, the criminals who make their money off phishing would have a much harder time tricking their victims.
And many in the financial industry are quick to jump on this bandwagon. So far ICANN reports that industry-leading companies have paid over 3.3 million dollars to secure their exclusive names, each one costing 185,000 dollars to register.
But the cost is worth it to the big players. According to Roland LaPlante, executive vice president and chief marketing officer at Afilias: “If someone goes to a dot-UBS site,” he said, referring to UBS AG, “you know you’re getting to your account on UBS.”
Is it really that simple?
While this may seem like a great solution, not everyone in the financial industry is convinced that it is the best for their business. Wells Fargo, for example, has not registered one of the new domains as of yet.
Citing the upfront investment cost and a concern that their online brand will suffer as a result, they are not planning to use the new top-level domain for their company’s online presence. “When’s the last time you used a dot-biz or dot-info?” stated Beverly Butler. As the vice president for Wells Fargo’s digital channels group, she doesn’t see how this move will benefit the company.
Other financial institutions may also follow suit, especially the smaller ones who cannot afford to pay the upfront costs to register multiple names or have the capital to rebrand themselves in order to stay competitive.
For those on the fence, there is still time to plan their strategy. The new names won’t take effect until the second half of 2013, giving them the opportunity to weigh the pros and cons of staying with the old system or moving to the new one.
Let us know if you think this strategy will work to keep phishers at bay, or if it is just another gimmick that will soon be exploited.