Will New Domain Names Help Stop Phishing?

Written by Jeff on August 24, 2012
In 2011, phishing cost the financial industry alone an estimated 2.5 billion dollars, according to Avivah Litan, an Internet fraud analyst at Gartner, Inc.

The money is lost because victims fall for scams that trick them into thinking they are visiting a legitimate site when in reality they are being taken advantage of.

A typical scam involves crafting an email that is identical to the template used by a bank or other financial institution. Because the mail looks right, the victim clicks a link that takes them to a site that is also a copy of the financial institution the criminal claims to represent.

Since everything looks right, the victim trusts the site and logs in with their account information, user name and/or password. However, instead of a successful login, the victim has just handed their credentials to the criminal who sent the email in the first place.

Since everything looks legitimate, even down to the domain name, it’s no wonder so many people fall for this type of scam.

Can it be as simple as changing the domain name?

Clever criminals can easily make a domain name look like it belongs to a legitimate financial institution. For instance, a scam artist may register password-reset.com as a domain name. They can then create subdomains such as paypal.password-reset.com, chase.password-reset.com, wellsfargo.password-reset.com or bankofamerica.password-reset.com. The brand name is the first thing the victim reads, but the only part a registrar actually sold is password-reset.com, which belongs to the criminal.

Others play on the fact that people fail to read the URL completely, using bankofmerica.com or payal.com to trick their victims into thinking they are visiting the actual website. (In case you missed it, the "a" in America is missing, as is the "p" in pal.)

An email claiming that the recipient's password needs to be reset, with a link that uses one of these naming conventions, could easily lure an unsuspecting victim into believing the request is legitimate, especially when you consider how often password databases are compromised these days.

Now both the link in the email and the domain displayed in the address bar look like the real thing.
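The two tricks above (a brand name used as a subdomain of someone else's registration, and a domain one letter away from the real one) can both be caught mechanically. The following is an added example, not code from the original post: it extracts the registrable domain from a URL, checks whether a known brand name appears only as a subdomain label, and scores the registrable domain's edit distance against the real brand domains. The suffix list and the brand table are constructed stand-ins for illustration; a real check would use the Public Suffix List and the organisation's own list of legitimate domains.

```python
"""Lookalike-domain checks for the subdomain and typo tricks described above.

Added example, not from the original post. PUBLIC_SUFFIXES is a tiny
hand-written stand-in for the real Public Suffix List and BRANDS is a
constructed brand table; both are assumptions for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed: a minimal stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Assumed: brand name -> the domain the brand legitimately owns (constructed).
BRANDS = {
    "paypal": "paypal.com",
    "chase": "chase.com",
    "wellsfargo": "wellsfargo.com",
    "bankofamerica": "bankofamerica.com",
}


def registrable_domain(host: str) -> str:
    """Return the part of the host name that a registrar actually sold.

    'paypal.password-reset.com' -> 'password-reset.com'
    'www.paypal.co.uk'          -> 'paypal.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest public suffix first, then the shortest.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one dropped letter ('bankofmerica') scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple[str, str]:
    """Classify a URL against BRANDS.

    Returns (verdict, registrable_domain) where verdict is one of
    'legitimate', 'subdomain-spoof', 'typosquat' or 'unrelated'.
    """
    # Accept bare hosts as well as full URLs.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    reg = registrable_domain(host)
    if reg in BRANDS.values():
        return "legitimate", reg
    # A brand name appearing anywhere left of the registrable domain is
    # the paypal.password-reset.com trick.
    if set(host.lower().split(".")) & set(BRANDS):
        return "subdomain-spoof", reg
    # A registrable domain within one edit of a real brand domain is the
    # bankofmerica.com / payal.com trick.
    for real in BRANDS.values():
        if edit_distance(reg, real) <= 1:
            return "typosquat", reg
    return "unrelated", reg


if __name__ == "__main__":
    for sample in (
        "https://www.paypal.com/signin",
        "https://paypal.password-reset.com/reset",
        "http://bankofmerica.com/",
        "payal.com",
        "https://example.com/",
    ):
        print(f"{sample:45} {classify(sample)}")
```

The important design point is that the verdict is driven by the registrable domain, not by whatever brand string happens to appear in the URL; that is exactly the distinction the victim's eye skips over.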

To combat this method of trickery, the Internet Corporation for Assigned Names and Numbers, also known as ICANN, has made exclusive top-level domains available to businesses. So instead of dot-com, a business can register dot-paypal or dot-chase. The thinking is that without control of this exclusive name, the criminals who make their money from phishing would have a harder time tricking their victims.

Many in the financial industry have been quick to jump on this bandwagon. So far ICANN reports that industry-leading companies have paid over 3.3 million dollars to secure their exclusive names, at 185,000 dollars per application.

But the cost is worth it to the big players. According to Roland LaPlante, executive vice president and chief marketing officer at Afilias, "If someone goes to a dot-UBS site," he said, referring to UBS AG, "you know you're getting to your account on UBS."

Is it really that simple?

While this may seem like a great solution, not everyone in the financial industry is convinced that it is the best for their business. Wells Fargo, for example, has not registered one of the new domains as of yet.

Citing the upfront investment and a concern that its online brand would suffer as a result, Wells Fargo is not planning to use a new top-level domain for its online presence. "When's the last time you used a dot-biz or dot-info?" said Beverly Butler. As vice president of Wells Fargo's digital channels group, she does not see how the move would benefit the company.

Other financial institutions may follow suit, especially smaller ones that cannot afford the upfront cost of registering multiple names or lack the capital to rebrand themselves in order to stay competitive.

For those on the fence, there is still time to plan a strategy. The new names will not take effect until the second half of 2013, which gives them the opportunity to weigh the pros and cons of staying with the old system or moving to the new one.

Let us know if you think this strategy will work to keep phishers at bay, or if it is just another gimmick that will soon be exploited.

Comments

George Carlisle August 27, 2012

I think the solution is pretty simple: pay attention. It does not take a lot of time to CAREFULLY read the e-mail addresses, for God's sake. Seriously, it definitely annoys me when people, even businesses, start talking about how they've become victims of "phishing," giving away their passwords entirely for free and without sweat. I'd say, "Why don't you go read who sent the e-mail to you first?"

Here is another thing: give your bank or whatever business you're talking to a call. Normally they send out mass e-mails to their subscribers or customers. They reach out not only to you.

Bernie Sanchez August 27, 2012

Whoa! That's a whole lot of money and definitely something small businesses can afford. I hope this website will also provide statistics on small businesses that have fallen victim to phishers. This way, we can really measure if this ICANN decision is logical. If there are several small businesses that are also affected by phishers, I don't know how spending more than a thousand dollars can eventually help them. In fact, I could even believe that their start-up capital is way smaller than this investment in their domain name. At that point, this proposition is nothing but completely silly, out of this world, useless. Peace out!

Karen August 27, 2012

Honestly, this is so laughable. Seriously, spending hundreds of thousands of dollars for "domain name exclusivity"? Phishers are smart, you know. Otherwise, these people in the government could have already arrested the majority of them. Sooner or later, these phishers will eventually find out (or perhaps they already know about it, thanks for the special announcement, ICANN) and they will discover how to get around it. Should this happen, what will become of the "investment"? It goes poof! Nada! I will pity PayPal, Chase, and all these companies even if they have a lot of money to buy these special domain names.

Sam Moran August 27, 2012

@George: Harsh words, George, harsh words. But you do make a lot of sense, though. I guess one of the primary reasons why people don't read e-mail addresses is because panic overcomes them. "Who in the hell is trying to access my account?" That should scare you off.

Honestly, I'm hoping the government can help the industry by getting to the roots. Spending a hundred thousand dollars for an exclusive domain name is just a band-aid solution. The main problem is phishing itself. Once it's shaken down, no business has to spend that huge amount of money for protection.

Nympha Robles August 27, 2012

@George, I definitely get your point, and I normally say or think the same thing. However, if you read the article very carefully, it says that sometimes these phishers trick us with almost-identically-spelled e-mail addresses. You have got to admit that sometimes the eyes can trick us, or perhaps our brain already fills in the details once we can read the first and the last letters or syllables. I would not really blame phishing victims for that. I can't fully understand this move by ICANN, though it sounds promising. Needless to say, it's a huge dent in the pocket.

Michael Monner August 28, 2012

To answer the question, I don't think it will solve the problem at all. You see, scammers will always have a way with things, and they're going to figure out how to beat the new system. That would then be unfortunate for these huge companies who are spending a lot of money when they could have used it for something else, perhaps for more effective security protection. I think that the bulk of the responsibility falls on the users as well as the government. I know we have the law in place. It's just a matter of implementing it correctly.

Stephanie August 28, 2012

I think this is a novel move, something that would shake up phishers so they wouldn't be able to attack people that easily. Hopefully ICANN and other concerned organizations can use the time to eventually put these scammers behind bars. What I'm concerned about, like most of the people here, is the cost of doing it. It's too damn expensive, and we haven't any news yet on whether this actually works or not. So there's a huge risk. If it fails, then it becomes one very costly mistake. I also agree with @Bernie. It's an impractical system for small businesses that need protection too.
