Like everybody else living on the web, I have received phishing mails for years and years. Not very many; they seem to come in waves. Initially these mails were so badly written and composed that I found them hilarious or, depending on my mood of the day, annoying for the total lack of respect for my intellect as a “target”.
Whether it is related or not, since my account was breached in the Adobe hack a few weeks ago I am surfing on a new, albeit little, wave of incoming phishing mails.
Over time phishing mails have become more convincing. There will be people fooled by the example on the right, I am sure (I received this example in my mailbox yesterday). The fear of having a substantial amount of money debited will make many at least check their accounts. Well, that is what they think they will be doing, but of course they are redirected to a totally different website altogether, this time something called myspringriver.com. The weakest link here is the human factor, of course.
The Adobe breach once more told us that most people do not understand the need to create strong and unique passwords: “123456”, “Password” etc. are among the most used. (NB I have been using LastPass as my multi-device secure password manager for two years and can wholeheartedly recommend it to all my readers. I had set a unique 20-character key for my Adobe account and, after being notified of the hack, just generated a new one.)
We will have to introduce new technologies to circumvent the human factor in securing the internet and its users. Not only for the password menace we have ended up with; see for instance Google's initiative.
We also need to establish technologies to ensure the authenticity of senders of mails. I tried PGPmail myself a few weeks ago, but apart from the issue that some recipients could not read my mail, it took a lot of effort to get others to adopt the same methodology so as to be able to send encrypted mails end-to-end. This approach is not ripe for mainstream use, so much is obvious.
For banks all this – hacked servers and websites, password sanity, authentication – poses a real problem. But what if we could use the e-mandates model in combination with the relatively secure authentication model of banks? Banks could set up the authentication layer to secure email clients based on the PKI and certificate strength of the e-mandates infrastructure that should be in place in 2015. This way banks can give something back to society as well.
NB To me this phishing mail was not very convincing to start with, for I do not have an AmEx card.