Will New Domain Names Help Stop Phishing?

In 2011, phishing cost the financial industry alone an estimated 2.5 billion dollars, according to Avivah Litan, an Internet fraud analyst at Gartner, Inc.

The money is lost when victims fall for scams that trick them into thinking they are visiting a legitimate site when in reality they are being taken advantage of.

A typical scam may involve crafting an email that is identical to the template used by a bank or other financial institution. Due to the similarity of the mail’s appearance, the victim clicks a link that takes them to a site that is also identical in nature to the financial institution the criminal claims to represent.

Since everything looks right, the victim trusts the site and logs in using their account information, user name and/or password. However, instead of a successful login, the victim has just had their credentials stolen by the criminal who sent them the email in the first place.

Since everything looks legitimate, even down to the domain name, it’s no wonder so many people fall for this type of scam.

Can it be as simple as changing the domain name?

Clever criminals can easily make a domain name look like it belongs to a legitimate financial institution. For instance, a scam artist may register password-reset.com as a domain name. They can then create subdomains like paypal.password-reset.com, chase.password-reset.com, wellsfargo.password-reset.com or bankofamerica.password-reset.com.

Others play on the fact that people fail to read the URL completely, using bankofmerica.com or payal.com as ways to trick their victims into thinking that they are visiting the actual website. (In case you missed it, the a in America is missing, as is the p in pal.)

An email that tells the recipient to click on a link with this naming convention because their password needs to be reset could easily lure an unsuspecting victim into believing that the request is legitimate, especially when you take into consideration how often password databases are compromised these days.

Now the link and the domain displayed in the URL both look like the real thing.
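As an added illustration (not part of the original article), here is a defender-side check for the two tricks described above: a brand name used as a subdomain of an unrelated domain, and a registrable domain that is one or two characters away from the real one. The brand allowlist, function names and sample links are assumptions constructed for this example, and the "last two labels" rule is a simplification.

```python
from urllib.parse import urlsplit

# Assumed allowlist: brand label -> the brand's real registrable domain.
BRANDS = {b: b + ".com"
          for b in ("paypal", "chase", "wellsfargo", "bankofamerica")}

def registrable_domain(host):
    """Last two labels of the host. Simplification: a production check
    should use the Public Suffix List to handle suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, impersonated_domain) for a link found in an e-mail."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    if reg in BRANDS.values():
        return ("legitimate", reg)
    # Subdomain labels, also split on hyphens (e.g. "paypal-secure").
    tokens = {t for label in host.split(".")[:-2] for t in label.split("-")}
    for brand, real in BRANDS.items():
        if brand in tokens:  # brand name parked under someone else's domain
            return ("brand-in-subdomain", real)
    for brand, real in BRANDS.items():
        if 0 < edit_distance(reg, real) <= 2:  # near-miss spelling
            return ("typosquat", real)
    return ("unknown", None)

# Constructed sample links using the domains named in the article.
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://paypal.password-reset.com/login",
    "http://www.bankofmerica.com/reset",
    "http://payal.com/",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify(link))
```

The edit-distance threshold of 2 will also flag some unrelated short domains, so a hit is a reason to look closer rather than proof of phishing.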

To combat this method of trickery, the Internet Corporation for Assigned Names and Numbers, also known as ICANN, has made exclusive addresses available for businesses. So instead of dot-com, a business can register dot-paypal or dot-chase. The thought is that, without this exclusive name, the criminals who make their money off of phishing would have a more difficult time tricking their victims.

And many in the financial industry are quick to jump on this bandwagon. So far, ICANN reports that industry-leading companies have paid over 3.3 million dollars to secure their exclusive names, each one costing 185,000 dollars to register.

But the cost is worth it to the big players. According to Roland LaPlante, executive vice president and chief marketing officer at Afilias, “If someone goes to a dot-UBS site,” he said, referring to UBS AG, “you know you’re getting to your account on UBS.”

Is it really that simple?

While this may seem like a great solution, not everyone in the financial industry is convinced that it is the best for their business. Wells Fargo, for example, has not registered one of the new domains as of yet.

Citing the upfront investment cost and a concern that their online brand will suffer as a result, they are not planning to utilize the new top-level domain name for their company’s online presence. “When’s the last time you used a dot-biz or dot-info?” stated Beverly Butler. As the vice president for Wells Fargo’s digital channels group, she doesn’t see how this move will benefit the company.

Other financial institutions may also follow suit, especially the smaller ones who cannot afford to pay the upfront costs to register multiple names or who lack the capital to rebrand themselves in order to stay competitive.

For those on the fence, there is still time to plan their strategy. The new names won’t take effect until the second half of 2013, giving them the opportunity to weigh the pros and cons of staying with the old system or moving to the new one.

Let us know if you think this strategy will work to keep phishers at bay, or if it is just another gimmick that will soon be exploited.

Written by Jeff

  1. George Carlisle · August 27, 2012

    I think the solution is pretty simple: pay attention. It does not take a lot of time to CAREFULLY read the e-mail addresses for God’s sake. Seriously it definitely annoys me when people, even businesses, start talking about how they’ve become victims of “phishing,” giving away their passwords entirely for free and without sweat. I’d say, “Why don’t you go read who sent the e-mail to you first?”

    Here is another thing: give your bank or whatever business you’re talking to a call. Normally they send out mass e-mails to their subscribers or customers. They reach out not only to you.

  2. Bernie Sanchez · August 27, 2012

    Whoa! That’s a whole lot of money and definitely something small businesses can afford. I hope this website will also provide statistics on small businesses that have fallen victim to phishers. This way, we can really measure if this ICANN decision is logical. If there are several small businesses that are also affected by phishers, I don’t know how spending more than a thousand dollars can eventually help them. In fact, I could even believe that their start-up capital is way smaller than this investment on their domain name. At that point, this proposition is nothing but completely silly, out of this world, useless. Peace out!

  3. Karen · August 27, 2012

    Honestly this is so laughable. Seriously, spending hundreds of thousands of dollars for “domain name exclusivity?” Phishers are smart, you know. Otherwise, these people in the government could have already arrested the majority of them. Sooner or later, these phishers will eventually find out (or perhaps they already know about it, thanks for the special announcement, ICANN) and they will discover how to go around it. Should this happen, what will become of the “investment”? It goes poof! Nada! I will pity Paypal, Chase, and all these companies even if they have a lot of money to buy these special domain names.

  4. Sam Moran · August 27, 2012

    @George: Harsh words, George, harsh words. But you do make a lot of sense, though. But I guess one of the primary reasons why people don’t read e-mail addresses is because a panic attack overcomes them. “Who in the hell is trying to access my account?” That should scare you off.

    Honestly I’m hoping the government can help the industry by getting into the roots. Spending hundred thousand dollars for an exclusive domain name is just a band-aid solution. The main problem is phishing itself. Once it’s shaken down, no business has to spend that huge amount of money for protection.

  5. Nympha Robles · August 27, 2012

    @George, I definitely get your point, and I normally say or think the same thing. However, if you will read the article very carefully, it says that sometimes these phishers trick us with almost-similarly-spelled e-mail addresses. You have got to admit that sometimes the eyes can trick us, or perhaps our brain already fills out the details once we can read the first and the last letters or syllables. I would not really blame phisher victims for that. I can’t fully understand this move by ICANN, though it sounds promising. Needless to say, it’s a huge dent on the pockets.

  6. Michael Monner · August 28, 2012

    To answer the question, I don’t think it will solve the problem at all. You see, scammers will always have a way with things, and they’re going to figure out how to beat the new system. That would then be unfortunate to these huge companies who are spending a lot of money when they could have used it for something else, perhaps for more effective security protection. I think that the bulk of the responsibility comes from the users as well as the government. I know we have the law in place. It’s just a matter of implementing it correctly.

  7. Stephanie · August 28, 2012

    I think this is a novel move, something that would shake up phishers so they wouldn’t be able to attack people that easily. Hopefully ICANN and other concerned organizations can use the time to eventually put these scammers behind bars. What I’m concerned about, like most of the people here, is the cost of doing it. It’s too damn expensive, and we haven’t any news yet if this actually really works or not. So there’s a huge risk. If it fails, then it becomes one very costly mistake. I also agree with @Bernie. It’s an impractical system for small businesses that need protection too.