DIY Phishing has a Message for Business Continuity

Think you need advanced computer skills to set up a phoney bank website and fool people into giving you their money? Think again. DIY phishing is now on offer in kit form. Someone who knows how to set up a personal website or even a Facebook page probably has the level of know-how required to get started in fraud and identity theft. For business continuity, the threats are multiplied. Instead of having to deal (only) with specialised cybercriminals, organisations and their employees must now be wary of almost anyone and everyone. But is that such a bad thing?

An investigation by IBM into the growth of new phishing sites revealed that over 90 percent of the new phishing sites created in a single week (more than 3,000 of them) had been produced using kits. These sites are hosted on compromised servers, the top hosting countries being the US, the UK, Germany, Brazil and Canada, in that order. So now everyone can be a villain. But at the same time, everyone is also a target. Paranoia aside, a good information security strategy is to trust no one until proof of trustworthiness can be obtained. Sean Connery in the film ‘Entrapment’ said it well: ‘First we try, then we trust’.

The democratisation of cyber-crime underlines the requirement for everybody to be aware of information security procedures and to apply them correctly. Corporate use of IT firewalls and anti-virus software is good, systematic encryption of data is better, but getting each individual to consistently and adequately protect information is best. More generally, everybody needs to be in tune with business continuity as well, where cybercrime is only one of many threats. While DIY phishing may be a pain to deal with, the positive side is that it can help everyone understand the need to pay attention to all threats to continuity and productivity.