Has The Strong Pound Made Britain The World’s Phishing Capital?

The UK attracts more phishers than anywhere else in the world, according to RSA, and it’s the leader by quite some way, largely because of how strong the pound is.

Speaking at the RSA Anti-Fraud Command Center in Tel Aviv, Israel, RSA, the security arm of storage firm EMC, estimated that in 2012, phishing attacks in the UK acquired $615,243,744 for the attackers. That’s well over twice as much as in the US, where they made $245,476,572.

RSA got these numbers by using what it claims are accepted industry figures, which suggest every hour a phishing attack is live, the affected bank loses $300. The industry reckons the median life span for a phishing attack is 11 hours 45 minutes, so every phish equals a loss of approximately $3,500. To get to its $615m figure for the UK, RSA just took the number of attempts it saw during 2012 and did the maths.

Phishing crooks cashing in

But how has such a small island become the phishing capital of the world, one where phishing victims lose almost three times as much as the US, which has over three times the population? According to Linor Kessem, technical lead for knowledge delivery at the AFCC, it’s largely because of how comparatively strong the UK currency is.

“It’s just worth it,” she tells TechWeekEurope. “All these other currencies are just not as good.

“Most fraudsters are from countries where the currency is way, way lower.”

There are other reasons for the phishing fun that goes on in the UK, of course. High Internet usage is another factor. What about British gullibility though? Do we simply simply fall for scams easier than others?

No, it’s simply that crooks want to get at British banks so badly, they’ve honed their phishing attacks accordingly, says Daniel Cohen, head of knowledge delivery at the centre. “It’s very easy to be gullible today… they create spitting images of legitimate websites.”

Perhaps what is most concerning, for British law enforcement at least, is these phishers have connections. Whilst many of them operate outside of the UK border, RSA knows they are working with crooks inside Britain to pilfer money from banks. And they aren’t just lowly money mules for foreign crooks, they’re doing the attacks themselves, Kessem says.

“It’s really interesting. Although there are a lot of criminals from the outside always going after banks, consumers and money in general, in the UK they need insiders, who really do the bulk of the work there,” she adds.

“It’s partly because of the accent. You can’t call a bank and sound weird. you have to sound like a local if you really want to make the transaction goes through.

“The fraudsters also know they will come up against two-factor authentication, so they are going to get people who work for the mobile providers. They know that they might need people to walk into the branch.

“We are seeing a lot of local fraud [in the UK] from people in the UK who are accomplices for people from the outside or to people in the UK too.”

Breaking the banks

When TechWeek took a tour of the AFCC, it was clear what Cohen was getting at when he said the fraudsters were getting awfully good at cloning sites to pilfer data.  RSA showed us one of the phishing attacks that had only just caught that day. The phishing page itself looked exactly like a major UK bank’s login page, one that your correspondent knows well, but as soon as a user typed in their credentials, it took them through to a webpage asking for a tonne of other details, such as address and contact details. That’s something the official bank site would never do.

As soon as RSA sees such attacks, it contacts the owner of the website, and the relevant ISPs and hosts, sending them cease and desist letters. They can do little more at this stage, but it should at least scare the attackers off. In the attempt on the UK banking customer, RSA had to contact a site that had been compromised to serve up the phishing page.

Analysts – computer science students brought in from nearby universities – identify phishing attacks, which are displayed on wall-mounted screens containing core pieces of information. That data shows which hosts are unwittingly helping to  run the illicit activity, including the likes of Amazon and Go Daddy, and the affected RSA customers.

Idan Aharoni, head of cyber intelligence at RSA’s Anti-Fraud Command Center in Tel Aviv, told TechWeekEurope his team saw illicit activity across the UK, but East London is home to plenty of nefarious online actions, largely because of its diverse population. “Relatively, in the more recent investigations we did, we saw the fraudsters located in the eastern part of London,” he said.

Are you a security pro? Try our quiz!