Why Not Spam the Phishers?

Phishing is the practice of tricking a victim into revealing personal data. The scammer uses the data to take control of online accounts belonging to the victim so they can be emptied or used to pursue some further criminal objective. The classic form of phishing involves sending a misleading email to many people in the expectation that some will be duped into clicking a link in the message that opens a webpage which looks like the login page for a genuine service. The victim then tries to log on, and so unwittingly reveals their username and password to the criminals behind the scam. The technique is so effective that there are now many variants, including:

  • smishing, where the bogus message is sent to the victim by SMS instead of email;
  • vishing, where the victim is initially contacted by a voice call; and
  • pharming, where an attempt to visit a genuine website is redirected to a scam site instead, typically by tampering with the name resolution that turns the genuine address into a destination.

Phishing is a worldwide problem of enormous scale, and tremendous resources are poured into educating consumers, blocking phishing messages and taking down fraudulent websites. The FBI Internet Crime Report for 2020 said they received well over twice as many complaints about phishing and its variants as about the next most common scam. This leads me to ask a simple question: why do we accept that we must only defend against phishing? Why not use the same simple techniques as the criminals to attack phishing websites instead?

Imagine a scenario where a bogus SMS message has been sent to thousands of customers of the same telco. The messages will be simple and identical; if you identify the pattern of the message once, then you know every other message matching that pattern is also fraudulent. The telco may block further instances of the message if the law allows them to. If a telco blocks the smishing messages it has protected its own customers, but the phishing website remains online and customers of other businesses may still be lured into visiting it. However, the fraudster’s message also included a useful piece of data: the URL of their phishing website. Websites, like any form of electronic communication, can be spammed. And surely there is no business better suited to robotically creating lots of artificial traffic than a telco.

If the phishing website is spammed in large enough volumes then the result is a denial of service attack, making the website unreachable by others. However, the fraudsters would soon recreate the webpage elsewhere and start directing new victims to the new URL instead. A much smaller volume of carefully crafted spam would be more effective. Robotically entering bogus personal data into the phishing web form would overwhelm the criminals behind the website, whose methods involve taking the data they receive and then manually logging on to other accounts. Even a large team of organized criminals will soon become ineffective if any user data they obtain from a successful phishing attack is drowned by thousands of instances of bogus user data. A properly designed robot could easily generate countless sets of user credentials that pass every superficial check, with usernames, passwords and phone numbers in the right formats, but which are useless in practice, so the criminals would have no way of telling them apart from genuine victims’ data except by trying them all. Each attempt made with a bogus credential is also a failed login at the genuine service, which is one more signal that service can use to block the source. The cost of the crime will have been driven up from the perspective of the scammers, but they are not able to steal any more to compensate, effectively making their criminal enterprise too unprofitable to continue.
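The two mechanical pieces of this argument, recognising a campaign from repeated messages and manufacturing decoy data that the criminals cannot cheaply filter out, can be sketched in code. What follows is an added illustration written for this page, not code from Commsrisk or from any telco. The sample messages, the telco name ExampleTel, the domains exampletel-billing.example and maps.example, the name lists and the UK-style 11-digit mobile number format are all constructed assumptions for the example.

```python
import random
import re
import string
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample traffic (hypothetical telco "ExampleTel", hypothetical domains):
# three copies of one smishing campaign that differ only in a tracking number,
# plus one genuine personal message that also happens to carry a link.
SAMPLE_MESSAGES = [
    "ExampleTel: your bill payment failed. Update your details at https://exampletel-billing.example/login?ref=8812",
    "ExampleTel: your bill payment failed. Update your details at https://exampletel-billing.example/login?ref=4471",
    "ExampleTel: your bill payment failed. Update your details at https://exampletel-billing.example/login?ref=0039",
    "Hi Sam, dinner at 8? https://maps.example/place/123",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def fingerprint(message: str) -> str:
    """Collapse a message onto its campaign template: case-folded, whitespace
    normalised, URLs replaced by <url> and digit runs by <n>. Copies of one
    campaign differ only in tracking numbers and victim identifiers, so they
    all map to the same template."""
    t = re.sub(r"\s+", " ", message).strip().lower()
    t = URL_RE.sub("<url>", t)
    return re.sub(r"\d+", "<n>", t)


def campaign_hosts(messages, min_copies: int = 2) -> dict:
    """Group messages by fingerprint and keep templates that carry a link and
    were seen at least min_copies times. Returns {template: [hostnames]}.
    A threshold this crude is the 'see the pattern once' test from the text:
    the one-off personal message never reaches it, but a legitimate bulk
    notification with a link would, which is exactly the edge case that
    makes liability the sticking point."""
    by_template = defaultdict(list)
    for m in messages:
        by_template[fingerprint(m)].append(m)
    hosts = {}
    for template, copies in by_template.items():
        if len(copies) < min_copies or "<url>" not in template:
            continue
        found = {urlparse(u).hostname for m in copies for u in URL_RE.findall(m)}
        hosts[template] = sorted(h for h in found if h)
    return hosts


# Decoy credentials. The name lists are constructed; anything that yields
# realistic-looking usernames will do.
FIRST_NAMES = ["sam", "priya", "olu", "maria", "chen", "amir", "hannah", "tomas"]
LAST_NAMES = ["okafor", "patel", "novak", "silva", "murphy", "yilmaz", "schmidt", "lee"]
PASSWORD_CLASSES = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%&*?"]


def decoy_credential(rng=None) -> dict:
    """One fake login that satisfies the cheap format checks a phishing kit or
    its operator could apply, but matches no real account: a name-style
    username, a 10-14 character password covering all four character
    classes, and an 11-digit UK-style mobile number (an assumption about the
    target telco's numbering plan)."""
    if rng is None:
        rng = random.SystemRandom()
    username = f"{rng.choice(FIRST_NAMES)}.{rng.choice(LAST_NAMES)}{rng.randint(10, 99)}"
    length = rng.randint(10, 14)
    chars = [rng.choice(cls) for cls in PASSWORD_CLASSES]  # one from each class
    chars += [rng.choice("".join(PASSWORD_CLASSES)) for _ in range(length - 4)]
    rng.shuffle(chars)
    phone = "07" + "".join(rng.choice(string.digits) for _ in range(9))
    return {"username": username, "password": "".join(chars), "phone": phone}


def passes_format_checks(cred: dict) -> bool:
    """The sanity filter a scammer might run to discard obvious junk. Decoys
    are built to pass it, so it cannot separate them from genuine victims."""
    ok_user = re.fullmatch(r"[a-z]+\.[a-z]+\d{2}", cred["username"]) is not None
    pw = cred["password"]
    ok_pw = 10 <= len(pw) <= 14 and all(any(c in cls for c in pw) for cls in PASSWORD_CLASSES)
    ok_phone = re.fullmatch(r"07\d{9}", cred["phone"]) is not None
    return ok_user and ok_pw and ok_phone


def expected_logins_to_first_real(n_real: int, n_decoy: int) -> float:
    """If the criminal works through the harvested entries in random order,
    the expected number of login attempts before the first genuine pair is
    (N + 1) / (r + 1) with N = n_real + n_decoy. One real victim among 999
    decoys costs about 500 attempts, each of them a failed login that the
    genuine service can see."""
    return (n_real + n_decoy + 1) / (n_real + 1)


if __name__ == "__main__":
    print(campaign_hosts(SAMPLE_MESSAGES))
    for cred in (decoy_credential() for _ in range(3)):
        print(cred, passes_format_checks(cred))
    print(expected_logins_to_first_real(1, 999))
```

The block deliberately stops short of submitting anything to a form: it produces the campaign template and hostnames, a batch of decoys that survive a format filter, and the dilution arithmetic, which is the part of the argument that can be checked offline. The fingerprint step also shows why the liability problem is real: a genuine bulk notification with a link collapses onto a single template just as a smishing campaign does, so the classifier that decides what gets spammed needs far more than a repetition count.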

It is a nice thought experiment, but there is one simple reason why no telco is currently willing to counter-spam this way: liability. It is almost always easier to do nothing than to do something, because if you do something then you are responsible for what you do. Fraudsters are unlikely to complain if their websites have been purposefully spammed, as that would likely mean revealing their identity and location. However, an automated technology designed to identify misleading messages and then robotically spam a URL in that message is bound to encounter edge cases where it is difficult to distinguish between a message that is genuine and one that is fraudulent. If a legitimate website was spammed it would likely cause a tremendous brouhaha about compensation and loss of business, as well as hurting the reputation of the telco.

However, this thought experiment may not always prove to be a flight of fantasy. Telcos have often declined to engage in blocking because of the potential liability if they ever blocked legitimate traffic. Laws are being changed in various countries to encourage blocking by specifying when a telco will not be held liable for the blocking of legitimate traffic. These laws are changing in response to the rising volume of spam and fraudulent messages and calls that have been received by consumers. The technology for identifying spam and fraud has improved but is unlikely to ever be 100 percent accurate, which is why the telcos want a change in law before they will take increased responsibility for blocking traffic. If the law surrounding that liability can change because of the perceived need for a more aggressive, technology-led solution to crime, then other laws can change to address other liabilities. It may seem unlikely now, but the robotic spamming of fraudulent websites will get serious consideration if other methods fail to curb phishing.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.