The government is failing in its duty to educate the British public about Internet, email and IT security at a time when the risk has never been greater and the US government has embarked on a wide range of educational programmes.
The UK government has told Techworld it is concerned about new figures showing a rapid increase in the number of banking scam emails in circulation, but that it has no immediate plans to educate consumers about so-called "phishing" attacks.
A report from industry body the Anti-Phishing Working Group (APWG) said that 402 new, unique phishing messages were reported in March, up 43 percent from February and up about 90 percent from January. Another report, released on the same day by managed email provider MessageLabs, said the company's email filters had stopped nearly 216,000 phishing messages in March, up from 279 last September.
The Financial Services Authority, the government body responsible for dealing with banking fraud, agreed the messages pose a problem for the businesses targeted, as well as for consumers. "It is a problem that we are aware of," said spokesman David Cliffe. "This is always the way with criminals, they adapt as quickly as the technology evolves. They are always looking for the next main chance."
The FSA admitted that education was the key to stopping such scams - banks and online retailers never send out emails requesting account information, and once consumers learn this it will be difficult for phishing attacks to succeed - but said it has no plans for a public awareness campaign beyond putting some advice pages on its website. It argues that the banks' own anti-phishing campaigns are already promoting awareness.
"The banks themselves have been doing a lot of education on this matter, and it has received a good deal of publicity in the newspapers," said Cliffe. "There is a lot of awareness of the issue at the moment."
Compare this reticence to the United States, where Congress, the Federal Trade Commission and Department of Homeland Security are all actively promoting education of consumers and businesses regarding cybersecurity.
The FTC has an extensive security section on its website which has had more than 600,000 visits since launching a year-and-a-half ago. It also has a mascot called Dewie the e-Turtle which visits schools to educate kids about the risks and dangers of online communications.
The Department of Homeland Security has a National Cyber Security Division that promotes a notification system that alerts subscribers - two million and counting - to potential computer-related threats, such as virulent viruses or pervasive software holes. It also works alongside universities and business to get the service as up-to-date as possible.
A Congressional sub-committee is reviewing what more can be done to increase education among the public, and there have already been calls for higher-education scholarships and federally funded programs to train more technology workers.
The UK equivalent of the National Cyber Security Division, the National Hi-Tech Crime Unit (NHTCU), said it has been pursuing phishing scammers internationally. "This is an active investigation for us and as such I can't say too much, but we have been working with banks and law enforcement agencies over the last few months to track down and catch the criminals behind it," said a spokeswoman.
However, the unit said it is not engaging in public-awareness activities apart from its participation with the media.
Such complacency is not helping matters, says David Brunswick, technical director of Tumbleweed Europe, a secure messaging vendor which provides the technical infrastructure for the Anti-Phishing Working Group. "If you think of the signs police use for public awareness, like 'thieves operate in this area' - in the broadest sense, it's a similar kind of problem," he said.
Internationally, law enforcement has become better coordinated in recent months, allowing for faster action when phishing Web sites are detected, according to MessageLabs. A technical solution would be ideal, but fundamental limitations in the Internet make such a fix difficult to come by, according to security experts.
Currently, such definitive information requires an additional layer of security on top of standard email protocols, such as cryptographic email signatures, Brunswick noted. "There is the technology for doing that now, but there's also an education process involved - you have to educate the recipients to expect their email to be signed," he said. Alternative proposals, such as Microsoft's "Caller ID for Email", won't be used widely for upwards of two years, security experts said.