New anti-"phishing" site may sink or swim
PhishTank, a new service from Internet-acceleration startup OpenDNS, wants to rid the Web of "phishing" emails - messages that pose as legitimate customer-service emails from banks and e-commerce websites and try to trick users into revealing their passwords. The site works by collecting examples of suspected phishing emails, and then relies on users to vote on them as legitimate or illegitimate.
The digerati are loving it: Georgia Tech student and former Yahoo intern Paul Stamatiou praises PhishTank for a simple phish-submission process and an open API, or application programming interface, which lets other websites and software makers tap into PhishTank's database of suspicious emails. "Once the PhishTank database grows, other sites can harness the data using open APIs which will remain free," writes Digital Inspiration blogger Amit Agarwal.
We hate to rain on the PhishTank parade, but that's a mighty big if. What's the incentive for ordinary users to report phishing emails? They're busy enough just deleting spam - and for mere mortals, the distinction between phishing email and spam is exceedingly fine. Our suggestion: Rather than relying on consumers to take time to sort through their emails and report suspected phishes - let alone vote on them after they're submitted - PhishTank should focus on making alliances with big email providers like Microsoft, Google, and Yahoo, to act as a central clearinghouse for anti-"phishing" data.
What's the incentive? People will want to use the PhishTank API for their next web app, product or plugin, so they would help out the community and report phishing sites they are aware of, thereby helping the PhishTank community and themselves as they use the service's API.
"What's the incentive for ordinary users to report phishing emails?"
Um, revenge? Phishers occupy an especially low stratum on the SPAM totem pole. I for one would love to report phishing e-mail if I thought it would do any good...
Your points are well taken. One of the motivations behind PhishTank is that we already have people sending in phish emails to our support address at OpenDNS. At the very least, this gives them a place where we can manage their awesome enthusiasm in a scalable way. But I'm confident it'll be much more than that for the benefit of a much wider audience.
I like the idea. I get so many phishing emails that I would be happy to do a bit of voting if this helps to get rid of them in the future.
To respond to Owen Thomas' point, "What's the incentive for ordinary users to report phishing emails?", it's the same idea as private citizens reporting crimes to law enforcement officials.
If someone writes an add-in that would let you simultaneously delete *and* report phishing mail, why not? With an API like this available, that's now possible.