Phishing is a relatively new form of online fraud that focuses on fooling a victim into providing sensitive financial or personal information to a bogus website that bears a significant resemblance to a tried and true online brand. Typically, the victim enters the information into a form on the imposter site, which then relays it to the fraudster.
Although this form of fraud is relatively new, its prevalence is exploding. From November 2003 to May 2004, phishing attacks increased by 4000%. Compounding the issue of increasing volume, response rates for phishing attacks are disturbingly high, sometimes as high as 5%, and the attacks are most effective against new internet users who are less sophisticated about spotting potential fraud in their inbox.
Corporations should be concerned with the following four issues:
- Protecting employees from fraud
- Reassuring and educating customers
- Protecting their brand
- Preventing network intrusions and dissemination of trade secrets
A failure to succeed in any of these areas could be catastrophic to a company’s ability to function in the marketplace. If employees are not protected, the company could be held accountable for not putting protections in place to prevent fraud. If a hacker impersonates a company, then the company’s reputation and brand may be tarnished or ruined because customers feel that they can no longer trust the organization with their sensitive information. And finally, the latest trend in phishing has been to socially engineer employees or business partners into divulging sensitive trade secrets to hackers. Employee login information getting into the wrong hands could have grave consequences once hackers are able to “log in” to an employee’s network account using VPN or PC Anywhere software.
Protecting Employees from Phishing
One of the best ways to protect employees from phishing is to prevent spam from ever reaching the user’s inbox. Since most phishing attacks proliferate through unsolicited e-mail, spam filtering technologies can be very effective at preventing the majority of phishing attempts.
New technologies are also available to help prevent phishing. One such technology, offered as a standard by Microsoft and supported by CipherTrust, is the Sender ID Framework (SIDF), which prevents spammers from obfuscating their IP address by verifying the source of each email.
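To make concrete what “verifying the source of each email” means, the following is an added example (not CipherTrust’s or Microsoft’s code) of a simplified Sender ID/SPF-style check in Python: the connecting IP is evaluated against the domain’s published spf1 record, and the result tells the gateway whether the sender is authorized. The records and addresses are constructed for this example; a real implementation looks the record up in DNS, derives the domain from the message’s Purported Responsible Address, and supports the full mechanism set (include, a, mx, exists).

```python
import ipaddress

# Constructed stand-in for DNS TXT records: domain -> published sender policy.
# These domains and address ranges are documentation examples, not real senders.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Result for a matching mechanism, keyed by its qualifier ("+" is the default).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_policy(domain, records=SAMPLE_RECORDS):
    """Return the published policy for a domain, or None if it publishes none."""
    return records.get(domain.lower())


def check_sender(client_ip, sender_domain, records=SAMPLE_RECORDS):
    """Evaluate the connecting IP against the sender domain's policy.

    Returns 'none', 'pass', 'fail', 'softfail', 'neutral' or 'permerror'.
    Only the ip4, ip6 and all mechanisms are implemented (assumption: the
    simplified checker treats any other mechanism as a permanent error).
    """
    policy = lookup_policy(sender_domain, records)
    if policy is None:
        return "none"          # domain publishes no policy: nothing to verify
    terms = policy.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"     # malformed record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]   # catch-all, usually "-all"
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"
    return "neutral"           # no mechanism matched and no "all" term
```

A gateway would typically reject or quarantine mail with a "fail" result and tag "softfail" for the user, which is what stops a forged From-domain from reaching the inbox.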
Of course, spam filtering and SIDF cannot solve the problem entirely. Many phishing attacks are actually sent on an individual basis to users not protected by cutting-edge spam detection technologies. Other attacks are distributed through online email accounts such as Yahoo! Mail, Gmail, MSN, and others. In short, technology alone cannot solve the phishing problem. Employees must be educated about phishing and how to spot fraudulent emails and websites.
Reassuring and Educating Customers
Once a consumer receives a fraudulent email that appears to come from a trusted company, he or she may never trust that company’s email communications again. That is damage that is not easily undone. It is essential that organizations communicate openly and frequently about how customers can identify legitimate email communications and where to report fraudulent ones. For those organizations that frequently process consumer credit card transactions, it is recommended that a special section of the site be devoted to helping customers avoid fraud.
Companies that make efforts to educate their customers about phishing are much less attractive targets than those that make no effort at all. Some examples of organizations that have developed extensive policies around this issue are:
Protecting Company Brand
Each time a phishing attack is launched, a legitimate company’s trademark is tarnished and its brand equity is eroded. The more attacks a company suffers, the less consumers feel they can trust the company’s legitimate email communications or websites. The value of this trust is difficult to quantify – at least until a company begins to lose customers. When customers no longer trust a company’s ability to protect their personal information, they often defect to competitors or opt to use more expensive commercial channels such as telesales or retail locations.
Clearly the goal is to convince fraudsters that your customers will not fall for the scam. This is why having an obvious anti-phishing program that is public for all to see can be very effective. Fraudsters tend to follow the path of least resistance. Seeing that customers are well informed about how to avoid phishing attacks, perpetrators simply turn their attention to other “softer” targets.
Preventing Network Intrusions and Dissemination of Trade Secrets