Phishing is a relatively new form of online fraud that focuses on fooling victim into providing sensitive financial or personal information to a bogus website that bears a significant resemblance to a tried and true online brand. Typically, victim provides information into a form on imposter site, which then relays information to fraudster.

Although this form of fraud is relatively new, its prevalence is exploding. From November 2003 to May 2004, Phishing attacks have increased by 4000%. Compounding issue of increasing volume, response rates for phishing attacks are disturbingly high, sometimes as high as 5%, and are most effective against new internet users who are less sophisticated about spotting potential fraud in their inbox.

Corporations should be concerned with following four issues:

1. Protecting employees from fraud
2. Reassuring and educating customers
3. Protecting their brand
4. Preventing network intrusions and dissemination of trade secrets

A failure to succeed in any of these areas could be catastrophic to a company’s ability to function in marketplace. If employees are not protected, company could be held accountable for not putting protections in place to prevent fraud. If a hacker impersonates a company, then company’s reputation and brand may be tarnished or ruined because customers feel that they can no longer trust organization with their sensitive information. And finally, latest trend in phishing has been to socially engineer employees or business partners to divulge sensitive trade secrets to hackers. The implications of employee login information getting into wrong hands could result in grave consequences once hackers are able to “log in” to an employee’s network account using VPN or PC Anywhere software.

Protecting Employees from Phishing

One of best ways to protect employees from Phishing is to prevent spam from ever getting to user’s inbox. Since most phishing attacks proliferate through unsolicited e-mail, spam filtering technologies can be very effective at preventing majority of phishing attempts.

New technologies are also available to help prevent phishing. One such technology offered as a standard by Microsoft and supported by CipherTrust is Sender ID Framework (SIDF), which prevents spammers from obfuscating their IP address by verifying source of each email.

Of course, spam filtering and SIDF cannot solve problem entirely. Many phishing attacks are actually sent on an individual basis to users not protected by cutting edge spam detection technologies. Other attacks are distributed through online email accounts such as Yahoo! Mail, Gmail, MSN, and others. In short, technology alone cannot solve phishing problem. Employees must be educated about phishing and how to spot fraudulent emails and websites.

Reassuring and Educating Customers

Once a consumer receives a fraudulent email that appears to come from a trusted company, he or she may never trust that company’s email communications again. That is damage that is not easily undone. It is essential that organizations communicate openly and frequently about how customers can identify legitimate email communications, and need to report fraudulent ones. For those organizations that frequently process consumer credit card transactions, it is recommended that a special section of site be devoted to helping customers avoid fraud.

Companies that make efforts to educate their customers about phishing are much less attractive targets than those who make no efforts at all. Some examples of organizations that have developed extensive policies around this issue are:

• USBank
• Wells Fargo Bank
• Ebay and PayPal
• Citibank

Protecting Company Brand

Each time a phishing attack is launched, a legitimate company’s trademark is tarnished and brand equity is eroded. The more attacks a company suffers, less consumers feel they can trust company’s legitimate email communications or websites. The value of this trust is difficult to quantify – at least until a company begins to lose customers. When customers no longer trust company’s ability to protect their personal information, they often defect to competitors or opt to use more expensive commercial options such as telesales or retail locations.

Clearly goal is to convince fraudsters that your customers will not fall for scam. This is why having an obvious anti-phishing program that is public for all to see can be very effective. The fraudsters tend to follow path of least resistance. Seeing that customers are well informed of how to avoid phishing attacks, perpetrators simply turn their attention to other “softer” targets.

Preventing Network Intrusions and Dissemination of Trade Secrets

Or: T*ake Y O U R email ba & ack + From Sp@mmers! 0400constrictor bubble snake informational

If you have a business, then you have a spam problem. The efficiencies of communicating through e-mail not only benefit organizations like yours; they also benefit spammers who profit off of sending pernicious e-mails to millions of people every day. In fact, spam is so cost-effective that it costs less than $0.0004 to send a single spam. That’s 25 emails for just one penny!

The Spam Problem

According to Meta Group, “Companies are routinely getting 20,000 daily spam messages, putting significant burden (e.g. bandwidth and storage consumption) on mail relays, SMTP gateways, and internal mail servers.”

To make matters worse, companies have invested millions of dollars in spam-fighting technologies that have been rendered obsolete within months of purchase by innovation of spammers who have found ways to thwart new technologies along way. Examples of spammer ingenuity abound. As recently as mid-2003 Bayesian logic was touted as immutable defense against spam, but by early 2004, most spam had evolved to be “Bayesian-proof”. There are even programs available for download on internet that will “test” your spam for you before you send it to make sure it will get past spam filters.

Clearly, solution is to partner with a company that specializes in fighting spam. Who you choose is a crucial step because you don’t want your solution to become obsolete within a few months, and you certainly don’t want to create a problem with false positives.

Criteria 1 – Diversity – The Cocktail Approach to Filtering Spam

The first step in addressing spam is identifying it. But, unlike viruses, spam identification is not straightforward. There is no “smoking gun” that clearly indicates to a detection system that a message is a spam. For instance, common approach of looking for keywords such as “Viagra” or “Free”, misses many spams. The method of blocking known spammer IP addresses lags and does nothing to deter determined spammers. Any effective spam detection system must employ multiple techniques for identifying and measuring probability that a message is spam including newer heuristic analysis and real-time collaborative spam filtering tools.

Criteria 2 – Flexibility – Different Strokes for Different Folks