Keys to Aggressively and Effectively Protecting Your Organization from Phishing Attacks
Overview
Phishing is defined by the Financial Services Technology Consortium (FSTC) as a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them. In short, it is online fraud of the highest degree. For criminals, phishing has become one of the most common and most effective online scams. The schemes are varied, typically involving some combination of spoofed junk (spam) email, malicious software (malware), and fake Web pages to harvest personal information from unwitting consumers. Customers of well-known and lesser-known companies alike have fallen victim to this pervasive form of online fraud. Western Union, AOL, SunTrust, eBay, Amazon, PayPal, EarthLink, and Citibank are just a few of the many companies that have found themselves and their customers persistent targets of phishing attacks.
Phishing attacks can cost companies tens to hundreds of thousands of dollars per attack in fraud-related losses and personnel time. Even worse, the costs associated with damage to brand image and consumer confidence can run into the millions of dollars. The goal of any organization that is or may be targeted by phishers is to prevent or minimize the impact of phishing attacks. This can only be achieved by developing and implementing (using in-house or outsourced resources) a comprehensive phishing protection and response plan. In all cases, the plan's success hinges on solid support and ongoing communication throughout the entire organization. Key objectives of an effective phishing protection and response plan should include:
- Identification of the appropriate stakeholders, with their responsibilities clearly expressed
- Compatibility with existing processes and procedures. Your plan must work within the daily operational flow of business. Depending on the size of your organization and the availability of resources, the best decision may be to outsource.
- Creation of an effective internal and external communications process for the organization
- Creation of a solid phishing response escalation path
- Minimization or avoidance of negative customer experiences. Preserving consumer confidence in using online services is crucial.
- Reduction of financial losses associated with online fraud
- Proactive protection of your corporate reputation
During the six-month period ending February 28, 2006, Cyveillance detected phishing attacks against over 250 different brands in eight different industries across 13 countries.
Phishing attacks are growing at a torrid pace: the number of unique phishing websites detected by the APWG (Anti-Phishing Working Group) in December 2005 alone exceeded 7,000, a large increase over the previous two months. Phishing has a huge negative impact on organizations' revenues, customer relationships, marketing efforts, and overall corporate image.
A phishing protection plan should focus on four primary areas: Prevention, Detection, Response, and Recovery. High-level recommendations for each of the four areas are outlined in the following sections.
Prevention
Educate customers about phishing
All your customer communications should include clear messaging about phishing prevention. Create corporate policies for email content so that legitimate email cannot be confused with phishing. This includes emails, account statements, direct marketing materials, etc. Be very clear with your customers about the steps they should take if they have fallen victim to phishing or identity theft. Finally, be sure that your policies about phishing are prominently displayed on your organization's primary website.
Follow good customer email practices
Don't get too clever with marketing tactics. Use consistent email formats and practices for customer communications. Consistent email practices train your customers to know what to expect when they receive your email communications, increasing the likelihood that a customer will easily spot a fraudulent email.
Good email practices mean never including requests for personal information, attachments, hyperlinks, or obfuscated links (anchor text that shows one address while the link actually points to another). Standard, consistent email formats are best.
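The "never include" policy above is easiest to enforce if every outbound customer mailing is checked mechanically before it leaves the mail system. The following is an added example, not code from the Cyveillance paper: it parses a raw message, flags attachments, hyperlinks, obfuscated links (anchor text that is itself a URL but resolves to a different host), and phrases that read as a request for credentials. The phrase list in CREDENTIAL_PATTERNS and both sample messages are constructed for illustration.

```python
# Added example (not from the Cyveillance paper): lint outbound customer
# email against the "never include" policy. The credential phrases and the
# two sample messages below are constructed assumptions.
import email
import re
from email import policy
from html.parser import HTMLParser

# Phrases that amount to a request for personal information (assumed list).
CREDENTIAL_PATTERNS = re.compile(
    r"\b(password|pin|social security|ssn|account number|card number|"
    r"(?:verify|confirm) your (?:account|identity))\b",
    re.IGNORECASE,
)
# A URL in running text or in anchor text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    m = re.match(r"(?:https?://)?([^/:?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def lint_message(raw):
    """Return (kind, detail) findings; an empty list means the message is policy-clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for m in CREDENTIAL_PATTERNS.finditer(msg["Subject"] or ""):
        findings.append(("credential request", m.group(0)))
    for part in msg.walk():
        if part.is_attachment():
            findings.append(("attachment", part.get_filename() or "(unnamed)"))
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(body)
            for href, text in collector.links:
                findings.append(("hyperlink", href))
                # Anchor text that is itself a URL but points at a different
                # host is exactly the link obfuscation phishers rely on.
                if URL_RE.fullmatch(text) and _host(text) != _host(href):
                    findings.append(("obfuscated link", f"{text} -> {href}"))
            body = re.sub(r"<[^>]+>", " ", body)
        else:
            for url in URL_RE.findall(body):
                findings.append(("hyperlink", url))
        for m in CREDENTIAL_PATTERNS.finditer(body):
            findings.append(("credential request", m.group(0)))
    return findings


# Constructed sample: a policy-compliant statement notice.
GOOD_MESSAGE = """\
From: Example Bank <notices@examplebank.example>
To: customer@example.net
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Sign in by typing our address into your browser,
as always. We will never ask you for sign-in details by email.
"""

# Constructed sample: violates every rule (link, obfuscated link, credential request, attachment).
BAD_MESSAGE = """\
From: Example Bank <notices@examplebank.example>
To: customer@example.net
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please visit
<a href="http://examplebank-secure.example/login">https://www.examplebank.example/login</a>
and enter your password to verify your account.</p></body></html>
--b1
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(name, lint_message(raw) or "clean")
```

Run as a gate in the mailing pipeline, any non-empty result should block the send and be routed back to the marketing owner; the same checker can also score inbound samples, since a legitimate mailing and a phish that imitates it differ precisely on these points.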
Conduct a thorough audit and inventory of online assets
This includes registered domain names, both live and parked, plus all websites with their corresponding URLs that are owned by or affiliated with your organization. Having a complete, organization-wide inventory of all registered domains allows for fast identification of a newly registered domain that may be used as part of a phishing attack.
Stay abreast of all emerging trends and technologies being deployed by phishers to commit fraud. Particularly today, the news is filled with the latest phishing attacks on global corporations large and small. What's more, become familiar with professional groups and associations like the APWG, the Anti-Phishing Working Group (www.antiphishing.org). In addition, build an international network of contacts in the legal, government, and ISP communities. These resources will help to identify the sources of phishing attacks and get Web sites and accounts shut down quickly. Many of these attacks originate outside of the United States, so it's crucial to be prepared with a global escalation matrix.
Detection
Step 1: Obtain junk email from honey pot accounts.
Step 2: Use pre-sorted email feeds from Internet Service Providers (ISPs) and anti-spam companies.
Step 3: Filter both internally received spam and externally provided email feeds for attacks against your organization.
Step 4: Search the Web to identify any Web sites masquerading as your organization's Web site.
Step 5: Continuously monitor the Internet for suspicious new domain registrations and changes to existing domain registrations.
Step 6: Provide 24x7 coverage of your organization's Fraud Hotline and email inbox.
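The domain inventory from the audit step and the monitoring steps above (filtering spam feeds for attacks against your brand, watching new registrations) come together in one screen: every domain seen in a registration feed or extracted from a honey-pot spam URL is compared against what the organization actually owns. The following is an added example, not code from the Cyveillance paper. The inventory, brand tokens and feed entries are constructed, and it assumes single-label public suffixes (no co.uk-style suffixes) when reducing a host to its registrable domain.

```python
# Added example (not from the Cyveillance paper): screen newly registered
# domains and URLs harvested from spam feeds against the organisation's own
# domain inventory. The inventory, brand tokens and feed lines below are
# constructed; a real deployment would load them from the audit described above.
import re
import unicodedata

# Constructed inventory of registered domains (live and parked), in a fixed order.
OWNED_DOMAINS = ("examplebank.example", "examplebank-login.example", "example-bank.example")
# Brand strings that should never appear in a domain the organisation does not own.
BRAND_TOKENS = ("examplebank", "example-bank")
_DIGIT_GLYPHS = str.maketrans("01357", "olest")


def normalize_label(label):
    """Fold look-alike tricks so 'examp1ebank' and 'exarnplebank' compare equal to 'examplebank'."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    label = label.lower().translate(_DIGIT_GLYPHS)
    return label.replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Optimal string alignment (Damerau-Levenshtein) distance: one typo or swap = 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host_or_url):
    """Reduce a URL or hostname to its registrable domain.
    Assumption: single-label public suffixes only (no co.uk-style suffixes)."""
    m = re.match(r"(?:[a-z][a-z0-9+.-]*://)?([^/:?#@]+)", host_or_url.strip(), re.IGNORECASE)
    labels = (m.group(1) if m else "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host_or_url):
    """Return why a domain looks like an impersonation of the brand, or None if it does not."""
    domain = registrable_domain(host_or_url)
    if domain in OWNED_DOMAINS:
        return None
    sld = domain.split(".")[0]
    owned_slds = {o.split(".")[0]: o for o in OWNED_DOMAINS}
    if sld in owned_slds:                        # same name under another TLD
        return f"TLD swap of {owned_slds[sld]}"
    norm = normalize_label(sld)
    for owned_sld, owned in owned_slds.items():  # digit/letter look-alikes
        if normalize_label(owned_sld) == norm:
            return f"homoglyph of {owned}"
    for owned_sld, owned in owned_slds.items():  # single typo, transposition, dropped hyphen
        if osa_distance(owned_sld, sld) == 1:
            return f"typo of {owned}"
    for token in BRAND_TOKENS:                   # brand embedded in a longer name
        if normalize_label(token) in norm:
            return f"brand token {token!r} in unowned domain"
    return None


def screen_feed(entries):
    """Map each suspicious entry (domain or URL) to the reason it was flagged."""
    flagged = {}
    for entry in entries:
        reason = classify_domain(entry)
        if reason:
            flagged[entry] = reason
    return flagged


# Constructed feed: new registrations plus URLs pulled from honey-pot spam.
SAMPLE_FEED = [
    "examplebank.example",                        # our own, ignored
    "www.examplebank.example",                    # our own, ignored
    "examplebank.net",                            # TLD swap
    "examp1ebank.example",                        # homoglyph
    "exmaplebank.example",                        # transposition
    "http://examplebank-secure.example/login",    # brand token in longer name
    "https://weather.example/forecast",           # unrelated
]

if __name__ == "__main__":
    for entry, reason in screen_feed(SAMPLE_FEED).items():
        print(f"{entry}: {reason}")
```

Each flagged entry is a candidate for the takedown escalation path, and the reason string tells the analyst which trick was used. The ordering of the checks matters: an exact second-level match under another TLD is reported before the fuzzier homoglyph and edit-distance tests so that the most specific explanation wins.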
Response
[...] post an alert directly on your Web site with a brief description of the attack. Create a Phishing Site Summary Report after the site is successfully taken down; this report will provide important historical evidence for investigative purposes.
Legal actions pursued by law enforcement and commercial organizations such as AOL and Microsoft, coupled with significant improvements in investigative and forensics technologies will drastically increase the number of successful phishing prosecutions.
Recovery
Search the Web, message boards, and chat rooms to locate and retrieve your customers' stolen credit card and debit card numbers, login names and passwords, and other personal information compromised in the attack. Quick retrieval of this information reduces the overall cost of the phishing attack and significantly reduces customer attrition due to fraud-related events. Conduct a post-mortem on the attack to identify areas for improvement.
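Retrieved dumps from message boards and chat rooms are mostly noise; what matters is isolating the card numbers that are yours so those accounts can be blocked and reissued. The following is an added example, not code from the Cyveillance paper: it extracts digit runs from recovered text, keeps only those that pass the Luhn check and begin with one of the organization's issuer (BIN) prefixes, and reports them masked so the report itself does not become a new leak. The BIN prefixes and the sample dump are constructed; the numbers in it are the standard industry test numbers, not real cards.

```python
# Added example (not from the Cyveillance paper): sift text recovered from
# paste sites, message boards or chat logs for payment card numbers that the
# organisation issued. The BIN prefixes and the sample dump are constructed;
# 4111..., 5555... and 4242... are the usual industry test numbers.
import re

# Constructed: issuer (BIN) prefixes under which the organisation issues cards.
OUR_BINS = ("411111", "555555")
# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation; filters out order numbers and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep BIN and last four so the report is usable without re-exposing the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_our_cards(text):
    """Return masked PANs from `text` that pass Luhn and carry one of our BINs, in order found."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits) and digits.startswith(OUR_BINS):
            hits.append(mask(digits))
    return hits


# Constructed sample of the kind of text recovered from a carding board.
SAMPLE_DUMP = """\
fresh dump from the examplebank mailer, 100% live:
4111 1111 1111 1111 | 12/09 | J. Doe
4111111111111110 exp 03/08
5555-5555-5555-4444 exp 11/08
4242424242424242 other bank
order #1234567812345678 shipped, call 1-800-555-0199
"""

if __name__ == "__main__":
    for pan in find_our_cards(SAMPLE_DUMP):
        print(pan)
```

In the sample, the second line fails Luhn (a mistyped digit), the 4242 card belongs to another issuer, and the order number and phone number are rejected by the Luhn test and the length requirement respectively, so only two accounts go to the fraud team for blocking.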
About Cyveillance
Cyveillance provides online risk monitoring and management solutions to Global 2000 organizations. The company comprehensively monitors the Internet using patented technology to deliver early warning of risks to information, infrastructure and individuals. Armed with this actionable intelligence and Cyveillance's immediate corrective response capabilities, chief security officers can proactively protect their company's reputation, revenues and customer trust. Cyveillance counts over half of the Fortune 50 and three quarters of the top Fortune 500 companies in the financial services, pharmaceutical, energy, and technology industries as clients. For more information, call 1.888.243.0097 or email info@cyveillance.com.
Conclusion
Phishing is a problem that will be around for the foreseeable future. Phishing schemes continue to proliferate because they continue to work, becoming more sophisticated and better able to hide from detection. It makes good business sense to take a hard look at your company's readiness, ascertain your preparedness, and devise a solid, aggressive plan to combat the problem of phishing. Doing so is a win-win for the security professional, the customer, and the business as a whole.
04/06 Copyright 2006 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are trademarks or registered trademarks of their respective owners.