Anti-Phishing Best Practices:

Keys to Aggressively and Effectively Protecting Your Organization from Phishing Attacks

Prepared by James Brooks, Senior Product Manager Cyveillance, Inc.

Anti-Phishing Best Practices

Overview
Phishing is defined by the Financial Services Technology Consortium (FSTC) as a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them. In short, its online fraud to the highest degree. For criminals, phishing has become one of the most common and most effective online scams. The schemes are varied, typically involving some combination of spoofed junk (spam) email, malicious software (malware), and fake Web pages to harvest personal information from unwitting consumers. Customers of well known and lesser-known companies alike have fallen victim to this pervasive form of online fraud. Western Union, AOL, SunTrust, eBay, Amazon, PayPal, EarthLink, and Citibank are just a few examples of the many companies who have found themselves and their customers persistent victims of phishing attacks.

Phishing attacks can cost companies tens to hundreds of thousands of dollars per attack in fraud-related losses and personnel time. Even worse, costs associated with the damage to brand image and consumer confidence can run in the millions of dollars. The goal of any organization that is or may be targeted by phishers is to prevent or minimize the impact of phishing attacks. This can only be achieved by the development and implementation (using in-house or outsourced resources) of a comprehensive phishing protection and response plan. In all cases, the plans success hinges on solid support and ongoing communication throughout the entire organization. Key objectives of an effective phishing protection and response plan should include: Identification of the appropriate stakeholders and their responsibilities clearly expressed Compatibility with existing processes and procedures. Your plan must work within the daily operational flow of business. Depending on the size your organization and availability of resources, the best decision may be to outsource. Creation of an effective internal and external communications process for the organization Creation of a solid phishing response escalation path Minimization or avoidance of negative customer experiences. Preserving consumer confidence in using online services is crucial. Reduction of financial losses associated with online fraud Proactive protection of your corporate reputation 1

During the six-month period ending February 28, 2006, Cyveillance detected phishing attacks against over 250 different brands in eight different industries across 13 countries.

Phishing attacks are growing at a torrid pace the number of unique phishing websites detected by APWG (Anti-Phishing Working Group) in December 2005 alone exceeded 7,000 a huge increase in unique phishing sites from the previous two months. Phishing has a huge negative impact on organizations revenues, customer relationships, marketing efforts, and overall corporate image.

Anti-Phishing Best Practices

A phishing protection plan should focus on four primary areas: Prevention, Detection, Response, and Recovery. High-level recommendations for each of the four areas are outlined in the following sections.

Educate customers about phishing All your customer communications should include clear messaging about phishing prevention. Create corporate policies for email content so that legitimate email cannot be confused with phishing. This includes emails, account statements, direct marketing materials, etc. Be very clear with your customers about the steps they should take if theyve fallen victim to phishing or identity theft. Finally, be sure that your policies about phishing are prominently displayed on your organizations primary website. Follow good customer email practices Dont get too clever with marketing tactics. Use consistent email formats and practices for customer communications. The use of consistent email practices trains your customers to know what to expect upon receiving your email communications, increasing the likelihood that the customer will easily spot a fraudulent email.

Prevention: Make Your Organization a Tough Target

Phishing is not a technology-driven problem. Phishing is first and foremost a human-driven problem that leverages technology. Therefore, phishers will attack trusted brands that provide the least resistance, enabling the highest return for their efforts. Your goal should be to make your organization extremely difficult for phishers to successfully mount an attack. To achieve this degree of difficulty an organization should follow all of the following steps: Establish ownership and accountability of the problem All too often, an organizations first reponse to a phishing attack is reactive and knee-jerk. The attack and its consequences become an organizational hot potato with ambiguity surrounding what to do next. Its crucial to identify a central authority before youre attacked with clear accountability for policy and action. It will streamline communications, critical in the throes of an attack. In addition, set up the appropriate Emergency Response Teams with clearly defined roles and responsibilities. Youll also want to create a Phishing Abuse Hotline or special inbox for customers and employees to report suspicious email messages. Educate employees about phishing Communicate early and often to your employees about your efforts to combat phishing. Make sure staff are well acquainted with the correct policies and procedures to use in the event of a phishing attack.

Good email practices mean never including requests for personal information, attachments, hyperlinks or link obfuscations. Standard, consistent email formats are best.

Conduct a thorough audit and inventory of online assets This includes Registered Domain Names both live and parked, plus all websites with their corresponding URLs that are owned by or affiliated with your organization. Having a complete, organization-wide inventory of all registered domains allows for fast identification of a newly registered domain that may be used as part of a phishing attack. 2

Anti-Phishing Best Practices

Stay abreast of all emerging trends and technologies being deployed by phishers to commit fraud. Particularly today, the news is filled with the latest phishing attacks on global corporations large and small. Whats more, become familiar with professional groups and associations like APWG, the AntiPhishing Working Group (www.antiphishing.org). In addition, build an international network of contacts in the legal, government, and ISP communities. These resources will help to identify the sources of phishing attacks and get Web sites and accounts shut down quickly. Many of these attacks originate outside of the United States, so its crucial to be prepared with a global escalation matrix.

Detection: Speed is Everything

Detection is central to any phishing protection and response plan. The speed of detection is crucial in limiting the amount of fraud losses caused by a phishing attack. Essentially, the longer a phishing site is live (and unnoticed) the more potential it has to cause damage. The steps of detection are shown in the table below and employ a number of strategies for detecting phishing attacks from junk email (spam). Fact is, the best protection from phishing is vigilance. The APWG reports that typical phishing sites are live for an average of 5 days, with some staying live much longer. The sooner a phishing site can be detected, the sooner it can come down. Effective detection methods can reduce the average phishing site takedown time from days to hours.

Table 1: The Six Key Steps to Detection

Step 1 Step 2

Obtain junk email from honey pot accounts. Use pre-sorted email feeds from Internet Service Providers (ISPs) and anti-spam companies. Filter both internally received spam and externally provided email feeds for attacks against your organization. Search the Web to identify any Web sites masquerading as your organizations Web site. Continuously monitor the Internet for suspicious new domain registrations and changes to existing domain registrations. Provide 24x7 coverage of your organizations Fraud Hotline and email inbox

Step 3

Step 4

Step 5

Step 6

Anti-Phishing Best Practices

Response: Communication is Key

Your organizations response to a phishing attack will ultimately determine the extent of the damage caused by the attack. Obviously, the faster a site is brought down the less damage it can cause. How your organization handles the phishing attack will directly impact the effectiveness of the phishing site takedown procedures. Steps to an effective response plan are outlined below: After a phishing site is detected and confirmed, immediately initiate site takedown procedures using your internal staff or outsourced service provider. 1. Assess the size and scope of the phishing attack. 2. Obtain information about the site and the ISP hosting the site. 3. Contact the ISP to request the site to be removedescalate to the ISPs local authorities as needed. 4. Maintain contact with the ISP until the site is brought down and is no longer a threat to your organization. Contact the appropriate individuals based on your organizations escalation procedures. Provide the URL of the detected phishing site(s) to ISPs and security companies. These companies use the URLs to block and/or alert their subscription-based members from gaining access to the fraudulent sites. Notify the appropriate legal authorities to report the crime. Alert your customers. The best way is to

post an alert directly on your Web site with a brief description of the attack. Create a Phishing Site Summary Report after the site is successfully taken down this report will provide important historical evidence for investigative purposes.

Recovery: Have the Process in Place

Recovery from a phishing attack can be just as important as responding to the attack itself. In this phase of your organizations phishing protection and response you need to focus on minimizing the impact of the phishing attack. The steps to an effective recovery plan are listed below: Once a site is shut down, work to gather all forensic information as well as any compromised customer data. Continue monitoring the site for at least ten (10) days to ensure the site doesnt go live again. Have drafted press releases and company statements prepared to address any external inquires from customer or the media regarding a phishing attack.

Legal actions pursued by law enforcement and commercial organizations such as AOL and Microsoft, coupled with significant improvements in investigative and forensics technologies will drastically increase the number of successful phishing prosecutions.

Anti-Phishing Best Practices

Search the Web, message boards, and chat rooms to locate and retrieve your customers stolen credit card and debit card numbers, login names and passwords, and other personal information compromised from the attack. The quick retrieval of this information reduces the overall cost of the phishing attack and significantly improves customer attrition due to fraudrelated events. Conduct a post-mortem on the attack to identify areas for improvement.

About Cyveillance
Cyveillance provides online risk monitoring and management solutions to Global 2000 organizations. The company comprehensively monitors the Internet using patented technology to deliver early warning of risks to information, infrastructure and individuals. Armed with this actionable intelligence and Cyveillances immediate corrective response capabilities, chief security officers can proactively protect their companys reputation, revenues and customer trust. Cyveillance counts over half of the Fortune 50 and three quarters of the top Fortune 500 companies in the financial services, pharmaceutical, energy, and technology industries as clients. For more information, call 1.888.243.0097 or info@cyveillance.com.

Conclusion
Phishing is a problem that will be around for the foreseeable future. Phishing schemes continue to proliferate because they continue to work, becoming more sophisticated and better able to hide from detection. It makes good business sense to take a hard look at your companys readiness, ascertain your preparedness, and devise a solid, aggressive plan to combat the problem of phishing. Doing so is a win-win for the security professional, the customer, and the business as a whole.

1555 Wilson Boulevard Suite 406 Arlington, VA 22209-2405

04/06 Copyright 2006 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are trademarks or registered trademarks of their respective owners.