Phishing continues to be one of the most prevalent Internet threats today. While large enterprises were previously the primary targets for such attacks, small and midsize businesses (SMBs) are now becoming popular targets because these companies often lack the ability to protect themselves. In Symantec's Internet Security Threat Report, 87,963 phishing hosts were detected in the second half of 2007, a 167 percent increase over the first half of 2007. Phishing hosts are computers that host one or more phishing Web sites: malicious sites designed to resemble legitimate Web sites.

In the past, phishing attacks on businesses were directed solely at larger enterprises. This is no longer so: small businesses are becoming targets because they often lack the resources to protect themselves, and a Web server belonging to a small company makes an ideal platform for phishers to use as a host, since small businesses often lack full-time administrative or security staff. However, all is not lost. There are a number of precautions that small businesses can take to reduce their exposure to this growing Internet threat. These steps begin with understanding what phishing entails, followed by educating employees and customers about the dangers of phishing.
Basic guidelines for recognizing and avoiding phishing traps include the need to:

- Know how phishing attacks work
  - Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain.
  - Phishers are groups or individuals who attempt to trick their victims into disclosing personal data, such as credit card numbers, online banking credentials, and other confidential information. The information can then be used to commit fraudulent acts.
  - In a common scenario, phishers send mass e-mail messages that appear to come from a legitimate company, and often try to evoke an emotional response to a phony crisis. Usually a request for sensitive information is made, sometimes directing the recipient to a spoofed Web page.
  - The Web page, like the e-mail, appears authentic because the phishers often use copyrighted images from the original site. In some instances, its URL has been masked so that even the Web address looks real.
  - Because the e-mail and its corresponding Web page look and feel bona fide, the phishers hope that at least a fraction of recipients will be fooled into submitting their personal data, such as passwords and user IDs, as they normally would on the legitimate site.
  - The phishers then use the data to defraud the victims, for example by emptying the victim's bank account, opening new accounts, or selling the information on the black market for a profit.
- Be cognizant of phishing attempts
  - E-mail messages asking for confidential information, especially those of a financial nature, are usually phishing attempts. Since the discovery of these attempts, financial institutions have discontinued the practice of asking for sensitive personal information via e-mail. In addition, e-mail messages from legitimate companies will not usually include links.
  - Should an SMB's employees receive such requests in an e-mail, the best thing to do is report the incident to anti-phishing organizations.
- Approach generic requests carefully
  - E-mail with generic-looking requests should immediately raise red flags. Spoofed e-mail messages are usually impersonal, often beginning with "Dear Sir" or "Dear Madam". Moreover, fake e-mail from financial institutions will often reference the business or an account they have with that institution.
  - The best way to work around these e-mail messages is to manually type the actual URL into the address bar of your browser, so you can be sure that you are accessing the legitimate site.
- Avoid embedded forms
  - Embedded documents or forms should be especially avoided. If employees submit confidential information on forms embedded in an e-mail message, that information is at risk of falling into the wrong hands. Never submit confidential information via forms embedded within e-mail messages.
  - Should employees need to submit corporate credit card numbers or other confidential information over the Internet, make sure they know the site is authentic and use encryption to secure the data.
  - If a Web page is encrypted, there should be a "locked" icon in one corner of the browser and the Web address will begin with "https" rather than "http". However, some phishing sites place fake lock icons on their pages, so make sure the icon is part of the browser's window frame and not part of the Web page itself.
  - Also, having the site's address begin with https does not necessarily mean the site is secure, or even authentic. Sophisticated phishers have begun using URL-masking techniques to mimic the secure addresses of actual companies.
  - If your employees are uncertain whether a site is legitimate, have an IT professional look into it or call the site's owner to confirm the URL's authenticity.
- Exercise restraint
  - Do not feel pressured into providing sensitive information. Phishers commonly employ scare tactics, and may threaten to disable an account or delay services until their targeted victims update certain information. Instead of giving in to such requests, contact the merchant directly offline to confirm the authenticity of the request.
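The advice above (type the real address yourself; https alone proves nothing) can be turned into a quick check that an IT professional runs on a suspicious link before anyone clicks it. This is an added example, not code from the original article; it assumes the business's own domain is `examplebank.test` (a constructed placeholder) and flags the masking patterns the article alludes to: a non-https scheme, a "name@host" part that hides the real host, a host outside the expected domain, and non-ASCII look-alike characters.

```python
from urllib.parse import urlsplit
from typing import List

# Constructed placeholder for the business's real domain (not a real site).
EXPECTED_DOMAIN = "examplebank.test"

def check_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> List[str]:
    """Return the red flags found in a link; an empty list means none were found.

    Only the address itself is examined; the page is never fetched."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # 1. Anything carrying sensitive data is expected to use https.
    if parts.scheme.lower() != "https":
        flags.append("scheme is not https")

    # 2. A user-info part ("name@host") puts a familiar name in front of the
    #    real host, which is what the browser actually connects to.
    if parts.username is not None:
        flags.append(f"text before '@' hides the real host {host!r}")

    # 3. The host must be the expected domain or a subdomain of it; a prefix
    #    match alone ("examplebank.test.something") is not enough.
    if not (host == expected_domain or host.endswith("." + expected_domain)):
        flags.append(f"host {host!r} is not under {expected_domain!r}")

    # 4. Non-ASCII letters in the host can be look-alikes for ASCII ones.
    if not host.isascii():
        flags.append("host contains non-ASCII look-alike characters")

    return flags
```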
As mentioned above, the new focus on small businesses poses a potential threat to these enterprises' well-being and their customer base. SMBs should take the following precautions in order to safeguard their brand and reassure their customers:

- Keep confidential information private
  - Businesses that are serious about their customers' security should never ask their customers to divulge confidential information. They should also let their customers know that they will never proactively ask for such information via e-mail.
- Lock Web sites and e-mail communication
  - It goes without saying that customers want to be sure their information is secure when they deal with any business. Organizations have the opportunity to secure customer deals and client loyalty by taking proactive measures to ensure that Web site and e-mail communications are completely secure and safe.
  - Several mechanisms are available today to promote customer security, including smart cards for strong authentication on Web sites, enhanced DNS (Domain Name System) records to verify e-mail senders' server addresses, and digital signatures to confirm the identity of e-mail senders.
- Maintain contact with customers
  - Take action by communicating proactively with customers. By posting regular messages on their Web site, businesses ensure their customers understand how they should expect to receive correspondence. It also gives customers information on how to contact the business if they come across any unusual or suspicious uses of that business's name.
- Continue vigilance
  - Businesses that keep up to date on the Internet security threat landscape will have an advantage with their customer base. By exercising proper brand management and awareness, and staying updated on the latest security hazards, businesses can control the deceitful distribution of their corporate brand on the Internet and secure their customers' interest and loyalty.
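The "enhanced DNS to verify e-mail senders' server addresses" mechanism above is, in practice, a DNS TXT record listing which server addresses may send mail for a domain, which the receiving mail server checks against the connecting IP. The evaluator below is an added example, not code from the article; it assumes SPF-style records (`v=spf1` with `ip4`, `ip6` and `all` mechanisms only, no `include` or `mx`), the records are constructed and embedded in a dictionary so nothing is looked up over the network, and the digital-signature mechanism the article also mentions is not covered.

```python
import ipaddress

# Constructed TXT records standing in for a real DNS lookup (no network here).
# examplebank.test: mail may only come from one IPv4 block and one IPv6 block.
# softfail.test:    one permitted server; anything else is only "suspicious".
TXT_RECORDS = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.test": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(sender_domain: str, sender_ip: str, records=TXT_RECORDS) -> str:
    """Evaluate the sender domain's record for the connecting server address.

    Returns one of: pass, fail, softfail, neutral, none."""
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)

    # Mechanisms are evaluated left to right; the first match decides.
    for term in record.split()[1:]:
        qual = "+"  # a mechanism with no prefix means "pass" on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]  # "all" matches every address
        if mech in ("ip4", "ip6"):
            try:
                # Membership is False (not an error) across IP versions.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qual]
            except ValueError:
                continue  # malformed argument; a full checker reports permerror
    return "neutral"  # ran off the end of the record without a match
```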
Every business needs to stay abreast of its own security threats. By continuing to monitor new phishing attacks and strategies, businesses can not only help their employees spot potentially devastating scams, but also reassure customers that they are making proactive efforts to ensure a safer online environment for transacting business. These steps will gain customer loyalty and earn businesses a reputation as a solid and secure business partner.

This article is extracted from ZDNet Asia.