Phishing is unlike any other malevolent threat prevalent on today’s Internet: viruses, Trojan worms, spam and spyware are mostly irritants at best and in some cases can cost you a little money. However, they are not a potential cause of immediate financial disaster the way phishing can be.
A typical phishing attack has several distinguishable aspects. Analogous to the real world, there is bait and a hook, and then there is a spoofed Web page waiting for an unsuspecting user to submit sensitive information.
The bait is usually a genuine-looking but fraudulent e-mail appearing to be from a trusted entity — a user’s bank or frequently visited auction site, for example. However, bait can also come in the form of instant messages, false advertisements on Web pages, and other forms of electronic communication. Several techniques, both psychological and technical, are used to make a user believe that the e-mail is genuine and trick him or her into doing what the sender wants, which is typically to click on a link in the e-mail or other message. This is where the hook comes into play.
Phishing e-mail almost always contains an embedded link that acts as a hook and leads victims to a phishing Web page — the raison d'être of the whole bait and hook deceit. This Web page is a near identical copy of a Web page of the trusted entity that is being impersonated, with a few crucial elements manipulated. It is generally a copy of a login page or a similar page with a Web form that elicits sensitive information. Everything looks genuine to a non-technical user; only an expert examining the source code would detect the fraud. Some advanced spoofs can also manipulate the URL shown in the address bar of the user’s browser to appear genuine.
At this point, if the user is deceived and submits the information requested on the form, it’s passed on to the counterfeiter and the phishing attack succeeds. The user has been successfully phished. There are two things a company can do to protect employees from phishing scams. The first is to make necessary changes to the IT policy to mandate key safeguards and to educate employees on how to avoid phishing attempts. The second is to implement technical mechanisms to spot and stop phishing e-mail and Web pages before they reach employees.
Employee Education on Phishing Prevention
Educating employees about the phishing phenomenon is imperative for overall protection. Employees who work remotely are becoming increasingly common, posing added risks. The possibility of remote employees’ systems being infected by keylogger or other malicious code via a phishing attack and then spreading the infection to the company network makes education critical.
Employee education should start with a simple test to evaluate awareness and knowledge of phishing. An easy way is to show employees a collection of known phishing attempts, along with genuine e-mail and Web pages, and ask them to identify the authenticity of each. The feedback from the test can be used for further training.
Then, teach employees these protective safeguards and include them in the company’s IT policy:
- Never give out personal, financial or other sensitive information to anyone who requests it. Make sure that you’re using a secure Web site when submitting sensitive information. To make sure you’re on a secure Web server, check the URL in your browser’s address bar — it should begin with “https://” rather than the typical “http://”. Also, there should be a closed-padlock image in the browser’s status bar. To ensure that the padlock image is not fake, double click on it and examine the Web site’s security certificate.
- Be suspicious of e-mail that requests sensitive information because most organizations stopped making such requests via e-mail long ago because this tactic is used in phishing and spoofing schemes. If an e-mail asks for sensitive information, it most likely is a phishing attempt.
- Don’t click on links embedded in an e-mail that seems to come from a bank, financial institution or e-commerce vendor. In other words, for even a remote possibility of that e-mail being spoofed, don’t click on any links in it. Open a new browser window and manually type the site’s URL in the address bar.
- Enter a fake password. When prompted for a password, give an incorrect one first. A legitimate site will not accept the fake, but the phishing site will.
- Don’t fill in forms contained in e-mail that ask for sensitive information. Most responsible organizations don’t use an e-mail form for this purpose, as e-mail is not a secure medium. Submit such information only on secure Web sites.
- Keep your browser and operating system up to date with the most current patches available. Phishing attempts exploit browser vulnerabilities to fool users and install malicious code. Take note of this, especially if using Microsoft Internet Explorer.
- Thoroughly check your credit card and bank account statements regularly and look for any unauthorized charges.
- Always use updated antivirus and firewall software to protect yourself from phishing attempts that try to surreptitiously install malicious software such as keyloggers on your machine.
- When in doubt, check. If you doubt the authenticity of a message, check directly with the institution.
- If you think you have fallen victim to a phishing attack, notify the Federal Trade Commission (www.ftc.gov) and the Internet Crime Complaint Center (www.ic3.gov) and immediately notify your bank, credit card companies and other stakeholders.