Security

10 Tips for Phishing Prevention

Here are some phishing protection tips to safeguard your company's network from attack and help your employees spot questionable requests for data.

Phishing is unlike any other malevolent threat prevalent on today’s Internet: viruses, Trojan worms, spam and spyware are mostly irritants at best and in some cases can cost you a little money. However, they are not a potential cause of immediate financial disaster the way phishing can be.

A typical phishing attack has several distinguishable aspects. Analogous to the real world, there is bait and a hook, and then there is a spoofed Web page waiting for an unsuspecting user to submit sensitive information.

The bait is usually a genuine-looking but fraudulent e-mail appearing to be from a trusted entity — a user’s bank or frequently visited auction site, for example. However, bait can also come in the form of instant messages, false advertisements on Web pages, and other forms of electronic communication. Several techniques, both psychological and technical, are used to make a user believe that the e-mail is genuine and trick him or her into doing what the sender wants, which is typically to click on a link in the e-mail or other message. This is where the hook comes into play.

Phishing e-mail almost always contains an embedded link that acts as a hook and leads victims to a phishing Web page — the raison d'être of the whole bait and hook deceit. This Web page is a near identical copy of a Web page of the trusted entity that is being impersonated, with a few crucial elements manipulated. It is generally a copy of a login page or a similar page with a Web form that elicits sensitive information. Everything looks genuine to a non-technical user; only an expert examining the source code would detect the fraud. Some advanced spoofs can also manipulate the URL shown in the address bar of the user’s browser to appear genuine.

At this point, if the user is deceived and submits the information requested on the form, it’s passed on to the counterfeiter and the phishing attack succeeds. The user has been successfully phished. There are two things a company can do to protect employees from phishing scams. The first is to make necessary changes to the IT policy to mandate key safeguards and to educate employees on how to avoid phishing attempts. The second is to implement technical mechanisms to spot and stop phishing e-mail and Web pages before they reach employees.

Employee Education on Phishing Prevention

Educating employees about the phishing phenomenon is imperative for overall protection. Employees who work remotely are becoming increasingly common, posing added risks. The possibility of remote employees’ systems being infected by keylogger or other malicious code via a phishing attack and then spreading the infection to the company network makes education critical.

Employee education should start with a simple test to evaluate awareness and knowledge of phishing. An easy way is to show employees a collection of known phishing attempts, along with genuine e-mail and Web pages, and ask them to identify the authenticity of each. The feedback from the test can be used for further training.

Then, teach employees these protective safeguards and include them in the company’s IT policy:

Never give out personal, financial or other sensitive information to anyone who requests it. Make sure that you’re using a secure Web site when submitting sensitive information. To make sure you’re on a secure Web server, check the URL in your browser’s address bar — it should begin with “https://” rather than the typical “http://”. Also, there should be a closed-padlock image in the browser’s status bar. To ensure that the padlock image is not fake, double click on it and examine the Web site’s security certificate.

Be suspicious of e-mail that requests sensitive information because most organizations stopped making such requests via e-mail long ago because this tactic is used in phishing and spoofing schemes. If an e-mail asks for sensitive information, it most likely is a phishing attempt.

Don’t click on links embedded in an e-mail that seems to come from a bank, financial institution or e-commerce vendor. In other words, for even a remote possibility of that e-mail being spoofed, don’t click on any links in it. Open a new browser window and manually type the site’s URL in the address bar.

Enter a fake password. When prompted for a password, give an incorrect one first. A legitimate site will not accept the fake, but the phishing site will.

Don’t fill in forms contained in e-mail that ask for sensitive information. Most responsible organizations don’t use an e-mail form for this purpose, as e-mail is not a secure medium. Submit such information only on secure Web sites.

Keep your browser and operating system up to date with the most current patches available. Phishing attempts exploit browser vulnerabilities to fool users and install malicious code. Take note of this, especially if using Microsoft Internet Explorer.

Thoroughly check your credit card and bank account statements regularly and look for any unauthorized charges.

Always use updated antivirus and firewall software to protect yourself from phishing attempts that try to surreptitiously install malicious software such as keyloggers on your machine.

When in doubt, check. If you doubt the authenticity of a message, check directly with the institution.

If you think you have fallen victim to a phishing attack, notify the Federal Trade Commission (www.ftc.gov) and the Internet Crime Complaint Center (www.ic3.gov) and immediately notify your bank, credit card companies and other stakeholders.

Based in Helsinki, Finland, S.G. Masood is an anti-phishing researcher at F-Secure Corp. (www.f-secure.com)

Apply these Technical Safeguards

The two components of a phishing attack — a spoofed e-mail and a spoofed Web page to collect sensitive data — are independent of each other and should be tackled separately. A comprehensive solution should address both components at the gateway and desktop level.

Gateway Level: Just like regular spam and malware, phishing e-mail should be stopped at the entry point, which is the SMTP gateway. Most anti-spam and anti-malware vendors have integrated anti-phishing protection in their gateway products. This effectively stops phishing e-mail from reaching users inside the network. Phishing Web pages can be filtered at the gateway using a Web proxy. Products that do this are not as commonplace in the market as SMTP gateway anti-phishing products for e-mail.

Desktop level: An anti-phishing product for e-mail clients on desktop PCs provides an additional safeguard. Client software can work either independently or in tandem with the gateway application and is a great way to protect employees who work from home or who notebook PCs.

Anti-phishing protection for browsers on desktops is also available through browser toolbars or plug-ins that intercept HTTP traffic requested by the user, examine it and take action when it detects a phishing attack. The plug-ins can block malicious Web pages or just warn a user that a page is a phishing attempt. Some of these products provide information to users about the domain and the URL of suspect pages, such as true domains and the countries of origin for site hosts, hosting provider details and any past record of having hosted phishing sites. Such information can help users make informed decisions about the authenticity of the Web pages they visit.

Most browser plug-ins depend on the browser for access to the HTTP traffic and for communicating their warnings and information to the user. But some desktop software takes a different but interesting approach, working independently from the browser and inspecting the HTTP traffic at the socket level. This makes them invulnerable to tactics used by phishers to exploit browser vulnerabilities to subvert them, among other advantages. Also, browser independence ensures that phishers can’t easily spoof the alerts and warnings generated by the anti-phishing programs, as they possibly can do with browser toolbars.