Fighting Phish, Fakes and Frauds

The Internet makes identity theft almost laughably easy. Phishing - or the practice of sending e-mails and using fake Web sites that spoof a legitimate business in order to dupe unsuspecting customers into sharing personal and financial data - requires minimal effort and capital.

Fortunately, there are steps you can take to protect your company in the meantime.

BEST PRACTICES:

1. Publish your mail server addresses. Some vendors have already begun incorporating Sender ID into their products, so companies should make sure they record the IP addresses of their outbound mail servers with their ISP or domain name registrar. Companies already register their domain names and corresponding IP addresses so they can receive mail. Rounding up the IP addresses of all servers authorized to send mail on behalf of the company is a relatively simple step. Taking it will ensure that anyone using sender authentication can reject e-mails that attempt to spoof your company.
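To show what a receiving mail server does with a published list of authorized senders, here is an added example (not code from the article or from any vendor mentioned in it). It uses the SPF record syntax that Sender ID builds on rather than Sender ID's own record format, supports only the `ip4`, `ip6` and `all` mechanisms, and evaluates a constructed sample record against a sending IP address; the addresses in the sample record are made-up documentation ranges.

```python
import ipaddress
import re

# Constructed sample: the TXT record a company might publish listing the
# IP addresses of every server allowed to send mail on its behalf.
# "-all" tells receivers to reject mail from any address not listed.
SAMPLE_SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"

# qualifier (optional), mechanism name, optional ":value"
_TERM_RE = re.compile(r"^([+\-~?]?)(ip4|ip6|all)(?::(.+))?$")

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return a list of (qualifier, mechanism, value) tuples.

    Only ip4/ip6/all are supported in this example; anything else is
    rejected so a typo in the published record is noticed, not ignored.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        match = _TERM_RE.match(term)
        if not match:
            raise ValueError(f"unsupported term: {term}")
        qualifier, mechanism, value = match.groups()
        parsed.append((qualifier or "+", mechanism, value))
    return parsed


def check_sender(record, sending_ip):
    """Evaluate the record for one connecting IP.

    Returns "pass", "fail", "softfail" or "neutral". The first matching
    mechanism decides, which is why "-all" must come last.
    """
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        # Skip mechanisms for the other IP version entirely.
        if mechanism == "ip4" and ip.version != 4:
            continue
        if mechanism == "ip6" and ip.version != 6:
            continue
        if ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIER_RESULT[qualifier]
    # No mechanism matched and the record has no "all" term.
    return "neutral"


def should_reject(record, sending_ip):
    """Receiver policy: refuse mail that the published record explicitly fails."""
    return check_sender(record, sending_ip) == "fail"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.25", "203.0.113.9", "2001:db8:1::5"):
        print(ip, check_sender(SAMPLE_SPF_RECORD, ip))
```

A message arriving from 203.0.113.9 claiming to be from the company fails the record and is rejected, which is the spoof-rejection the paragraph describes; the cost to the company is only the one-off work of listing its real outbound servers.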

2. Educate customers. People who know about phishing stand a better chance of resisting a phisher's hook. "While you're waiting for the technology, the best defence is that a consumer has heard of phishing," says Patricia Poss, an attorney with the Bureau of Consumer Protection at the US Federal Trade Commission. "They're going to think twice" about replying to any e-mail or pop-up that requests personal information.

Warn your customers about the dangers of phishing; let them know you'll never ask for their account number, password, Tax ID number or any other personal information via e-mail. Encourage them to avoid clicking on e-mail links to reach you; they should instead type your company's URL directly into a new browser window.

PayPal interrupts its own log-in screens periodically with a phishing warning. "Users have to click through [the warning] to get to the main screen," Miller says. A Security Centre on PayPal's site includes an e-commerce safety guide, fraud protection tips for buyers and sellers, a link to let users report spoof e-mails, and a prominent reminder to log into PayPal by opening a new browser window and typing in the URL.

A target of phishers since early 2003, EarthLink also focuses its efforts on increasing customer awareness, says Linda Beck, executive vice president of operations for the ISP. In addition to creating customer education pieces, EarthLink developed its own ScamBlocker toolbar, which it offers free to anyone on its Web site. ScamBlocker relies on a blacklist of known phisher sites to warn users when they attempt to access a site on that list. (In fact, EarthLink shares blacklist data with eBay, which has its own antifraud toolbar.) EarthLink's education efforts and its investment in developing ScamBlocker appear to be paying off. Although it once got 40,000 calls per attack, EarthLink's call centre now fields from 10,000 to 12,000 phisher-related calls per month. As a result, the cost per attack has fallen from a peak of $US115,000 to a little more than $US40,000.

Companies can also point customers to a free browser extension known as SpoofStick, which can be downloaded at www.corestreet.com/spoofstick. SpoofStick helps users detect a spoof; visiting a spoofed eBay site, for example, brings up a toolbar message along the lines of "You're on 10.19.32.4" instead of "You're on eBay.com".
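The following is an added example of the kind of check a toolbar like SpoofStick performs; it is not SpoofStick's code and the message wording merely copies the article's illustration. It takes the URL the browser actually loaded, extracts the host the browser connected to (Python's `urlsplit` already discards any user-info and port), and flags a raw IP address or a host outside the domain the customer expects. The expected domain, `ebay.com`, and the sample URLs are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit


def true_host(url):
    """Return the host the browser actually connects to, lowercased."""
    host = urlsplit(url).hostname  # strips scheme, user-info, port, path
    if not host:
        raise ValueError("URL has no host")
    return host


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def belongs_to(host, expected_domain):
    """True when host is expected_domain itself or a subdomain of it."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def spoof_warning(url, expected_domain):
    """Return (message shown to the user, suspicious flag).

    The message always names the real host, so a customer who thinks
    they are on eBay sees an address instead of eBay.com.
    """
    host = true_host(url)
    message = f"You're on {host}"
    suspicious = is_ip_literal(host) or not belongs_to(host, expected_domain)
    return message, suspicious


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, two that only look genuine.
    for url in (
        "https://signin.ebay.com/ws/eBayISAPI.dll",
        "http://10.19.32.4/ebay/signin.html",
        "https://www.ebay.com.example.net/signin",
    ):
        print(spoof_warning(url, "ebay.com"))
```

The decisive design choice is to report the host from the parsed URL rather than anything on the page itself: page content is under the attacker's control, the host the browser resolved is not, so the message cannot be dressed up to read "eBay.com".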

3. Establish online communication protocols. Now that phishing has become a fact of life, companies need to be careful about how they use e-mail to communicate with customers. In May, Wachovia's phones started ringing off the hook after the bank sent customers an e-mail instructing them to update their online banking user names and passwords by clicking on a link. Although the e-mail was legitimate (the bank had to migrate customers to a new system following a merger), a quarter of the recipients questioned it. Frankly, Wachovia should have known better.

As Wachovia discovered, companies need to think clearly through their customer communication protocols. For example: all e-mails and Web pages should have a consistent look and feel, all e-mails should greet customers by first and last name, and a company shouldn't ask for personal or account data via e-mail. If any time-sensitive personal information is sent through e-mail, it has to be encrypted. Although e-mail marketers may wring their hands at the prospect of not sending customers links that take them directly to targeted offers, instructing customers to bookmark key pages or linking to special offers from the home page would be a lot more secure.

It also makes sense to revisit what customers are allowed to do on your Web site. They should not be able to open a new account, sign up for a credit card or change their address online with just a password. Although stronger authentication is ideal (see number 6), at minimum companies should acknowledge every online transaction through e-mail and one other method of the customer's choosing (such as calling the phone number on record) so that customers are aware of all online activity on their accounts. And to prevent phishers from copying your online data capture forms, don't put them on your Web site for all to see. Instead, require secured log-in to access e-commerce forms.
