The most effective way to combat phishing would be to educate users about identifying spam emails and refrain them from giving away personal info.
Did you ever receive an email where thinking that it was from a genuine
organization, you ended up giving your personal information? This is phishing
for you, which is also referred to as 'brand spoofing'. It is the act of
sending an email to a user, falsely claiming to be an established legitimate
enterprise. It is in an attempt to scam the user into surrendering private
information that will be used for identity theft.
The e-mail directs the user to visit a website where they are asked to update
personal information, such as passwords, credit card number and bank account
numbers, which the legitimate organization already has. The web site, however,
is bogus and set up only to steal the user's information. Government, banks,
financial institutions and online auctions/pay services are common targets of
phishers.
In
addition to the spoofed credentials, the email is usually HTML-based. To an
undiscerning eye, the email bears authentic trademarks, logos, graphics and URLs
of the spoofed company. In many cases, the HTML page is coded to retrieve and
use the actual graphics of the site being spoofed!
Because it is relatively simple to make a website look like a legitimate site
by mimicking the HTML code, the scam scores on people being tricked into
thinking they were actually being contacted by a legitimate company. They
subsequently go to its site to update their account information.
Phishing today is the fastest-growing segment of spam being sent worldwide,
victimizing both legitimate online companies, whose brands are being hijacked
and customers who unwittingly provide their personal information to criminals.
Educating customers about phishing
Can the phishing war be won? Customers could be educated not to trust these
emails, but phishers are getting more sophisticated, and emails more convincing.
Although education and awareness remain the important tools, it is not going to
be enough to combat this menace.
|
It is hence desired that banks and financial institutions, which are
typically targets to phishing, take control and protect their customers. There
are techniques that banks can deploy such as SSL/TLS protocol that secures the
link between customer's web browser and the bank.
Strong Authentication or One Time Passwords (OTP) are some more ways of
protecting customer identities. There are other tools, which users can deploy
based on proven behavioral technology. They help analyze the characteristics of
a web page in real time to determine if it is a spoof site and to deliver a
browser-based warning to consumers before they visit the fraudulent page.
It is the lack of awareness within the user fraternity that increases the
phishing threat. Basically the idea is that bait is thrown out with the hope
that while most will ignore the bait, some will be tempted into biting.
Securing enterprises from attacks
Solution providers can follow these two steps to safeguard their enterprise
customers from phishing attacks:Â
Adopt multi-layered approach: The only effective way to provide
long-term protection against spam is to take a multi-layered approach. This
combines layers of signatures, a variety of heuristics and basic blocking
techniques. Ideally, combinations of heuristic techniques (whether context,
neural networks, Bayesian or algorithm-based) should be used for maximum
detection and minimal false positives-which are emails incorrectly identified as
spam.
Deploy filtering in phases: As enterprises increase the number of spam
filtering mechanisms they have in place, the unintended consequence is that
spammers are now sending out even more messages in order to make a buck. It is
recommended to deploy filtering technology in phases to achieve a more precise
implementation that filters spam specific to department needs and reduces the
risk of false positives.
Tips for everyone
PHISHING GYANÂ DEFINITION: Sending an email pretending to be an established legitimate enterprise to scam the user into surrendering private information that will be used for identity theft
RECENT DEVELOPMENTS: 1. Formation of Phish Report Network, to immediately and securely report fraudulent websites to a central database. Initial participants are Microsoft, eBay, PayPal and Visa. 2. The Anti-Phishing Working Group, a pan-industrial and law enforcement association, focuses on eliminating fraud resulting from phishing and email spoofing
OPPORTUNITY FOR SOLUTIONÂ
PROVIDERS: 1. Deploy filtering technology in phases to achieve a more precise implementation that filters spam, specific to department needs. 2. Take a multi-layered approach that combines levels of signatures, a variety of heuristics and basic blocking techniques11. Don't respond to suspicious emails. A response only confirms the
accuracy of your email address and may result in even more spam.
2. Don't click on the link asking to be taken off the sender's list
in a suspicious email. Senders often use this as a ploy to confirm the
recipient's address, to send more spam.
3. Never submit your credit card or other personal information to
non-secure websites or even within pop-up windows. There should be a locked
padlock icon that appears in yellow, or in a yellow box, on the bottom bar of
the order form Web browser.
4. Use spam filtering or spam-blocking software.
5. Do not send your email address through chat rooms, instant message
services or Internet bulletin boards and newsgroups.
6. Do not give out your primary email address for online registration or
on e-commerce sites. Create another free email address to use more publicly.
7. Be wary of clicking on links in e-mail messages. Links in phishy
e-mail messages often take you directly to fraudulent sites, where you could
unwittingly transmit personal or financial information.
8. Even if the address bar displays the correct Web address, don't risk
being fooled. There are several ways for con artists to display a fake URL in
the address bar on your browser.
9. Type addresses directly into your browser or use your personal bookmarks to
update your account information or change your password.
Sunil Golani is Deputy GM, Technology Services, Ontrack Solutions