Spam and Viruses

Fighting the Phishing Scare

By Courtney Macavinta

Phishing has become a fact of life for Internet users -- at least one in four Web surfers in the United States alone have been targeted with "spoof" emails that attempt to steal their most sensitive data, according to a recent study by the National Cyber Security Alliance and America Online. The problem: 70% of those surveyed thought the emails were legitimate.

Phishing education and detection may be improving, but the techniques used to hook people are getting more sophisticated as well. Phishing is also still on the rise, as is "pharming," in which large numbers of Internet users click on a familiar link but are unwittingly directed to a bogus Web site. It's getting more difficult for many online users to distinguish between a genuine email from their bank, favorite store, service provider -- or even the IRS -- and a fraudulent email designed to get the reader to divulge personal or financial details. Divulging those details can lead to identity theft-related crimes. For CIOs, phishing is a threat that can degrade their company's reputation, customer trust, and employee safety simultaneously.

"Phishing is a big threat to the integrity of a brand," says Richi Jennings, lead email security analyst for Ferris Research. "If people get phished, that brand's value diminishes because people don't trust the brand. It's important for CIOs to look for phishing attacks -- and do something quickly."

Almost every notable brand has been "hijacked" in a phishing scam -- from Barclays to Bank of America, eBay, PayPal, and Visa. Gartner Inc. reported in June that 2.4 million online consumers said they lost money directly because of phishing attacks. A 2005 Consumer Reports survey found that consumers who lost money in phishing scams were swindled out of $400 on average. Even though most consumers are reimbursed by their bank or credit card company, the waning trust of consumers can have a detrimental impact on companies that want to interact with their customers online.

Employees getting "spear phished" should be of equal concern, analysts say. Spear phishers will send an email to all the employees at a company that appears to come from the organization itself. The message might be from "human resources" or the "IT department" asking for the recipient's system user name or password. The scams often aim to gain access to a company's network or payroll system, for example, or to drive recipients to a phony Web site -- just like traditional phishing emails. Spear phishing also threatens overall network security because it can lead to system hacking attempts and the spread of viruses.

To catch phishers before they snare customers or employees, CIOs can be proactive by:

  • Protecting your brand: "If you're under attack, your brand is under attack," says Avivah Litan, vice president and research director for Gartner Inc. Litan suggests that CIOs make sure their organizations are implementing universal black lists to block phishers, and that they identify spoof sites targeting their brands and have them taken down immediately.
  • Enforcing email best practices: Customers often fall for phishing scams because they've been sent emails in the past from a company that included links not from the company's primary domain. Ferris Research's Jennings says it's essential for CIOs to communicate with their organization's marketing department about best practices for sending customers emails. "Be sure that marketing isn't doing things to undermine anti-phishing techniques," he says, "or you could be training users that it doesn't matter if the message doesn't come from [your domain]." Another CIO best practice is to support email authentication standards, such as DomainKeys Identified Mail (DKIM), to help consumers and employees validate that an email from the organization is legitimate.
  • Ratcheting up security: All experts agree that to catch phishers who are targeting employees, enterprises must become proactive. "CIOs should support the organization's effort and technologies to beef up security for external users, and they need to protect their own internal employees," Litan says. The key is deploying antivirus, content filtering, and anti-spam solutions, and filtering and blocking known phishing sites at the Internet gateway.
  • Educating customers: Though security experts say CIOs can't rely on consumer education alone, it can help curb phishing. "Corporations that have a lot of customers are educating them that they'll never send an email asking you to update private information," Litan says. For instance, organizations can advise their customers that they will not request financial information -- such as account numbers -- via email, and can tell consumers never to click on links or attachments included in such emails. Also, companies such as eBay make a point of encouraging customers to report suspected phishing scams.
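The "links only from your primary domain" rule in the email best practices above can be enforced mechanically before a marketing message goes out. The following is an added example, not code from the article or from any of the firms it quotes; the primary domain and the sample message are constructed, and the check deliberately rejects lookalike hosts that merely contain the brand name.

```python
"""Outbound-email link linter: flags links that point outside the company's primary domain.

Added example for the article's advice. PRIMARY_DOMAIN and SAMPLE_EMAIL are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

PRIMARY_DOMAIN = "example-bank.com"  # assumption: the organisation's own domain


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def is_on_primary_domain(url, primary=PRIMARY_DOMAIN):
    """True only for http(s) links whose host is the primary domain or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # mailto:, javascript:, data: and scheme-less links are never accepted
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Anchor the suffix match on a dot so "example-bank.com.evil.net" is rejected.
    return host == primary or host.endswith("." + primary)


def offdomain_links(html_body, primary=PRIMARY_DOMAIN):
    """Return every link in an outbound email that leaves the primary domain."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [u for u in collector.links if not is_on_primary_domain(u, primary)]


# Constructed draft of a customer email, as marketing might hand it over for review.
SAMPLE_EMAIL = (
    '<p>Your statement is ready: <a href="https://www.example-bank.com/statements">view it</a>.</p>'
    '<p>Partner offer: <a href="http://promo.tracker-cdn.net/c?id=42">click here</a>.</p>'
    '<p>Verify now: <a href="https://example-bank.com.secure-login.net/verify">log in</a>.</p>'
)

if __name__ == "__main__":
    for link in offdomain_links(SAMPLE_EMAIL):
        print("OFF-DOMAIN LINK:", link)
```

Run against a draft before it is sent; anything printed is a link that would teach customers to follow off-domain URLs bearing your brand.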

Analysts say it's logical that decreasing phishing should be a primary CIO goal. "Protecting the brand is an important function for everyone within the organization," Jennings says. "The CIO needs to take the technical measures they can to protect their organization from threats."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News.com, Business 2.0, Red Herring, Wired News, and The Washington Post.
