So, how do you stop these attacks? Educating your users is the first step. Here is a checklist of basic recommendations to share with your end users to teach them how to avoid phishing schemes.
|How to avoid phishing hooks|
|If you receive an unsolicited or
unexpected email, pop-up message or instant message requesting
personal or financial information, do not reply or click on the
link in the message. Legitimate companies will never ask
for your personal or financial information via email or instant
messenger. If you are concerned about your
account(s), contact the organization in the email using a telephone number you know is genuine, or by opening a new browser session and typing in the company's correct Web address. Do not cut and paste the link that came in the email message.
|Regularly update and patch your Web browser(s). Recent browser vulnerabilities have been used as part of phishing attacks.|
|Never email personal or financial information. If you have to enter your information into an organization's Web site, make sure the site is secure. Check for a lock symbol in the browser bar or make sure the URL starts with "https." Unfortunately, phishers have found ways to duplicate such security indicators and therefore it's best to minimize online transactions as much as possible.|
|Install a Web browser tool bar to help protect you from known phishing Web sites. For example, EarthLink's ScamBlocker (http://www.earthlink.net/earthlinktoolbar) is a free browser toolbar that alerts a user when they visit a fraudulent Web page.|
|Install SpoofStick (http://www.corestreet.com/spoofstick), a browser extension that helps users detect spoofed Web sites. SpoofStick makes it easy to spot a spoofed Web site by prominently displaying the site's URL.|
|Use antivirus software on your workstation and regularly update it. Some phishing emails contain malicious software that can harm your computer or track your activities on the Internet without your knowledge. Antivirus software will prevent this type of software from being installed on your computer.|
|Send all phishing emails you receive to
the following groups:
Phishing attacks are likely to become even more convincing and dangerous. Follow the above steps and you'll avoid getting hooked by an attack.
About the author
Steven Weil, CISSP, CISA, CBCP is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, Washington. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning, security assessments, and information security management. He can be reached at firstname.lastname@example.org.
This was first published in June 2005