How to avoid phishing hooks: A checklist for your end users

So, how do you stop these attacks? Educating your users is the first step. Here is a checklist of basic recommendations to share with your end users to teach them how to avoid phishing schemes.

How to avoid phishing hooks

If you receive an unsolicited or unexpected email, pop-up message or instant message requesting personal or financial information, do not reply or click on the link in the message. Legitimate companies will never ask for your personal or financial information via email or instant messenger. If you are concerned about your account(s), contact the organization in the email using a telephone number you know is genuine, or by opening a new browser session and typing in the company's correct Web address. Do not cut and paste the link that came in the email message.

Regularly update and patch your Web browser(s). Recent browser vulnerabilities have been used as part of phishing attacks.

Never email personal or financial information. If you have to enter your information into an organization's Web site, make sure the site is secure. Check for a lock symbol in the browser bar or make sure the URL starts with "https." Unfortunately, phishers have found ways to duplicate such security indicators and therefore it's best to minimize online transactions as much as possible.

Install a Web browser tool bar to help protect you from known phishing Web sites. For example, EarthLink's ScamBlocker (http://www.earthlink.net/earthlinktoolbar) is a free browser toolbar that alerts a user when they visit a fraudulent Web page.

Install SpoofStick (http://www.corestreet.com/spoofstick), a browser extension that helps users detect spoofed Web sites. SpoofStick makes it easy to spot a spoofed Web site by prominently displaying the site's URL.

Use antivirus software on your workstation and regularly update it. Some phishing emails contain malicious software that can harm your computer or track your activities on the Internet without your knowledge. Antivirus software will prevent this type of software from being installed on your computer.

Send all phishing emails you receive to the following groups: Anti-Phishing Working Group (reportphishing@antiphishing.com) Federal Trade Commission (spam@uce.gov) The "abuse" email address at the company that is being spoofed (e.g., spoof@ebay.com) These groups use the information they collect on phishing attacks to shut down phishing Web sites and take legal action against phishers.

Phishing attacks are likely to become even more convincing and dangerous. Follow the above steps and you'll avoid getting hooked by an attack.

About the author
Steven Weil, CISSP, CISA, CBCP is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, Washington. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning, security assessments, and information security management. He can be reached at sweil@sla.com.

BROWSE BY TAG Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Email and Messaging Threats (spam, phishing, instant messaging) Chinese hacker attacks target Google Gmail accounts, top tech firms PDF attack code complicates security analysis, skirts detection Panda warns of American Express phishing scam Active PDF attacks target Reader, Acrobat zero-day vulnerability Yahoo login credentials at risk to hijacking attack The world's top 5 riskiest domains How to secure a .pdf file Top spammer gets four years in jail for stock fraud scheme New Zeus spam poses as Social Security statements Messaging security risks have upper hand on solutions Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CAPTCHA  (SearchSecurity.com) crimeware  (SearchSecurity.com) Operation Phish Phry  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Register of Known Spam Operations  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Sender Policy Framework  (SearchSecurity.com) spam cocktail  (SearchSecurity.com) spear phishing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary