Law enforcement has demonstrated that it's serious about cracking down on phishers, spammers and other nefarious cybercriminal activity, but now is the time for security organizations to launch an antiphishing program to protect customers and employees from the upcoming wave of attacks that will most certainly mark the holiday season.
Phishing is a nagging social problem that preys on users' trust in established brands and their confidence in the Internet. The classic phishing scam consists of a plausibly written email message containing a link to a phish website that looks like the real thing, but is designed to steal passwords and account numbers when the unsuspecting user authenticates. While law enforcement is part of the solution to breaking up phishing rings, IT needs to focus continuously on social countermeasures that blunt the effectiveness of phishing attacks.
Technical approaches help, but cannot prevent users from clicking through or being redirected to a phish site. The use of SSL and certificates can help prove to users that they are at the website they intended to visit, but is not much help in telling them when they are being phished. Security-aware DNS services can help reduce transparent redirects to phish websites, and antispam technology is essential for blocking the bulk of phishing-oriented email, but the sheer volume of attack messages makes it likely that some attacks will break through to user inboxes. Security technology cannot be everywhere, and user education is still the key to reducing the success rate of phishing attacks.
Even if you have ongoing user education, it's time to give employees and customers at least three antiphishing messages before the holidays. Holiday gift giving and the prospect of launching the New Year with a too-good-to-be-true deal will drive a spike in phishing attacks. A marketing rule of thumb is to "tell, tell, tell," because the listener needs to hear a message three times to remember it. Spend a few minutes looking at identified phishes to help create an antiphishing educational campaign that reaches its audience via email, video snippets and social communications such as blogs, Twitter and websites.
It is in everybody's best interest to identify and block phishing attacks as quickly as possible, before a customer, prospect or employee falls prey to an attack. Reach out to security vendors and organizations such as PhishTank to streamline communications when there is a suspected phish. Establish metrics for the number of phish inquiries received, the time taken to confirm or clear each one, and the number of phishing complaints to the customer service desk. Protect your business reputation and relationship with users by confirming phishing attacks as rapidly as possible so that security vendors can block access. Designate an antiphishing evangelist and offer that resource to employees and customers. The designated person is responsible for tracking phishing attacks against the company, responding to user inquiries about the legitimacy of corporate communications and coordinating policies and procedures among the security, IT, marketing, customer support and security vendor teams. It is important to have a go-to resource, especially for companies such as online merchants and financial institutions that are commonly phished.
The business model of phishing attacks works because trusting individuals click on a link and enter confidential information that can then be used for financial gain. The strongest recourse is to teach users to recognize the behavior of phishing attacks, to quickly confirm or clear a suspected phishing attack, and to evangelize continuously so the community stays aware of the major trends in phishing attacks and the recommended preventive actions. Security teams that start now have a chance to protect employees and customers alike for the holiday season and beyond.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.