GUEST COMMENTARY

Phishing reels in big bucks from enterprises


Ira Winkler
12.03.2004


"There is a new phishing attack out now that everyone should be aware of." That line can be repeated every few weeks, and it refers to no specific "new" attack. It doesn't matter what the new attack actually is; at least the word is getting out that there is a problem.

Security professionals have to figure out what to do about these scams. Generally, phishing succeeds because the victim believes that the message comes from their bank, vendor, credit card company, etc. The attacks have been enabled because just about all organizations are trying to reduce costs by taking advantage of the Internet. They have taken the cheap way out and started distributing information, statements and other documents through e-mail.

There are security measures that could be taken and that the general public must get used to. For example, formal communications could carry a digital signature, so that the recipient can verify who sent the message and that it was not altered. There could be a third-party verification process through a trusted source embedded in all formal e-mail communications. If companies do want to continue to make use of e-mail, they have to make better use of available security technologies, but more importantly, they will have to educate their customers on how to use those technologies. This is not easy.

A recent Gartner Group study puts the financial losses from phishing attacks at more than $2 billion annually. Let's face it, phishing losses are only going to increase. Has anyone looked at the actual cost of mailing things out on paper? Is it more or less? Given that e-mail is costing companies billions a year via phishing fraud, that is a cost they have to include in their cost-benefit analysis of moving to e-mail.

Companies started moving toward electronic communications when they believed it was more economical than printing and mailing millions of pages of statements. Many companies communicate that way, but that decision was made before there was a real cost to sending out these e-mails.

Now there is a cost. As individuals get used to receiving business communications over the Internet, they will continue to believe messages that appear to be formal. Unfortunately, it is clear that criminals are very willing to take advantage of this social phenomenon.

It is time for the business world to take a serious look at the losses it has created through cost-cutting measures, and to figure out whether the losses are larger than the savings, or likely to start approaching those numbers. One solution is for companies to get ISPs to filter out attacks more effectively. To this day, it still amazes me how little ISPs do to protect their networks from being used as conduits for attacks.

As I mention in my Winkler Act article, ISPs should be required to better detect when zombie computers [that enable spam and phishing attacks] are sitting on their networks. I know that ISPs are considered a "publisher" under certain laws. That does not, however, mean that they have to be stupid and let their storage and bandwidth be used by criminals.

Businesses should start working with ISPs to get them to enact stronger misuse and abuse protections. It is clearly the criminals who are at fault. However, until we can completely eradicate them, which is unlikely, we need to require businesses to take protective measures if they want to enjoy the cost savings of moving to the Internet. We all end up paying for the criminals. I would prefer to pay for a fundamentally more secure system that prevents current and future attacks, instead of just paying for attacks as they occur.

About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.
