E-mail policies -- A defense against phishing attacks

In this excerpt of Chapter 6 from "Phishing: Cutting the Identity Theft Line," authors Rachael Lininger and Russell Dean Vines explain how e-mail policies help protect companies from phishing attacks.

Phishing: Cutting the Identity Theft Line
By Rachael Lininger and Russell Dean Vines; 334 pages; $29.99; John Wiley & Sons



Interacting with customers

Not surprisingly, the first line of defense in the phish fight is the customer. Creating easily understandable standards for customer communications can go a long way in preventing a phishing attack and recovering quickly from one.


E-mail is currently the largest attack vector for phishing malware and ID theft exploits. This may change as Web sites increasingly employ advanced scripting techniques and automated functions, but e-mail is still the hands-down winner.

You can take a number of steps to protect your business from fraudulent e-mail, including the following:

  • Standardizing your communications with the customer
  • Implementing e-mail authentication

The following sections discuss these topics in more detail.


Standard customer communication policy

Even if you're not a financial institution, as an ISP or Internet company you should have a customer e-mail policy. Policy is one of those terms that can mean several things. For example, there are security policies on firewalls, which refer to the access control and routing list information. Standards, procedures and guidelines are also referred to as policies in the larger sense of a global information security policy. For example, a policy can provide protection from liability due to an employee's actions, or it can control access to trade secrets.

Companies need many types of policies, standards, guidelines and procedures. But what I'm talking about here is creating a standard for e-mails from the company to the customer, which doesn't use the types of phish hooks you see in a phishing e-mail. A standard customer communications policy should convey a consistent message and not confuse your customer.

Here are some basic customer e-mail policy standards:

  • Don't send e-mail in HTML format.
  • Don't send attachments.
  • Don't include or ask for personal information.
  • Use the full name of the user.
  • Don't include hyperlinks.
  • Use localized messages.
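One way to turn these standards into an automated check on outbound customer mail, as an added example (not code from the book): the linter below flags the HTML, attachment, personal-information, full-name and hyperlink rules; the rule names, the phrase list used to spot requests for personal information, and the sample messages are constructed assumptions, and the "localized messages" rule is left to the sending system.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Assumed phrase list: a verb asking the reader to act, followed within 40
# characters by a credential or account identifier.
PII_REQUEST_RE = re.compile(
    r"\b(confirm|verify|update|enter)\b.{0,40}"
    r"\b(password|pin|ssn|social security|account number|card number)\b",
    re.IGNORECASE | re.DOTALL,
)

def lint_customer_email(raw: bytes, customer_full_name: str) -> List[str]:
    """Return the sorted list of policy rules the message violates (empty = compliant)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    violations = set()
    body_parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no content of their own
        if part.get_content_disposition() == "attachment":
            violations.add("attachment")
        ctype = part.get_content_type()
        if ctype == "text/html":
            violations.add("html-format")
        if ctype.startswith("text/"):
            body_parts.append(part.get_content())
    body = "\n".join(body_parts)
    if URL_RE.search(body):
        violations.add("hyperlink")
    if PII_REQUEST_RE.search(body):
        violations.add("asks-for-personal-info")
    if customer_full_name.lower() not in body.lower():
        violations.add("missing-full-name")
    return sorted(violations)

def build_message(body: str, html: bool = False, attach: Optional[bytes] = None) -> bytes:
    """Build a constructed sample message (addresses are placeholders) for the linter."""
    msg = EmailMessage()
    msg["From"] = "support@example.com"
    msg["To"] = "customer@example.com"
    msg["Subject"] = "Your account"
    msg.set_content(body, subtype="html" if html else "plain")
    if attach is not None:
        msg.add_attachment(attach, maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()
```

Run `lint_customer_email` over a staged outbound message before it leaves the mail gateway; a non-empty result is the list of standards the message breaks.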


This was last published in May 2005



Sure, email standards make sense, and it makes sense to come up with a consistent format for communication with your company's clients. But what about the client's communications to you? You can ask them to follow a certain standard, but a lot of them aren't going to do it, at least not consistently. Getting our clients to actually do stuff right is a very common problem that our account managers deal with every day.
Good policies, certainly fine internally, but not enforceable in the real (outside) world. While my associate and I may behave, our clients won't. And it's not my associates who are liable to SPAM me.

Working in a visual world, much of our work depends on formatting. I can easily send test messages in-house, but clients will insist on looking their best at all times and that means well-formatted documents. How could I stop them, when I need to see what they're sending as they send it?

Our work is often launched based on attachments and started by checking hyperlinks. Yes, we could readily pick up files online, but not so easy for new clients who are more wary of the cloud than their own email. In our world, "For further information, look at http://...." is a standard line in virtually all of our communications.

The best we can do is be wary. We check. When emails seem suspicious or arrive unsolicited, a simple phone verification works. Time consuming, but often a new way to say hello to the client anyway.