Beware Phishing Emails
Written on the 1st of May 2008 by Scott Jones -IT Leaders-
What is Phishing?
Phishing (derived from "fishing") is a fraudulent electronic attempt to obtain valuable information from people. It often takes the form of emails that appear to come from legitimate sources (for example, your bank, eBay or Google AdWords) and that try to trick the recipient into visiting a website and entering personal information such as login details, credit card numbers or PIN numbers.
How Common is Phishing?
In the past six months, the content filtering group at IT security experts Trend Micro examined over 6.5 million samples of spam and discovered that between 3 and 8 per cent of them were related to phishing or other attempts at crimeware. That's one phishing attempt for every thirteen spam mails received!
What can organizations and individual users do to protect themselves against phishing attacks?
"Businesses and end users who adopt phishing protection best practices can realize numerous benefits," according to Dave Rand, chief technology officer of Internet Content Security at Trend Micro.
"Following such practices can reduce exposure to fraudulent e-mails and Web sites, and avoid financial losses. Businesses employing these best practices can also help increase their overall customer confidence, avoid litigation, protect their brand reputations, and avoid damage to costly IT systems. Consumers can defend their personal and financial reputations, which can be seriously damaged as a consequence of identity theft."
"The existence of underground phishing ecosystems and the large financial profits gained through botnets have transformed phishing into a worldwide organized crime undertaking," explained Rand. "Profits for phishing cyber criminals have ranged from tens of thousands to millions of dollars. On their side, businesses and consumers are greatly affected by significant financial losses and other short- and long-term damage to their overall financial health, brand, and reputation."
Businesses and consumers can protect themselves from the devastating effects of phishing due to botnet activities in two ways: educating themselves about phishing techniques and employing technology solutions that combat phishing. The following checklist is a general best practice prescription for guarding against malicious threats:
Businesses & Consumers Should:
1. Always install, update, and maintain firewalls and intrusion detection software, including those that provide malware/spyware security.
2. Get at least an annual Security Audit of your network.
3. Ensure you have the latest version of your Web browser, and install security patches when they're available.
4. Practice awareness when receiving e-mails that ask for your account details; it's easy to call and confirm before sending anything.
5. Only open e-mail attachments from trusted parties.
6. Never click on links in suspicious e-mails.
7. Report suspicious e-mails to appropriate authorities, such as the Anti-Phishing Working Group or the Trend Micro Anti-Fraud Unit (antifraud@support.trendmicro.com).
8. Regularly read the latest news and information regarding phishing. (A good resource is Trend Micro's Phishing Encyclopedia.)
Business users should also have their IT Provider:
1. Monitor logs from firewalls, intrusion detection systems, DNS servers, and proxy servers on a daily basis for signs of infection.
2. Establish rigorous password policies for clients, servers, and routers - and enforce them.
3. Ensure that only approved devices may connect to the organization's network.
In terms of specific technologies, businesses and consumers alike should look for layered solutions that protect against both sending (that is, becoming an unwitting accomplice to propagating spam) and receiving phishing emails. From a business perspective especially, layered solutions should also offer content protection at the client side, or end points, and at the network gateway, as well as monitor network behavior. This guards against "rogue" devices such as laptops and notebooks, which are not always under administrators' control and may not have adequate or updated threat protection installed, infecting the entire network.
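The daily log review from the IT provider checklist, applied to the "sending" case described above, as an added example that is not part of the original article: it flags internal machines, other than the approved mail server, that try to reach many outside mail servers on port 25. The log layout, addresses, approved relay and threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed site policy: only the approved mail server sends SMTP to the internet.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
APPROVED_RELAYS = {ipaddress.ip_address("192.168.1.10")}
SMTP_PORT = 25
MAX_DISTINCT_DESTS = 3  # more external mail servers than this gets a host flagged

# Hypothetical log layout: "<time> <action> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^\S+ (?:ALLOW|DENY) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
2008-05-01T09:00:01 ALLOW TCP 192.168.1.10:40001 -> 203.0.113.5:25
2008-05-01T09:00:07 ALLOW TCP 192.168.1.23:49152 -> 203.0.113.80:80
2008-05-01T09:01:10 DENY TCP 192.168.1.23:49160 -> 198.51.100.1:25
2008-05-01T09:01:11 DENY TCP 192.168.1.23:49161 -> 198.51.100.2:25
2008-05-01T09:01:12 DENY TCP 192.168.1.23:49162 -> 198.51.100.3:25
2008-05-01T09:01:13 DENY TCP 192.168.1.23:49163 -> 198.51.100.4:25
2008-05-01T09:02:00 DENY TCP 192.168.1.40:50000 -> 203.0.113.5:25
2008-05-01T09:02:30 -- log rotated --
"""


def find_smtp_senders(log_text):
    """Map each flagged internal host to the external SMTP servers it contacted."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # looks like an address but is not a valid one
        if int(m.group(3)) != SMTP_PORT or src in APPROVED_RELAYS:
            continue
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue  # only internal-to-external traffic is of interest
        dests[str(src)].add(str(dst))
    # Blocked attempts count too: they still show a host trying to send mail.
    return {h: sorted(d) for h, d in dests.items() if len(d) > MAX_DISTINCT_DESTS}
```

On the sample lines, `find_smtp_senders(SAMPLE_LOG)` reports only 192.168.1.23; the mail server and the workstation with a single blocked attempt are not flagged.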
The following technology-related solutions are available to help combat phishing:
- On the client side or endpoint, implement a personal firewall and anti-virus solution to prevent sending phishing emails, and a firewall, an anti-virus solution and anti-phishing enabled browsers or toolbars to prevent receiving them.
- On the network, include an intrusion detection system/intrusion protection system (IDS/IPS) and network content protection to prevent both sending and receiving phishing emails.
- At the network gateway, implement a firewall, gateway anti-spam and gateway anti-virus to prevent sending and a domain reputation solution to prevent receiving phishing emails.
"Businesses and consumers who adopt a best practices policy will not only reduce their exposure to fraud and identity theft, they will also help in the fight against the serious and ongoing threat of phishing," said Rand.