a) Monitor for fraudulent domain name registrations.
Phishers often set up the fake sites several days before sending out phishing e-mails. One way to stop them from swindling your customers is to find and shut down these phishing sites before phishers launch their e-mail campaigns. You can outsource the search to a fraud alert service. These services use technologies that scour the Web looking for unauthorized uses of your logo or newly registered domains that contain your company's name, either of which might be an indication of an impending phishing attack. This will give your company time to counteract the strike.
b) Set up a central inbox. To do this, organizations typically set up one e-mail address where all suspected phishing e-mails are directed, with an address such as firstname.lastname@example.org or email@example.com. Ideally, this central inbox should be monitored 24/7.
The easiest and most effective way to find out if your organization is being targeted by phishers is simply by giving the general public a way to report phishing attacks. "It's your customers and noncustomers who are going to be the ones that tell you that the phish is out there," said one security manager interviewed for a case study published in
c) Watch your Web traffic. The Internet Storm Center recommends examining web traffic logs for spikes in referrals from specific, previously unknown IP addresses; such spikes may let CSOs zero in on sites being used for large-scale phishing attacks.
After gathering victims' information, many phishing sites then redirect the victim to a log-in page on the real website the phisher is spoofing.
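To make the log check in (c) concrete, here is an added example (not from the original article) that parses constructed Combined Log Format lines, counts which external referrer hosts are sending visitors to the log-in page, and flags any host that is not on an allow-list and meets a hit threshold. The log lines, host names (reserved `.example` domains), landing path and threshold are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic); the .example TLD is reserved for documentation.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "https://www.bank.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 512 "http://secure-bank-verify.example/confirm.php" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 200 512 "http://secure-bank-verify.example/confirm.php" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:43 +0000] "GET /login HTTP/1.1" 200 512 "http://secure-bank-verify.example/confirm.php" "Mozilla/5.0"
198.51.100.12 - - [10/Oct/2023:13:55:50 +0000] "GET /login HTTP/1.1" 200 512 "http://secure-bank-verify.example/confirm.php" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:56:05 +0000] "GET /login HTTP/1.1" 200 512 "https://search.example/?q=bank" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2023:13:56:09 +0000] "GET /about HTTP/1.1" 200 512 "http://secure-bank-verify.example/x" "Mozilla/5.0"
"""

def referrer_hits(log_text, landing_paths=("/login",)):
    """Count referrer hosts for requests to the given landing paths.
    Unparsable lines, lines with no referrer ("-"), and requests for other
    paths are skipped, so the counter only reflects who sends users to log in."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ref") == "-":
            continue
        parts = m.group("req").split()
        if len(parts) < 2 or parts[1].split("?")[0] not in landing_paths:
            continue
        host = urlsplit(m.group("ref")).hostname
        if host:
            counts[host.lower()] += 1
    return counts

def unknown_referrer_spikes(log_text, known_hosts, threshold=3):
    """Return {host: hits} for referrer hosts not on the allow-list that meet the threshold."""
    known = {h.lower() for h in known_hosts}
    return {h: n for h, n in referrer_hits(log_text).items()
            if h not in known and n >= threshold}

if __name__ == "__main__":
    spikes = unknown_referrer_spikes(SAMPLE_LOG, {"www.bank.example", "search.example"})
    for host, hits in sorted(spikes.items(), key=lambda kv: -kv[1]):
        print(f"review referrer {host}: {hits} arrivals at log-in")
```

A flagged host is a lead to investigate, not proof of phishing; the allow-list should hold your own domains and the search engines and partners that legitimately link to your log-in page.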
How can we help our customers avoid falling for phishing?
People who know about phishing stand a better chance of resisting the bait. "The best defense is that a consumer has heard of phishing and is unlikely to respond," says Patricia Poss, an attorney with the Bureau of Consumer Protection at the Federal Trade Commission. People must be trained to think twice about replying to any e-mail or pop-up that requests personal information.
Teach employees how to recognize spoofed e-mail. Similarly, warn your customers about the dangers of phishing, and let them know you'll never ask for their account number, password, Social Security number or any other personal information via e-mail. Train them to avoid clicking on e-mail links to reach you and instead to type your company's URL directly into a new browser window.
However, there's only so much that customer education can do. The onus is also on the organization to limit the damage by shutting down the phishing site.
If an attack does happen, how should we respond?