Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).
Step 1) Gather basic information about the attack. This should include screen shots of the website plus the URL.
Step 2) Contact the ISP (or whoever is hosting the website). Explain the situation and ask that the site be shut down. Many phishing sites are launched on hacked computers, so in a best-case scenario, taking down the site is simply a matter of contacting a website's owners, pointing them to the URL of the webpage, and asking them to remove the offending content (and patch their web servers).
Step 3) Contact law enforcement. Although this is an important step, be warned that it isn't necessarily the most effective way to get the site shut down quickly. The FBI and Secret Service are more concerned with patterns and big busts than individual ones, and until a customer has fallen for a scam and suffered damages, there may have been no law broken. Nevertheless, agents may be able to intervene on your behalf—and who knows, your case may be part of the bigger picture investigation needed to shut down a given fraudster. (This has happened. In May 2005, a 20-year-old Texas man was sentenced to almost four years in prison for phishing.)
By establishing a relationship with law enforcement, you'll come to understand which kinds of attacks agents want information about, and what information they want. For instance, the bank in the aforementioned CSO case study gets a compact disc from its vendor with information about each phish, and a copy of that CD is then passed on to the FBI, which looks for patterns or anomalies in the attacks.
Does all this sound like too much for your company? Then pay someone else to do it for you. The marketplace is brimming right now with companies that will do the dirty work.
Responders at a good service provider will have expertise in working their way up the network stream seeking someone who can and will shut down the site. They try to work with the ISP or Web hosting company, and then if necessary contact the domain name registrar that's directing the URL to a given IP address. They'll send e-mails and faxes; they'll make phone calls. If necessary, they'll send notices threatening legal action. Often, when the site is hosted outside the United States, they'll seek help from local groups of first responders organized by CERT/CC at Carnegie Mellon. The end result? The phishing website might be up for hours instead of days.
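The escalation chain described above (hosting network first, then the registrar that points the name at that IP) can be scripted from RDAP data. The following is an added example, not code from the article or any takedown vendor; it assumes RDAP responses in the RFC 9083 shape and uses constructed sample documents with placeholder `.example` names in place of a live lookup.

```python
"""Phishing takedown triage: pull abuse contacts out of RDAP responses
for the hosting network and the domain registrar, in escalation order."""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample RDAP documents (RFC 9083 shape). A real run would fetch
# the IP and domain records from an RDAP service; every value below is a
# placeholder, not a real provider or phishing host.
RDAP_IP = json.loads("""{
 "handle": "203.0.113.0 - 203.0.113.255", "name": "EXAMPLE-HOSTING",
 "entities": [{"handle": "EH-NOC", "roles": ["abuse", "technical"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
     ["fn", {}, "text", "Example Hosting Abuse Desk"],
     ["email", {}, "text", "abuse@hosting.example"]]]}]}""")
RDAP_DOMAIN = json.loads("""{
 "ldhName": "secure-login-update.example",
 "entities": [{"handle": "REG-1", "roles": ["registrar"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
     ["fn", {}, "text", "Example Registrar"]]],
   "entities": [{"roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
       ["email", {}, "text", "abuse@registrar.example"]]]}]}]}""")

def abuse_emails(rdap):
    """Walk the (possibly nested) entity tree and collect the e-mail
    addresses of every entity that carries the 'abuse' role."""
    found = []
    for ent in rdap.get("entities", []):
        if "abuse" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "email":
                    found.append(prop[3])
        found.extend(abuse_emails(ent))  # registrar abuse desk is nested one level down
    return found

def escalation_plan(url, ip_rdap, domain_rdap):
    """Step 1 evidence (URL, host, timestamp) plus the step 2 contact
    order: hosting network first, then the registrar for the domain."""
    host = urlparse(url).hostname
    return {
        "url": url, "hostname": host,
        "observed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "contacts": [("hosting network", e) for e in abuse_emails(ip_rdap)]
                  + [("domain registrar", e) for e in abuse_emails(domain_rdap)],
    }

if __name__ == "__main__":
    plan = escalation_plan("http://secure-login-update.example/bank/login", RDAP_IP, RDAP_DOMAIN)
    for tier, addr in plan["contacts"]:
        print(f"{tier}: {addr}")
```

Pair the output with the screenshots from step 1 and keep a copy of each notice sent, so the same record can be handed to law enforcement in step 3.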