Most IT professionals spend little time worrying about phishing, regarding it not as a threat to their organizations but rather as a consumer-centered issue.
After all, these fraudulent emails typically seek an individual’s personal or financial information, so unless you’re in charge of IT security for a bank, a credit card company, eBay, or PayPal, chances are you haven’t seen phishing directly impact your organization.
Besides, Postini, a provider of email security and management, reported that phishing attacks decreased in April. The company says that it protected its customers from over 9 million phishing messages in April, which is down 45% from March.
While this may give CIOs some comfort, it’s a false sense of comfort, according to Andrew Lochart, Postini’s senior director of marketing. He noted that due to the unpredictability of spammers and phishers, month-to-month variations are normal, and enterprises should expect these problems to get worse.
According to Joan Lockhart, vice president of marketing for GeoTrust, a provider of e-business identity verification solutions, ignoring phishing could come back to haunt you.
“There is no one organization that takes responsibility for this problem, instead leaving it up to consumers to protect themselves,” Lockhart said. “Internet attacks invariably evolve, and as phishing becomes more sophisticated, I wouldn’t be surprised to see it move from consumers to a platform for assaults on businesses.”
To help combat this problem, GeoTrust has released a free browser plug-in, a toolbar that shows information about the Web sites a user visits. It shows details such as the site’s real address, whether on not the website has been verified by a trusted third party, and if it’s on a blacklist.
Aside from eroding brands (can you ever trust an email from eBay again?), Lockhart believes that phishers will eventually use an individual’s personal information to penetrate corporations.
After all, the same sorts of fraudulent emails could be used to solicit corporate user IDs and passwords.
Ferris Research, a San Francisco analyst firm that specializes in email, messaging, and collaboration, believes that it is in a company’s best interest to fight phishing, whether or not the phish pose a direct threat to the organization.
“Let’s pretend you’re a CIO,” said Richi Jennings, lead analyst in Ferris’ spam and boundary services practice. “You need to worry about phishing from two main perspectives: First, the damage to your brand if consumers get defrauded by criminals pretending to be you. This is not just an issue for banks, but for any organization that has an online presence, especially if you’re involved in e-commerce.
“Secondly, what if your employees get phished? Criminals may use phishing techniques to fool your employees into providing access to your internal systems.”
Jennings pointed to recent attacks against ChoicePoint and Lexis-Nexus, and while these weren’t phishing attacks, they are essentially serve as case studies for how phishers could start using their techniques to penetrate corporations.
Similarly, a recent worm has been hitting many corporate email accounts, and the attack uses phishing techniques to entice users into opening the infected email attachment.
The W32.Mytob.CH@mm worm, which is used to generate spam, appears at first glance to be a legitimate email. The sender line is spoofed, so the message appears to be coming from a user’s system administrator, and subject lines like “Your Email Account is Suspended For Security Reasons” or “Email Account Suspension” create a sense of alarm that convinces many users to click without thinking.
In reality, this attack, much like ILOVEYOU, blends phishing and virus techniques. The social engineering involved in tricking people into opening emails is what both phishing and attacks like W32.Mytob rely on.
What’s different with W32.Mytob is that it often appears to be delivered from your company’s system administrator. The worm is blocked by most anti-virus products, but it points to the increased threat to the enterprise when phishing techniques combine with other e-threats.
Show Me the Money
“Like spammers, phishers follow the money,” said Anne Bonaparte, president and CEO of MailFrontier, a provider of email security products. “We’ve seen phish that directly target payroll systems. They first do directory harvest attacks to determine valid email accounts and then design their phish to target those users, with the hope that they’ll be able to penetrate payroll systems.”
While both MailFrontier and Postini offer email security, with solutions that combat phish at the email-gateway level, MailFrontier also advises its customers on the importance of educating users so they able to determine what is legitimate email and what is not.
To promote phishing awareness, MailFrontier offers a phishing IQ test, which attempts to show users the differences between legitimate and suspect emails.
To protect your organization from phishing attacks, MailFrontier advocates a three-step approach, which starts with user education. Next, companies should apply technical solutions, such as email gateway security and browser plug-ins, and, finally, companies need to police their own outgoing emails, instituting safe email policies.
“Often the problem is the company itself,” Bonaparte said. “If you interact with customers via email, screen how you do that or you risk being phished. If you have poorly written emails or emails that request personal information, these will likely be spoofed.”