In Depth
Foiling Phishing
Companies on the front lines of the phishing wars share tactics for protecting customers and employees alike.
By Dragoon Alice
"The only downside is that every mail server in the world has to get upgraded," says Jevans. "How long is that going to take?"
Fortunately, there are steps you can take to protect your company in the meantime. Here are some best practices.
Another address-related idea, from the Internet Storm Center (isc.sans.org): After gathering victims' information, many phishing sites then redirect the victim to a log-in page on the real website the phisher is spoofing. By examining Web traffic logs and looking for spikes in referrals from specific, heretofore unknown IP addresses, CSOs may be able to zero in on sites used for large-scale phishing attacks.
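One way to run the referral check described above, as an added example (it is not code from the article or from the Internet Storm Center). It assumes Combined Log Format access logs, a log-in page at `/login` and a baseline set of referrer hosts seen in earlier logs; every hostname, address and threshold below is constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions for this example: Combined Log Format, a log-in page at /login,
# and a baseline of referrer hosts already seen in earlier logs.
LOGIN_PATH = "/login"
OWN_HOSTS = {"www.example-bank.test"}
KNOWN_REFERRERS = {"www.search.test"}
SPIKE_THRESHOLD = 3  # log-in referrals per hour from one previously unseen host

LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<day>[^:]+):(?P<hour>\d{2})[^\]]*\] '
    r'"(?:GET|POST) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<ref>[^"]*)"'
)

def referral_spikes(lines):
    """Return {(hour_bucket, referrer_host): count} for unknown hosts at or over the threshold."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or urlsplit(m["path"]).path != LOGIN_PATH:
            continue  # unparseable line, or not a request for the log-in page
        host = (urlsplit(m["ref"]).hostname or "").lower()
        if not host or host in OWN_HOSTS or host in KNOWN_REFERRERS:
            continue  # no referrer, our own pages, or a referrer already in the baseline
        counts[(f'{m["day"]} {m["hour"]}:00', host)] += 1
    return {k: n for k, n in counts.items() if n >= SPIKE_THRESHOLD}

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    f'198.51.100.{i} - - [12/Oct/2004:14:0{i}:11 +0000] "GET /login HTTP/1.1" 200 512 '
    f'"http://203.0.113.45/verify/done.php" "Mozilla/4.0"' for i in range(1, 5)
] + [
    '198.51.100.9 - - [12/Oct/2004:14:07:02 +0000] "GET /login HTTP/1.1" 200 512 '
    '"http://www.search.test/?q=bank" "Mozilla/4.0"',
    '198.51.100.10 - - [12/Oct/2004:14:09:40 +0000] "GET /login HTTP/1.1" 200 512 '
    '"http://192.0.2.77/" "Mozilla/4.0"',
    '198.51.100.11 - - [12/Oct/2004:14:12:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for (hour, host), n in referral_spikes(SAMPLE).items():
        print(f"{hour}  {host}  {n} log-in referrals from a previously unseen referrer")
```

A host that crosses the threshold is a lead for investigation and a takedown request, not proof of phishing; a new partner link or news story can produce the same pattern.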
People who know about phishing stand a better chance of resisting the bait. "While you're waiting for the technology, the best defense is that a consumer has heard of phishing and is unlikely to respond," says Patricia Poss, an attorney with the Bureau of Consumer Protection at the Federal Trade Commission. "They're going to think twice" about replying to any e-mail or pop-up that requests personal information.
Teach internal employees how to recognize spoofed e-mail. Similarly, warn your customers about the dangers of phishing, and let them know you'll never ask for their account number, password, Social Security number or any other personal information via e-mail. Encourage them to avoid clicking on e-mail links to reach you, but instead to type your company's URL directly into a new browser window. (See "10 Tips for a Spoof-Proof Life," Page 52, for additional educational points.)
PayPal interrupts its own log-in screens periodically with a phishing warning. "Users have to click through [the warning] to get to the main screen," Miller says. A Security Center on PayPal's site includes an e-commerce safety guide, fraud protection tips for buyers and sellers, a link to let users report spoof e-mails and a prominent reminder to log in to PayPal by opening a new browser window and typing in the URL.



