In Depth

Foiling Phishing

Companies on the front lines of the phishing wars share tactics for protecting customers and employees alike.

By Dragoon Alice

Page 5

A target of phishers since April 2003, EarthLink also focuses its efforts on increasing customer awareness, says Linda Beck, executive vice president of operations for the ISP. In addition to creating customer education pieces, EarthLink developed its own ScamBlocker toolbar, which it offers free to anyone on its website. ScamBlocker relies on a blacklist of known phisher sites to warn users when they attempt to access a site on that list. (In fact, EarthLink shares blacklist data with eBay, which has its own antifraud toolbar.) EarthLink's education efforts and its investment in developing ScamBlocker appear to be paying off. Although it once got 40,000 calls per attack, EarthLink's call center now fields from 10,000 to 12,000 calls per phishing incident. As a result, the cost per attack has fallen from a peak of $115,000 to a little more than $40,000.
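As an added example (not EarthLink's ScamBlocker code, nor CoreStreet's SpoofStick extension described next), the following Python sketches what such a toolbar does: work out the host the browser will actually reach, check it against a blacklist, and show it to the user as a "You're on ..." banner. The blacklist entries, sample addresses and helper names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blacklist of phisher hosts (placeholder values, not real
# indicators); a ScamBlocker-style toolbar consults a list like this.
BLACKLIST = {"10.19.32.4", "account-verify.example"}

def real_host(url: str) -> str:
    """Host the browser will actually contact for `url`.
    urlsplit() drops any user-info before '@', so a link written as
    http://www.ebay.com@10.19.32.4/ reaches 10.19.32.4, not eBay."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")

def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def registrable_domain(host: str) -> str:
    """Last two labels, e.g. signin.ebay.com -> ebay.com.  Assumption: a real
    toolbar would consult the Public Suffix List for names like co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host

def assess(url: str, blacklist=BLACKLIST) -> tuple:
    """Return (banner text, blocked?) for the address the user is visiting."""
    host = real_host(url)
    if not host:
        return "You're on (unknown host)", False
    shown = host if is_ip_literal(host) else registrable_domain(host)
    return f"You're on {shown}", host in blacklist or shown in blacklist

# Constructed sample addresses (not from the article): the banner names the
# real host even when a brand name appears earlier in the URL.
SAMPLES = ["https://signin.ebay.com/ws/eBayISAPI.dll",
           "http://www.ebay.com@10.19.32.4/signin",
           "http://ebay.com.account-verify.example/",
           "http://[2001:db8::1]/login"]

if __name__ == "__main__":
    for u in SAMPLES:
        text, blocked = assess(u)
        print(f"{u:45} {text}{'  [BLOCKED]' if blocked else ''}")
```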

Companies can also point customers to a free browser extension known as SpoofStick, which can be downloaded at www.corestreet.com/spoofstick. SpoofStick helps users detect spoofed websites by identifying the domain name of each website visited; visiting a spoofed eBay site, for example, brings up a toolbar message along the lines of "You're on 10.19.32.4" instead of "You're on eBay.com."

3 Establish online communication protocols.

Now that phishing has become a fact of life, companies need to be careful about how they use e-mail to communicate with customers. In May, Wachovia's phones started ringing off the hook after the bank sent customers an e-mail instructing them to update their online banking user names and passwords by clicking on a link. Although the e-mail was legitimate (the bank had to migrate customers to a new system following a merger), a quarter of the recipients questioned it. Frankly, Wachovia should have known better.

As Wachovia discovered, companies need to clearly think through their customer communication protocols. For example, all e-mails and webpages should have a consistent look and feel, all e-mails should greet customers by first and last name, and a company shouldn't ask for personal or account data through e-mail. If any time-sensitive personal information is sent through e-mail, it has to be encrypted. Although e-mail marketers may wring their hands at the prospect of not sending customers links that would take them directly to targeted offers, instructing customers to bookmark key pages or linking to special offers from the homepage would be a lot more secure.

It also makes sense to revisit what customers are allowed to do on your website. They should not be able to open a new account, sign up for a credit card or change their address online with just a password. "You can't expect a password to guard against a sophisticated attack," Gartner's Litan says. Although stronger authentication is ideal (see section 6), at a minimum companies should acknowledge every online transaction through e-mail and one other method of the customer's choosing (such as calling the phone number on record) so that customers are aware of all online activity on their accounts. And to prevent phishers from copying your online data-capture forms, don't put them on your website for all to see. Instead, require secured log-in to access e-commerce forms.

4 Create a response plan now.
