In Depth

Foiling Phishing

Companies on the front lines of the phishing wars share tactics for protecting customers and employees alike.

By Dragoon Alice

Page 6

Before you become a target, establish a cross-functional antiphishing team and develop a response plan so that you're ready to deal with any attacks. Ideally, the team should include representatives from IT, internal audit, communications, PR, marketing, Web, customer service and legal services. "If you wait until an attack hits you, it's definitely too late," advises APACS's Salmond.

First, hammer out how you'll inform customers of an attack. Post news of new phishing e-mails targeting your company on your website, reiterating that they are not from you and that you didn't and wouldn't ask for such information. "If your company is hit, the information should already be on your website, instead of responding two days later," says the FTC's Poss. If it's your first attack, you might also want to alert customers via e-mail.

Employees at all customer contact points need to know what to say and do if a customer reports a new phishing attack. Salmond recommends developing appropriate scripts for each customer contact point. If you do detect fraud on any accounts, you need to have a codified process to follow to alert affected customers and give them new account numbers and passwords.

A good response plan should also outline whom to contact at the various ISPs to get a phisher site shut down as quickly as possible. Identifying law enforcement contacts at the FBI and the Secret Service ahead of time will give you a better chance of bringing the perpetrator to justice. It's a good idea to work with both federal agencies to leverage their combined experience and contacts, advises David Remick, enterprise information security analyst at EarthLink.

Now that EarthLink has established contacts with other ISPs, it can usually shut down a U.S.-based phisher site within two days, down from the seven days it took in April 2003. Overseas sites are a different matter; those tend to take 20 to 22 days to shutter. The FBI's Curran recommends using software tools to capture links on the phisher website before it's shut down; this will let law enforcement recreate the phisher site forensically to determine how the victims' info was captured and where it was sent.

5. Proactively monitor for phishers and fraud.

Phishers usually set up the fake sites that will collect responses about eight days before sending out phishing e-mails. So one way to stop them from swindling your customers is to find and shut down these "landing" sites before they launch their e-mail campaigns. You can outsource the search for phishing sites to a fraud alert service. Such services use technologies that crawl the Web looking for unauthorized uses of your logo or newly registered domains that contain your company's name, either of which might be an indication of an impending phishing attack. Some fraud alert services also launch aggressive counterattacks, such as a denial-of-service attack that keeps phishers' servers busy with ruses so that they can't accept customer information.
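The domain-monitoring check described above (new registrations that contain your company's name), as an added example that is not part of the original article or any fraud alert service's product. It goes slightly beyond the text by also flagging near-miss spellings one edit away from the brand, which is how many "landing" sites are named. The brand list and the registration feed are constructed sample data, not real domains.

```python
import re

# Assumed: the brand strings your company wants watched (constructed examples).
BRANDS = ["examplebank", "acmepay"]

# Constructed sample feed of newly registered domains; not real registrations.
NEW_REGISTRATIONS = [
    "examplebank-secure-login.com",
    "exampIebank.net",        # capital I standing in for lowercase l
    "acmepay-verify.info",
    "acmepai.com",
    "weather-report.org",
]


def normalize(domain):
    """Lowercase and drop a trailing dot so comparisons are case-insensitive."""
    return domain.lower().rstrip(".")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=BRANDS, max_distance=1):
    """Return (reason, brand) if the domain looks like a brand impersonation, else None.

    "contains-brand": the brand string appears anywhere in the hostname once
    separators are removed (the check the article describes).
    "lookalike": the registrable label is within max_distance edits of the brand.
    Assumes single-label public suffixes (.com, .net); multi-label suffixes such
    as .co.uk would need a public-suffix list, which is out of scope here.
    """
    host = normalize(domain)
    labels = host.split(".")
    core = labels[-2] if len(labels) >= 2 else labels[0]
    compact = re.sub(r"[^a-z0-9]", "", host)
    core_compact = re.sub(r"[^a-z0-9]", "", core)
    for brand in brands:
        if brand in compact:
            return ("contains-brand", brand)
        if levenshtein(core_compact, brand) <= max_distance:
            return ("lookalike", brand)
    return None


def scan(feed, brands=BRANDS):
    """Run classify() over a feed and return the suspicious entries for review."""
    hits = []
    for domain in feed:
        result = classify(domain, brands)
        if result:
            hits.append((domain, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for domain, reason, brand in scan(NEW_REGISTRATIONS):
        print(f"{domain}: {reason} ({brand})")
```

A hit here is a lead for the antiphishing team, not proof of fraud; the next step is to check whether the site is live and serving a copy of your login page before asking the registrar or ISP to take it down.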
