Network Associates' McAfee Research division has released a white paper aimed at informing people about phishing attacks and providing best practices for dealing with them.
"Anti-phishing: Best practices for institutions and consumers" [pdf] outlines phishing attacks and what it sees as the best ways for minimising their impact on both institutions and consumers.
Phishing is one of the latest e-mail schemes that attempts to get users to give up their private financial information, such as passwords, PINs, and other identifying or security information through a combination of technical means and social engineering. Fraudulent e-mails and websites impersonate legitimate counterparts to lull people into a false sense of security and then coax or demand details from individuals.
According to a recent report [pdf] by the Anti-phishing Working Group, phishing is becoming a greater problem as well. In January this year, there were 176 unique attacks - nearly six a day and an increase of 52 per cent on the previous month.
Sacha Alton, channel manager at Network Associates, said: "While con artists and scammers have been around for centuries, they generally require user confidence to be successful. With phishing scams, these attacks are usually large-scale, targeting more than thousands of users on each try. By educating both businesses and consumers about the different types of phishing techniques, we can help them learn how best to minimize these types of attacks and reduce their risk of exposure."
The report outlines a series of best practices for both companies and individuals. For companies these are:
- Establish corporate policies and communicate them to end-users: Create corporate policies for e-mail content so legitimate e-mail cannot be confused with phishing. Communicate these policies to customers and follow them.
- Provide a way for the e-mail recipient to validate that the e-mail is legitimate: The recipient should be able to identify that the e-mail is from the institution, not a phisher. To do that, the sending institution must establish a policy for embedding authentication information into every e-mail that it sends to consumers.
- Stronger authentication at websites: If institutions did not ask end-users for sensitive information when logging onto a Web site (e.g. social security numbers or passwords), then it would be more difficult for phishers to extract such information from the user.
- Monitor the Internet for potential phishing sites: The phishing website generally appears somewhere on the Internet prior to the launch of the phishing e-mails. These sites often misappropriate corporate trademarks to appear legitimate.
- Implement good quality anti-virus, content filtering and anti-spam solutions at the Internet gateway: Gateway anti-virus scanning provides an additional layer of defense against desktop anti-virus scanning. Filter and block known phishing sites at the gateway. Gateway anti-spam filtering helps end-users to avoid unwanted spam and phishing e-mails.
For consumers, McAfee suggests the following approach:
- Automatically block malicious/fraudulent e-mail: Spam detectors can help keep the consumer from ever opening the suspicious e-mail, but they are not foolproof.
- Automatically detect and delete malicious software: Spyware is often part of a phishing attack, but can be removed by many commercial programs.
- Automatically block outgoing delivery of sensitive information to malicious parties: Even if the consumer cannot visually identify the true Web site that will receive sensitive information, there are software products that can.
- Be suspicious: If you are not sure if an e-mail is legitimate, call the apparent sending institution to verify the authenticity.