CRBJ, April 2005
Protect your business from phishing scams

By Ken Doyle

Many of us have received an official-sounding e-mail asking the recipient to go to an official-looking (but fraudulent) Web site to verify account numbers, passwords or other sensitive information. Often, the request is accompanied by a statement that the account has been suspended or will be closed if the information is not provided. It's called "phishing," and this variety of online scam recorded an average monthly growth rate of 24 percent from July through December 2004, according to the Anti-Phishing Working Group (www.antiphishing.org).

While home users have been the primary victims of phishing attacks, recent trends show that businesses are also facing significant threats on two fronts:

- First, individuals in any company may be lured into disclosing sensitive corporate information in addition to financial information, such as user accounts, passwords or other information that could provide a "back door" into the corporate network.
- Second, many corporate Web sites may be compromised as a result of more sophisticated phishing attacks.

In February, an e-mail that claimed to come from Microsoft asked users to confirm the legitimacy of their Windows XP installation by connecting to a Microsoft site and entering a credit card number. However, unlike many other attacks that merely sought financial information, the phishing site in this particular exploit installed spyware on the user's computer, compromising it further. Other e-mails do away with the pretense altogether and simply act as carriers for spyware that monitors keystrokes and screens on the victim's computer, periodically reporting this information back to the phisher.

The best steps to minimize this type of threat are ones that any business should already have in place as part of its security program: effective firewalls, server-based spam filtering, antivirus software, and spyware detection and prevention tools. Employee education can also help to combat individual attacks. The Federal Trade Commission publishes a useful overview of steps to avoid becoming a victim of phishing attacks (www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm).

A good defense against the second type of threat to businesses is more difficult to achieve. While traditional phishing attacks have generally targeted high-profile corporate Web sites (with banks and other financial institutions topping the list), it's becoming evident that many other companies, big and small, should be vigilant.
Savvier phishers are now employing "cross-site scripting": the e-mail link sends victims to the legitimate Web site, and a flaw in that site's own pages is used to pop up a window or display a frame over the original page, asking for login information. Since this technique does not install any server-side components, your company may be completely unaware that it has been targeted until a victim files a report or complaint. A first step in the defense against such exploits should be a complete security review of any Web site that uses dynamic pages, together with the use of scripting to block popups or frames.

The bottom line: take a good look at your corporate technology security measures and make sure to stay up-to-date on the latest exploits. Employees should remember that no self-respecting company will ever ask for sensitive information by e-mail. If you're in doubt, always call the company in question first. It's a low-tech approach, but it works.

techtalk@loquent.net

madison.com ©2009 Capital Newspapers. All rights reserved.
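As an added illustration of the kind of dynamic-page flaw the security review above should look for (example code written for this edit, not from the column or any vendor; the page layout, the `user` parameter and the sample frame payload are all constructed): a page that reflects a URL parameter into its markup unescaped, beside a hardened version that escapes the value and sends response headers restricting frames and inline script.

```python
import html
from urllib.parse import parse_qs, quote

# Added example (not from the column): a minimal "dynamic page" that echoes a
# URL parameter back to the visitor. Function names, the ?user= parameter and
# the sample payload below are all constructed for this illustration.

def _user_param(query_string: str) -> str:
    """Pull the ?user= value out of a query string (percent-decoding it)."""
    return parse_qs(query_string).get("user", [""])[0]

def render_vulnerable(query_string: str) -> str:
    """Reflects the parameter straight into the markup (reflected XSS).
    Whatever the parameter holds, including a frame or script tag, becomes
    live HTML served from the company's own domain."""
    return f"<html><body><h1>Welcome back, {_user_param(query_string)}</h1></body></html>"

def render_hardened(query_string: str) -> str:
    """Same page, but the value is HTML-escaped (quotes included) before it
    reaches the markup, so injected tags come out as literal text."""
    safe = html.escape(_user_param(query_string), quote=True)
    return f"<html><body><h1>Welcome back, {safe}</h1></body></html>"

def hardened_headers() -> dict:
    """Defence in depth for the same page: a CSP that blocks inline script and
    frames from other origins, plus a header that stops the page itself being
    framed by another site."""
    return {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }

def reflects_markup(page: str, marker: str) -> bool:
    """Review check: does the raw marker come back unescaped in the response?"""
    return marker in page

# Constructed test input: a harmless frame tag standing in for the overlay the
# column describes. phish.example uses the reserved .example placeholder TLD.
CONSTRUCTED_PAYLOAD = '<iframe src="https://phish.example/"></iframe>'
CONSTRUCTED_QUERY = "user=" + quote(CONSTRUCTED_PAYLOAD)

if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        page = render(CONSTRUCTED_QUERY)
        print(render.__name__, "reflects raw markup:",
              reflects_markup(page, CONSTRUCTED_PAYLOAD))
```

The `reflects_markup` check is the kind of test a reviewer can run against every parameter of every dynamic page: if a marker string round-trips unescaped, that page can be made to show an attacker's frame or popup under the company's own domain name.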