Tactical Advice

10 Tips for Phishing Prevention

Here are some phishing protection tips to safeguard your company's network from attack and help your employees spot questionable requests for data.
This story appears in the March 2006 issue of BizTech Magazine.

Phishing is unlike any other malevolent threat prevalent on today’s Internet: viruses, Trojan horses, worms, spam and spyware are mostly irritants, and in some cases can cost you a little money. They are not, however, a potential cause of immediate financial disaster the way phishing is.

A typical phishing attack has several distinguishable aspects. Analogous to the real world, there is bait and a hook, and then there is a spoofed Web page waiting for an unsuspecting user to submit sensitive information.

The bait is usually a genuine-looking but fraudulent e-mail appearing to be from a trusted entity — a user’s bank or frequently visited auction site, for example. However, bait can also come in the form of instant messages, false advertisements on Web pages, and other forms of electronic communication. Several techniques, both psychological and technical, are used to make a user believe that the e-mail is genuine and trick him or her into doing what the sender wants, which is typically to click on a link in the e-mail or other message. This is where the hook comes into play.

Phishing e-mail almost always contains an embedded link that acts as a hook and leads victims to a phishing Web page — the raison d'être of the whole bait-and-hook deceit. This Web page is a near-identical copy of a Web page of the trusted entity being impersonated, with a few crucial elements manipulated. It is generally a copy of a login page or a similar page with a Web form that elicits sensitive information. Everything looks genuine to a non-technical user; the tell-tale differences are in details such as the address in the browser’s address bar, the site’s certificate and, in the page source, the address to which the form submits its data. Some advanced spoofs exploit browser vulnerabilities to manipulate the URL shown in the address bar so that even it appears genuine.

At this point, if the user is deceived and submits the information requested on the form, it’s passed on to the counterfeiter and the phishing attack succeeds. The user has been successfully phished. There are two things a company can do to protect employees from phishing scams. The first is to make necessary changes to the IT policy to mandate key safeguards and to educate employees on how to avoid phishing attempts. The second is to implement technical mechanisms to spot and stop phishing e-mail and Web pages before they reach employees.
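The hook can also be examined mechanically, which is the kind of technical mechanism the previous paragraph refers to. The following Python script is an added example and not code from the article or from F-Secure: it extracts every link from an HTML e-mail and reports the tricks described above, namely visible link text that names one host while the href goes to another, a raw IP address as the host, credentials embedded before an @ in the URL, the trusted brand name used as a subdomain of some unrelated domain, and a plain-http link. The sample message, the domain bank.example, the attacker hosts and the two-label registered-domain heuristic are all assumptions constructed for the example.

```python
"""Flag suspicious links in an HTML e-mail (the phishing 'hook').

Added example, not from the article. All domains, hosts and the sample
message below are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: 'login.bank.example' -> 'bank.example'.
    Assumption: two labels is enough. A real deployment would consult the
    Public Suffix List, because this is wrong for names like example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True if the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze_link(href, text, trusted_domain):
    """Return the reasons this link looks like a phishing hook ([] if none)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:
        reasons.append("credentials embedded in URL (text before @ is not the host)")
    if is_ip_literal(host):
        reasons.append("host is a raw IP address")
    elif host and registered_domain(host) != trusted_domain:
        brand = trusted_domain.split(".")[0]
        if brand in host:
            reasons.append("brand name used inside unrelated domain %s" % registered_domain(host))
        else:
            reasons.append("link leads to %s, not %s" % (registered_domain(host), trusted_domain))
    if parts.scheme == "http":
        reasons.append("link is plain http, not https")
    # Visible text that itself looks like a hostname for a different host than the href.
    m = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    if m and m.group(1).lower() != host.lower():
        reasons.append("visible text shows %s but href goes to %s" % (m.group(1), host))
    return reasons


def scan_email(html, trusted_domain):
    """Map each suspicious href in the message to its reasons; clean links are omitted."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = analyze_link(href, text, trusted_domain)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample bait message: a fake "account limited" notice for bank.example.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been limited. Please confirm your details:</p>
<p><a href="http://www.bank.example.verify-account.net/login">www.bank.example</a></p>
<p><a href="https://www.bank.example@203.0.113.7/secure">Secure login</a></p>
<p><a href="https://www.bank.example/help">Help centre</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL, "bank.example").items():
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the sample message, the script flags the first two links and passes the third, the only one that actually leads to bank.example over HTTPS. The brand-in-subdomain and visible-text checks are heuristics; they catch the common spoof but will also fire on legitimate third-party hosts that contain the brand name, so in a mail gateway they belong in a scoring model rather than a hard block.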

Employee Education on Phishing Prevention

Educating employees about the phishing phenomenon is imperative for overall protection. Employees who work remotely are becoming increasingly common, posing added risks. The possibility of a remote employee’s system being infected by a keylogger or other malicious code via a phishing attack, and then spreading the infection to the company network, makes education critical.

Employee education should start with a simple test to evaluate awareness and knowledge of phishing. An easy way is to show employees a collection of known phishing attempts, along with genuine e-mail and Web pages, and ask them to identify the authenticity of each. The feedback from the test can be used for further training.

Then, teach employees these protective safeguards and include them in the company’s IT policy:

  • Never give out personal, financial or other sensitive information to anyone who requests it. Make sure that you’re using a secure Web site when submitting sensitive information. To confirm you’re on a secure Web server, check the URL in your browser’s address bar — it should begin with “https://” rather than the typical “http://”. There should also be a closed-padlock image in the browser’s status bar. To ensure that the padlock image is not fake, double-click on it and examine the Web site’s security certificate. Bear in mind that “https://” and the padlock only show that the connection is encrypted to whoever runs the site; a phishing site can present a valid certificate of its own. Check that the certificate was issued to the organization and domain you expect.
  • Be suspicious of e-mail that requests sensitive information. Most organizations stopped making such requests via e-mail long ago, precisely because the tactic is used in phishing and spoofing schemes. If an e-mail asks for sensitive information, it most likely is a phishing attempt.
  • Don’t click on links embedded in an e-mail that seems to come from a bank, financial institution or e-commerce vendor. In other words, if there is even a remote possibility that the e-mail is spoofed, don’t click on any links in it. Open a new browser window and manually type the site’s URL in the address bar.
  • Enter a fake password. When prompted for a password, give an incorrect one first. A legitimate site will not accept the fake, but a simple phishing site will. Treat acceptance of a wrong password as proof of fraud, but do not treat rejection as proof of legitimacy: a phishing site that relays your input to the real site in real time will reject the wrong password too, and you have already handed it your user name.
  • Don’t fill in forms contained in e-mail that ask for sensitive information. Most responsible organizations don’t use an e-mail form for this purpose, as e-mail is not a secure medium. Submit such information only on secure Web sites.
  • Keep your browser and operating system up to date with the most current patches available. Some phishing attempts exploit browser vulnerabilities to fool users and install malicious code. Take particular note of this if you use Microsoft Internet Explorer.
  • Thoroughly check your credit card and bank account statements regularly and look for any unauthorized charges.
  • Always use updated antivirus and firewall software to protect yourself from phishing attempts that try to surreptitiously install malicious software such as keyloggers on your machine.
  • When in doubt, check. If you doubt the authenticity of a message, check directly with the institution.
  • If you think you have fallen victim to a phishing attack, notify the Federal Trade Commission (www.ftc.gov) and the Internet Crime Complaint Center (www.ic3.gov) and immediately notify your bank, credit card companies and other stakeholders.
Based in Helsinki, Finland, S.G. Masood is an anti-phishing researcher at F-Secure Corp. (www.f-secure.com)