Phishing is unlike any other malevolent threat prevalent on today’s Internet: viruses, Trojan worms, spam and spyware are mostly irritants at best and in some cases can cost you a little money. However, they are not a potential cause of immediate financial disaster the way phishing can be.
A typical phishing attack has several distinguishable aspects. Analogous to the real world, there is bait and a hook, and then there is a spoofed Web page waiting for an unsuspecting user to submit sensitive information.
The bait is usually a genuine-looking but fraudulent e-mail appearing to be from a trusted entity — a user’s bank or frequently visited auction site, for example. However, bait can also come in the form of instant messages, false advertisements on Web pages, and other forms of electronic communication. Several techniques, both psychological and technical, are used to make a user believe that the e-mail is genuine and trick him or her into doing what the sender wants, which is typically to click on a link in the e-mail or other message. This is where the hook comes into play.
Phishing e-mail almost always contains an embedded link that acts as a hook and leads victims to a phishing Web page — the raison d'être of the whole bait and hook deceit. This Web page is a near identical copy of a Web page of the trusted entity that is being impersonated, with a few crucial elements manipulated. It is generally a copy of a login page or a similar page with a Web form that elicits sensitive information. Everything looks genuine to a non-technical user; only an expert examining the source code would detect the fraud. Some advanced spoofs can also manipulate the URL shown in the address bar of the user’s browser to appear genuine.
At this point, if the user is deceived and submits the information requested on the form, it’s passed on to the counterfeiter and the phishing attack succeeds. The user has been successfully phished. There are two things a company can do to protect employees from phishing scams. The first is to make necessary changes to the IT policy to mandate key safeguards and to educate employees on how to avoid phishing attempts. The second is to implement technical mechanisms to spot and stop phishing e-mail and Web pages before they reach employees.
Educating employees about the phishing phenomenon is imperative for overall protection. Employees who work remotely are becoming increasingly common, posing added risks. The possibility of remote employees’ systems being infected by keylogger or other malicious code via a phishing attack and then spreading the infection to the company network makes education critical.
Employee education should start with a simple test to evaluate awareness and knowledge of phishing. An easy way is to show employees a collection of known phishing attempts, along with genuine e-mail and Web pages, and ask them to identify the authenticity of each. The feedback from the test can be used for further training.
Then, teach employees these protective safeguards and include them in the company’s IT policy: