JOHANNESBURG (03/18/2004) - Network Associates Inc.'s (NAI's) McAfee Research division has announced the availability of "Anti-phishing: Best practices for institutions and consumers," a white paper that outlines phishing attacks and the best practices for minimizing their impact on both institutions and consumers.
The white paper has been developed to help enterprises and consumers learn the effects of phishing scams and how best to protect themselves from future attacks. To access the white paper, please visit http://www.networkassociates.com/us/products/mcafee/product_lit.htm.
Phishing, one of the latest e-mail fraud schemes to hit both enterprise users and consumers, is an attempt to get users to give up private financial information (passwords, PINs and other identifying or security information) through a combination of technical means and social engineering. The techniques usually involve fraudulent e-mail and Web sites that impersonate legitimate e-mail and Web sites. The fraudulent e-mails can be considered a malicious form of unsolicited bulk e-mail, generally known as 'spam'.
According to the January 2004 'Phishing Attack Trends Report' by the Anti-Phishing Working Group (APWG), phishing attacks are increasing rapidly. One hundred and seventy-six unique new phishing attacks were reported in January 2004, amounting to 5.7 new attacks per day. This is a 52 percent increase over December 2003.
Says Sacha Alton, channel manager at Network Associates: "While con artists and scammers have been around for centuries, they generally require user confidence to be successful. With phishing scams, these attacks are usually large-scale, targeting more than thousands of users on each try. By educating both businesses and consumers about the different types of phishing techniques, we can help them learn how best to minimize these types of attacks and reduce their risk of exposure."
Users should beware of these phishing scams, which usually consist of a link to a Web site as their 'call to action' or ask the recipient to download a file that could contain a malicious threat, such as a virus or Trojan. By following the best practices set forth by McAfee Research, users will be able to learn how to safeguard themselves from these sophisticated forms of attack.
Corporate best practices:
- Establish corporate policies and communicate them to end-users: Create corporate policies for e-mail content so that legitimate e-mail cannot be confused with phishing. Communicate these policies to customers and follow them.
- Provide a way for the e-mail recipient to validate that the e-mail is legitimate: The recipient should be able to identify that the e-mail is from the institution, not a phisher. To do that, the sending institution must establish a policy for embedding authentication information into every e-mail that it sends to consumers.
- Stronger authentication at Web sites: If institutions did not ask end-users for sensitive information when logging onto a Web site (e.g., social security numbers or passwords), then it would be more difficult for phishers to extract such information from the user.
- Monitor the Internet for potential phishing Web sites: The phishing Web site generally appears somewhere on the Internet prior to the launch of the phishing e-mails. These sites often misappropriate corporate trademarks to appear legitimate.
- Implement good quality anti-virus, content filtering and anti-spam solutions at the Internet gateway: Gateway anti-virus scanning provides an additional layer of defense on top of desktop anti-virus scanning. Filter and block known phishing sites at the gateway. Gateway anti-spam filtering helps end-users avoid unwanted spam and phishing e-mails.
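The two gateway controls above (spotting sites that misappropriate a corporate trademark, and blocking known phishing sites) can be illustrated with a small inbound-mail check. The following Python is an added example written for this page; it is not code from the McAfee Research white paper or from Network Associates. The domain names (all under the reserved .example TLD), the brand token, the blocklist and the sample message are constructed for the demonstration, and the anchor-tag regex is a simplification of real HTML parsing.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed for this example: the institution's own domains, the brand token
# a look-alike site would reuse, and a few hosts already known to be phishing sites.
LEGITIMATE_DOMAINS = {"examplebank.example"}
BRAND_TOKENS = ("examplebank",)
KNOWN_PHISHING_HOSTS = {"examplebank-verify.example"}

# Constructed inbound message in the style the article describes: a "call to action"
# link on a look-alike domain, and link text that does not match its target.
SAMPLE_MAIL = """\
From: security@examplebank.example
To: customer@example.org
Subject: Urgent account verification
Content-Type: text/html

<p>Please <a href="http://examplebank-secure.example/login">log in here</a>
to confirm your details.</p>
<p>Or visit <a href="http://198.51.100.7/update">www.examplebank.example</a></p>
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url: str) -> str:
    """Lowercase host component of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def is_lookalike(host: str) -> bool:
    """True when the host carries a protected brand token but is not an institution domain."""
    if host in LEGITIMATE_DOMAINS or any(host.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return False
    return any(token in host for token in BRAND_TOKENS)


def displayed_host(link_text: str) -> str:
    """If the visible link text looks like a URL or a bare domain, return that host; else ''."""
    text = re.sub(r"<[^>]+>", "", link_text).strip()
    if "://" in text:
        return host_of(text)
    if re.fullmatch(r"[\w-]+(\.[\w-]+)+", text):
        return text.lower()
    return ""


def analyze_message(raw: str) -> dict:
    """Inspect every link in the text parts of a message; return findings and a verdict."""
    findings = []
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for href, text in HREF_RE.findall(body):
            host = host_of(href)
            if host in KNOWN_PHISHING_HOSTS:
                findings.append(f"blocklisted host: {host}")
            if is_lookalike(host):
                findings.append(f"look-alike domain: {host}")
            shown = displayed_host(text)
            if shown and shown != host:
                findings.append(f"link text shows {shown} but points to {host}")
    return {"findings": findings, "action": "quarantine" if findings else "deliver"}


if __name__ == "__main__":
    result = analyze_message(SAMPLE_MAIL)
    print(result["action"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run stand-alone it reports the sample message as "quarantine" with two findings: the look-alike domain in the first link and the mismatch between the displayed domain and the real target in the second. A message whose links all stay on the institution's own domains produces no findings and is delivered.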
Consumer best practices:
- Automatically block malicious/fraudulent e-mail: Spam detectors can help keep the consumer from ever opening the suspicious e-mail, but they are not foolproof.
- Automatically detect and delete malicious software: Spyware is often part of a phishing attack, but can be removed by many commercial programs.
- Automatically block outgoing delivery of sensitive information to malicious parties: Even if the consumer cannot visually identify the true Web site that will receive sensitive information, there are software products that can.
- Be suspicious: If you are not sure if an e-mail is legitimate, call the apparent sending institution to verify the authenticity.
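The third consumer practice above, blocking outgoing delivery of sensitive information when the consumer cannot tell which site will actually receive it, can be shown with a check that runs before a form is submitted. The Python below is an added example for this page and is not code from McAfee Research or from any of the products the article refers to. The trusted host list, page URLs and page HTML are constructed (domains under the reserved .example TLD, an address from the documentation IP range), and the form and input regexes stand in for a real HTML parser.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed for this example: hosts the user's own institutions actually use.
TRUSTED_HOSTS = {"www.examplebank.example", "login.examplebank.example"}

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
ACTION_RE = re.compile(r'action\s*=\s*"([^"]*)"', re.I)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
SENSITIVE_NAMES = ("password", "passwd", "pin", "ssn", "cardnumber")

# Constructed pages: a form on a bare-IP site that asks for a password, and the
# institution's own login page with a search form alongside the login form.
PHISH_PAGE_URL = "http://198.51.100.7/secure/"
PHISH_PAGE_HTML = ('<form action="verify.php" method="post">'
                   '<input name="user"><input type="password" name="pass"></form>')
LEGIT_PAGE_URL = "https://www.examplebank.example/login"
LEGIT_PAGE_HTML = ('<form action="/session" method="post">'
                   '<input name="user"><input type="password" name="pw"></form>'
                   '<form action="/search"><input name="q"></form>')


def is_sensitive_input(tag: str) -> bool:
    """A password field, or a field whose name suggests a PIN, SSN or card number."""
    tag = tag.lower()
    if re.search(r'type\s*=\s*"password"', tag):
        return True
    name = re.search(r'name\s*=\s*"([^"]*)"', tag)
    return bool(name) and any(s in name.group(1) for s in SENSITIVE_NAMES)


def form_destination(page_url: str, form_attrs: str) -> str:
    """Resolve the form's action against the page URL; an empty action posts back to the page."""
    match = ACTION_RE.search(form_attrs)
    return urljoin(page_url, match.group(1) if match else "")


def check_forms(page_url: str, html: str) -> list:
    """Decide, per form that collects sensitive data, whether its real destination is trusted."""
    results = []
    for attrs, inner in FORM_RE.findall(html):
        if not any(is_sensitive_input(tag) for tag in INPUT_RE.findall(inner)):
            continue  # nothing sensitive in this form, so nothing to protect
        destination = form_destination(page_url, attrs)
        host = (urlparse(destination).hostname or "").lower()
        if host in TRUSTED_HOSTS:
            decision, reason = "allow", "destination is a known institution host"
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            decision, reason = "block", "destination is a bare IP address"
        else:
            decision, reason = "block", "destination host is not on the trusted list"
        results.append({"destination": destination, "host": host,
                        "decision": decision, "reason": reason})
    return results


if __name__ == "__main__":
    for url, html in ((PHISH_PAGE_URL, PHISH_PAGE_HTML), (LEGIT_PAGE_URL, LEGIT_PAGE_HTML)):
        for r in check_forms(url, html):
            print(f"{r['decision']:5} {r['host']:28} {r['reason']}")
```

The point the check makes is that the form's resolved action, not the address the user sees, determines where the password goes: the relative action on the bare-IP page resolves to that IP and is blocked, the institution's own login form resolves to a trusted host and is allowed, and the search form is ignored because it collects nothing sensitive. A form on a legitimate page whose action points to an untrusted host is likewise blocked.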