Phishing continues to be one of the biggest threats to personal and network security, firmly establishing itself as the most widespread online fraud technique. One recent report indicates that 73 percent of all major U.S.-based financial institutions were victimized by phishing at some point this summer. Banks are not the only targets—research from the nonprofit Anti-Phishing Working Group indicates that general phishing attacks were higher in June of this year than at any point since 2004. Unfortunately, experts say these attacks only will increase.
Those same experts predict phishing attacks will become increasingly sophisticated. Today, these messages are carefully crafted to impersonate known and trustworthy organizations through standard emails. However, down the road the medium will change. For example, beginning in August/September 2006, attacks have come through instant messenger (IM) programs, Short Message Service (SMS) messages—also known as "text" messages—and Voice over Internet Protocol (VoIP).
Among users, phishing could lead to identity theft and fraud. In the corporate environment, one slipup could compromise an entire network.
As phishing continues to escalate, it’s important to educate your users and invest in products to keep your company’s network safe.
Primer on phishing
It’s the semblance of legitimacy that makes phishing so successful. The very word "phishing" comes from the analogy that hackers are using email to "fish" for passwords and financial data from the sea of Internet users. The practice is rooted in a theory called "social engineering," whereby hackers are quite literally trying to engineer user behavior through trickery. Among individual users, succumbing to phishing could lead to identity theft and fraud. In the corporate environment, one simple slipup could compromise an entire network, spark financial fraud, or even lead to industrial espionage.
Most traditional phishing schemes revolve around spoofed email. These messages lead users to counterfeit Web sites designed to trick them into divulging data such as credit card numbers, passwords, and other sensitive corporate information. By hijacking brand names of banks, e-tailers, and other trusted sites, phishers often convince recipients to respond. A related problem, dubbed "pharming," misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.
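The spoofed-email pattern described above (a message whose links lead to a counterfeit site trading on a hijacked brand name) can be screened for with a few link-level heuristics. The following is an added example, not code from the article or from any product it mentions. It extracts the anchors from an HTML email body and flags the classic tells: visible link text that names one domain while the href points at another, a raw IP address in place of a hostname, a protected brand name buried in a hostname whose registrable domain is not the brand's, and the `user@host` trick. The `PROTECTED_BRANDS` table, the sample message and the two-label "registrable domain" shortcut (no public-suffix list) are all constructed assumptions for the demonstration.

```python
"""Heuristic phishing-link screen for an HTML email body (illustrative, added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands the organisation wants to protect, mapped to their genuine
# registrable domain. Constructed for this example.
PROTECTED_BRANDS = {"examplebank": "examplebank.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' registrable domain (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text):
    """Return a list of finding tags for one link; empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    # 1. A bare IP address instead of a hostname is rare for legitimate brand sites.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-address-host")

    # 2. Visible text looks like a URL or domain but the href goes somewhere else.
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append("display-target-mismatch")

    # 3. Brand name appears in the hostname, but the registrable domain is not the brand's.
    for brand, legit in PROTECTED_BRANDS.items():
        if brand in host and registrable_domain(host) != legit:
            findings.append(f"brand-lookalike:{brand}")

    # 4. Userinfo before '@' lets a URL display one name while resolving another host.
    if parsed.username is not None:
        findings.append("userinfo-in-url")

    return findings


def scan_email_html(html):
    """Return [(href, visible_text, findings)] for every anchor in the message body."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


# Constructed sample message: three lures and one genuine link.
SAMPLE = """<p>Your account needs verification.</p>
<a href="http://examplebank.com.login-verify.example/">https://www.examplebank.com/</a>
<a href="http://192.0.2.10/login">Click here</a>
<a href="http://www.examplebank.com@203.0.113.5/">Update now</a>
<a href="https://www.examplebank.com/security">security centre</a>"""

if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE):
        print(f"{href:55} {text!r:35} {findings}")
```

Running the script prints one line per link; only the last, genuine link comes back with an empty finding list. The heuristics deliberately bias toward flagging: a defender reviewing mail-gateway output wants lookalikes surfaced for a human to check, and the brand table is the place to tune what counts as "the real site".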
Sometimes phishing even involves spyware, which downloads keyloggers to steal information directly.
What’s next?
The phishing of tomorrow makes these old-school strategies look like child’s play. SMiShing, or a phishing attack sent via SMS, attacks user cell phones. The message includes a URL which, if clicked, downloads a Trojan that could allow a Web-enabled phone to be controlled by hackers. There also have been reports of similar attacks on IM services such as Yahoo! and America Online—when users click a message about the validity of their accounts, they inadvertently download keyloggers that could track anything they type moving forward.
Perhaps the most nefarious development is "vishing," which uses VoIP instead of a misdirected link to steal information. In this form of phishing, users receive automated phone calls informing them of a problem with their credit card. The first call implores users to dial a separate number and enter their credit card information to fix the problem. The second number dials into software that can recognize telephone keystrokes. Many times vishing even plants spyware on user machines. Considering how many businesses are turning to VoIP these days, the danger has the potential to become an epidemic.
Staying safe
Still, help is available to minimize the impact of phishing on your network security. Simple products such as anti-spam and anti-spyware software are a good first defense. Second, particularly if your network hosts remote users, a clientless security product will identify keystroke loggers and block them if any exist on visiting machines. Integrity Clientless Security from Check Point Software Technologies meets this need. The product also neutralizes malicious code by delivering a Secure Workspace that encrypts connected sessions and wipes cached information when users log off.
Of course, the best defense against phishing is education. It’s important to teach users about the dangers of phishing—and the different forms phishing can take. Tell them what to look for in emails and instant messages, and to always be skeptical of notes that request them to go to an outside site. Instruct them how to respond if they suspect they are being tricked into divulging data. Create a phishing policy to formalize this strategy. Most important, remind users never to give out information that is sensitive to them personally or to the company as a whole. Phishing, like fishing, is useless if nothing bites.