One way to hook a fish is to use a lure so realistic that the fish thinks it’s food. Phishing on the Web works the same way. Thieves send an email message or instant message that appears to come from a reputable company. It capitalizes on your employees’ (or customers’) trust of a respected brand by enticing them to click a link. Clicking the link may take them to an equally convincing (and equally fake) Web page or pop-up window that’s been set up to imitate the legitimate business, or they could be prompted to call a customer support number. Either way, they’re asked to divulge sensitive personal information such as Social Security numbers, bank account or credit card numbers, passwords, or personal identification numbers (PINs) that can be used to access their accounts or steal their identity.
But clicking on the link can also plant spyware that can track every keystroke and steal sensitive information as it is typed. These “keystroke loggers” can watch for visits to banking, email, and other online accounts and send passwords and account numbers to the crook.
Tip: Keep up with phishers’ tricks. For the latest phishing schemes and statistics, visit the Anti-Phishing Working Group, an association dedicated to eliminating online fraud and identity theft.
How Phishing Can Hurt Your Business
Many small-business owners believe that they don’t need to worry much about security. While it’s true that small businesses are not targeted directly as often as larger ones, they do end up as part of larger attacks, such as campaigns to harvest credit card numbers. And as security tightens at larger companies, small-business networks look increasingly tempting. Also, it’s not safe to assume that all attacks come from the outside. Obviously any employees who get hooked by a phisher put their own finances, credit, and even their identities at risk. But if thieves use an employee’s compromised computer as a foothold into the company network, they could steal proprietary information such as customer and mailing lists, trade secrets, or other intellectual assets. Theft of your customers’ confidential information could have a disastrous effect on your company and could damage the trust your customers place in it and its good name.
Avoiding a Phisher’s Hook
Given the potential for damage, it makes sense to take defensive action and do what you can to protect your company from a phishing assault. Here are four ways you can help protect your company.
1. Make sure the defenses of company computers are strong and up to date.
You wouldn’t leave your building unlocked at night; take the same kind of precautions with the security of company information. Luckily, securing your business is easier than you might think.
Lay the protective groundwork for a more secure network.
Protect your network and all the PCs on it with an Internet firewall. This is software or hardware (often integrated into the router or DSL or cable modem supplied by your ISP) that creates a protective barrier between your network and the Internet and can block potential intruders from gaining access.
Install antivirus software on all the computers on your network.
Keep your software up to date. It’s not enough to protect your system once. The pages that phishing links lead to often try to exploit unpatched vulnerabilities in the browser or operating system; phishers count on you not having applied the latest security updates.
Regularly download the latest antispyware and antivirus updates. Most programs can be set to scan your system automatically.
Keep Microsoft Windows and Microsoft Office current. Visit Microsoft Update to get the latest high-priority updates for Windows, Office, and other Microsoft programs.
2. Reduce your exposure to phishing.
Start by using filtering technologies to screen phishing email messages before they reach your employees. For example, if you use Outlook 2003, you automatically get the advantages of Microsoft SmartScreen Technology without any additional cost. Install a pop-up blocker such as the MSN Pop-up Guard or the one that comes with Windows XP Service Pack 2. With a pop-up blocker, your employees may never even see many of the pop-up windows that might be tied to a phishing attempt.
Tip: Internet Explorer 7 will include Microsoft Phishing Filter, a feature designed to help detect phony phishing Web sites.
3. Don’t act like a phisher.
Make sure that email messages you send to customers don’t inadvertently look like phishing by using the same methods phishers use: asking for personal information, sending clickable links to login pages, or creating a sense of urgency so the recipient responds without thinking. If your own mail does these things, your customers learn to trust exactly the kind of message a phisher sends.
4. Educate your employees about phishing.
It’s often extremely difficult even for experts to distinguish between a slick scam and an authentic email message. You can learn to spot some warning signs of phishing, but the best protection is vigilance—and taking the following precautions.
Provide phishing education. To teach your employees about phishing, have them start with a test of their phishing IQ and suggest they check out how realistic a phishing scam can be. Then print the MSN brochure (PDF) How to Protect Yourself from Spam Scams for advice that includes what to do if you’ve been taken by a phisher.
Create a company policy on Internet use. Your company Internet policy should outline responsible use of the Internet. It should include information on when employees can browse the Web for personal use and should spell out what Web activity is not allowed.
Never give personal information in an email message, instant message, or pop-up window. Most businesses will not use these methods to ask for confidential information. Be wary of clicking any link in an email message, instant message, or pop-up window that asks for personal information. Doing so could take you to a phony Web site where any information you provide may be sent to a scam artist.
Suggest that employees who are unsure whether an email message is legitimate call the phone number listed on the company’s statement or in the phone book. To visit the Web site, type the address into the Address bar or use a Favorites bookmark.
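As an added example (not part of the original article, and not the SmartScreen or Phishing Filter technology it mentions), here is a small Python screen that applies the warning signs from sections 2 and 4 to an HTML message: link text that names one site while the link itself points somewhere else, links to a raw IP address, hosts that embed a trusted brand name under some other domain, and urgency phrases. The trusted domain contoso.com, the phrase list, and both sample messages are constructed assumptions; a real filter would replace the two-label domain check with a public-suffix list.

```python
"""Heuristic phishing screen for an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand the message claims to come from; substitute your own domains.
TRUSTED_DOMAINS = {"contoso.com"}
# Pressure phrases of the kind the article warns about (assumed list).
URGENCY_PHRASES = ("verify your account", "within 24 hours", "suspended", "immediately")

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# A host name written inside the visible link text, e.g. "www.contoso.com/secure".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Last two labels of a host; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def screen_message(html_body, trusted=TRUSTED_DOMAINS):
    """Return (code, detail) findings for a message; an empty list means no warning signs."""
    findings = []
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # mailto:, relative links, etc.
        if IPV4.fullmatch(host):
            findings.append(("raw_ip", href))
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append(("text_href_mismatch", f"{shown.group(1)} -> {host}"))
        if registered_domain(host) not in trusted:
            # contoso.com.evil.example or secure-contoso.example: brand name, wrong domain
            if any(brand.split(".")[0] in host for brand in trusted):
                findings.append(("lookalike_host", host))
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in plain:
            findings.append(("urgency", phrase))
    return findings


# Constructed sample messages, not real mail.
SAMPLE_PHISH = """<p>Dear customer, your Contoso account will be suspended within 24 hours.</p>
<p>Please <a href="http://contoso.com.account-verify.example/login">verify your account</a>
or sign in at <a href="http://192.0.2.10/contoso">https://www.contoso.com/secure</a>.</p>"""

SAMPLE_LEGIT = """<p>Your statement is ready. Sign in at
<a href="https://www.contoso.com/statements">www.contoso.com</a> to view it.</p>"""

if __name__ == "__main__":
    for code, detail in screen_message(SAMPLE_PHISH):
        print(f"{code:20s} {detail}")
    print("legitimate sample findings:", screen_message(SAMPLE_LEGIT))
```

The mismatch check is the one employees can apply by hand: hover over a link and compare the address shown in the status bar with the text of the link. The other checks are cheap to run on a mail gateway, but none of them prove a message is safe; a clean result only means the crude signs are absent, which is why the article's advice to type the address yourself still stands.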