
Security Consulting
Steps must be taken by organizations to help validate customer communications. As a way of identifying potential phishing attacks, your organization should clearly state how it communicates electronically. Your organization should publish and follow a corporate communication policy that states:
email addresses used in customer correspondence
types of information that are emailed to customers
listing of approved third party vendors / partners
all web site domains owned by your organization
all web site domains used by your organization
privacy policy

Providing an online corporate communication policy helps your customers better recognize online fraud. In addition, it reduces the email and telephone support load within your organization.

 

Anti-phishing techniques through communications

A company that provides online services should implement intelligent anti-phishing techniques through its website and email communications. The company should have internal standards and inform you exactly how it does business and communicates online. The company should also continue to educate you about online safety and take an active role in protecting you from Internet fraud.

 

Improve Customer Communication
A company should provide information about how it communicates with you and keeps your information safe. For instance, a posting similar to the following will help you identify phishing emails sent in the company's name: "MyBank will never initiate a request for sensitive information from you via email (i.e., Social Security Number, Personal ID, Password, PIN or account number). If you receive an email that requests this type of sensitive information, you should be suspicious of it. We strongly suggest that you do not share your Personal ID, Password, PIN or account number with anyone, under any circumstances. If you suspect that you have received a fraudulent email, or wish to validate an official email from MyBank, please visit our anti-phishing page."

 

An organization should take these steps when communicating with you online:
Remind you repeatedly. This can be achieved with small notifications on critical login pages about how the organization communicates with its customers. Customers reaching the page should be prompted to think about the legitimacy of the email (or other communication) that brought them to the page.

 

Provide a reporting resource
An organization should have an easy method for you to report phishing scams or other possibly fraudulent emails sent in the organization's name. This can be achieved by providing clear links on key authentication and help pages that let you report a possible phishing scam, and that also offer advice on recognizing a scam. Importantly, the organization must invest sufficient resources to review these submissions and must be capable of working with law enforcement agencies and ISPs to stop an attack in progress.

 

Verify Website
An organization should provide advice on how to verify the integrity of the website you are using. This can include checking the site's security certificate, knowing which web site URLs the company uses, and so on.

 

Establish corporate communication policies and enforce them
An organization must create corporate policies for email content so that legitimate emails cannot be confused with phishing attacks. Ensure that the departments likely to communicate with customers clearly understand the policy, and take steps to enforce it (e.g. perimeter content checking systems, review by QA teams, etc.). To be effective, organizations must ensure that they are sending a clear, concise and consistent message to their customers.

 

Fast response
A company must act quickly when an Internet fraud scam strikes. It is important that you understand when a threat is real and exactly how the organization is working to protect you against the attack.

 

Validate Official Communications
Steps can be taken by an organization to help secure customer communications and identify potential phishing attacks. There are a number of basic techniques an organization can implement to safeguard communications that are appropriate to customers of every level of technical ability.

 

Web Site Names and Linking Conventions
A growing number of phishing attacks make use of the confusion caused by organizations using complex naming of host services (e.g. fully qualified domain names) and undecipherable URLs. Most customers are non-technical and are easily overwhelmed by the long and complex information presented in "follow this link" URLs. A simplified naming convention makes it much easier for you to spot fraudulent links and understand their destination. Organizations can explain quite simply how their naming convention works, and provide valuable advice on identifying and reporting malicious links.
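One way an organization can tie the naming convention above to the perimeter content checking mentioned under enforcing policies is to review every outgoing customer email against the list of owned and used domains published in its corporate communication policy, and reject any draft whose links point elsewhere. The Python below is an added example, not code from this page or any product it describes; POLICY_DOMAINS, the sample draft and the https-only rule are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Hypothetical policy: the domains the organization publishes as "owned" and
# "used" in its corporate communication policy (constructed for this example).
POLICY_DOMAINS = {"mybank.example", "mybank-statements.example"}

# Simple link extractor for plain-text drafts; stops at whitespace or quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches_policy(url, policy_domains=POLICY_DOMAINS):
    """True only if the link is https and its host is a policy domain or a
    subdomain of one. urlsplit().hostname discards userinfo ("user@") and the
    port and lowercases the name, so a link such as
    https://mybank.example@evil.example/ is judged by evil.example, not by the
    text a reader sees first."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 literal): never acceptable
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme.lower() != "https" or not host:
        return False  # assumed policy rule: customer links are https only
    return any(host == d or host.endswith("." + d) for d in policy_domains)


def check_email_links(body, policy_domains=POLICY_DOMAINS):
    """Return every link in an outgoing draft that violates the policy."""
    return [u for u in URL_RE.findall(body)
            if not host_matches_policy(u, policy_domains)]


# Constructed sample draft of the kind a perimeter check would review.
SAMPLE_DRAFT = """Dear customer,
Review your statement at https://www.mybank.example/statements .
Questions? See https://help.mybank-statements.example/faq
(stale template line) http://mybank.example/login
(vendor link never added to the policy) https://mybank.example.evil.example/verify
"""

if __name__ == "__main__":
    for bad in check_email_links(SAMPLE_DRAFT):
        print("policy violation:", bad)
```

A draft with any violation would be held for review rather than sent, which keeps the organization's own mail consistent with the convention it asks customers to rely on.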

 

© Copyright 1994 - 2007. All rights reserved. 1-800-815-8245