As defined by Wikipedia, phishing is a form of social engineering in which spies use a collection of techniques to manipulate people into releasing information (such as passwords) or performing actions that compromise confidential data, such as clicking on a link that enables someone else to remotely control a machine. In fact, the SANS Institute identifies phishing as one of the biggest Internet security risks.
For example, a spy might call the help desk from a pay-as-you-go mobile phone, claim to be working at home and request that a new username and password be sent as a text message to his phone. And some spies employ what the SANS Institute calls "spear phishing," in which they send individual employees highly targeted e-mail messages that include specific information designed to make the messages look genuine. For instance, a request for usernames and passwords might appear to be from the head of human resources.
How to stop them: Wood suggests training staffers to be cautious and giving them tips on how to detect social engineering. For instance, he says, they should withhold information when callers act rushed, drop names, use intimidation, ask odd questions, or request forbidden information. There should also be clear policies as to how to report an incident and to whom.
The SANS Institute says it's important to continually raise employee awareness of these techniques, perhaps through drills that involve mock phishing attempts. Companies should also avoid exposing too much information on public Web sites, including logos and employee e-mail addresses.
Computerworld is an InfoWorld affiliate.