When asked how best to combat phishing, experts are quick to cite user education. “It’s easy to dismiss user education as an exercise in futility, but we hear only about the failures,” says security consultant Robert Ferrell.
The consensus is that warning about the evils of phishing won’t be enough. Security experts are urging businesses not to include clickable URLs in e-mail sent to customers.
“Adopt a policy of no embedded links, and make certain your customers are aware of this policy,” Ferrell says. “Bottom line: Let users come to you. Tell them where you are, but don’t send a car to pick them up.”
Many companies are doing just that by corresponding through private message centers. eBay provides all users an inbox called My Messages housed on the company’s Web site. This works only if customers revisit your site often and you don’t stuff their message centers with unsolicited offers; a message center nobody checks just pushes customers back to e-mail, where the phishers are waiting.
EarthLink and Comcast clearly spell out in customer e-mail — as well as on their sites — the types of information their technical support or accounting representatives will ask for, and they specify the channels through which such requests will be made. For example, EarthLink representatives may ask users for the last four digits of their Social Security number over the telephone or online before launching a live tech-support session — but never by e-mail.
For the long term, enterprises will need to agree on and deploy a universal, easy way to authenticate legitimate e-mail. A trusted sender certificate that works with S/MIME, which is supported by most e-mail programs, could help to assure recipients that the e-mail they receive is legitimate and validated by an independent certificate authority. The caveat is that a signature protects only the customers whose mail client verifies it and who notice when it is missing; a phisher’s unsigned message from a look-alike address still reaches the inbox.
But eventually phishers are likely to find a way to subvert the S/MIME certificate mechanism, just as they’ve managed to spoof other security certificates and the once-sacred padlock icon. According to experts, the ultimate answer to phishing is a global authentication standard that verifies that an e-mail has indeed been sent from its stated domain (the role that SPF and DKIM records have since come to fill). They recommend that this e-mail “caller ID” be combined with strong authentication tools that integrate with Web browsers and alert users when they land on a spoofed Web site.
Meanwhile, IT should monitor attempts to register domain names that resemble legitimate corporate URLs. A common phishing trick involves setting up domains such as “paypaI.com.” (Look at that URL closely. Did you spot the spoof? If not, the lowercase L is actually an uppercase i.) Note that DNS names are case-insensitive, so what actually gets registered is paypai.com; the deception is entirely in how the name renders in a sans-serif font, which is why monitoring has to compare how names look, not just how they are spelled. The same goes for digit-for-letter swaps (paypa1.com), doubled or dropped letters, brand names buried in longer hostnames (paypal-secure-login.net) and internationalized domain names that use Cyrillic look-alike letters. Cyveillance is one company that will monitor attempts to register domain names that are too close for comfort.
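The kind of look-alike check a monitoring service runs over new registrations, as an added example for this article (not code from Cyveillance or any other company named here). It collapses each candidate domain to a visual skeleton so that paypaI.com, paypa1.com and a Cyrillic-a IDN all compare equal to the brand, then falls back to a one-edit typo check and a brand-in-name check. The brand label, the confusable table, the thresholds and the registration feed are all assumptions constructed for the example; a real feed would come from a zone-file diff, certificate-transparency logs or a vendor.

```python
"""Flag newly registered domains that look like a protected brand's domain.

Added example for this article, not code from any company it names. The
registration feed, brand label and thresholds below are constructed.
"""
import unicodedata

BRAND = "paypal"  # assumed protected second-level label

# Characters that render like another letter in common sans-serif fonts.
# DNS is case-insensitive, so "paypaI.com" is registered and resolved as
# "paypai.com": the deception is purely visual. Cyrillic letters are written
# as escapes so that this file itself is not a homoglyph trap.
CONFUSABLE = {
    "1": "l", "i": "l",
    "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                  # Cyrillic c y x
}
# Two-character sequences that render like a single letter.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Reduce a label to a visual skeleton so that look-alikes compare equal."""
    text = unicodedata.normalize("NFKC", label).lower()
    for pair, single in CONFUSABLE_PAIRS.items():
        text = text.replace(pair, single)
    return "".join(CONFUSABLE.get(ch, ch) for ch in text if ch != "-")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND):
    """Return why a domain resembles the brand, or None if it does not.

    Assumes the brand sits directly under a one-label public suffix
    (paypal.com); for co.uk-style suffixes consult the Public Suffix List.
    """
    host = domain.strip().lower().rstrip(".")
    idn = False
    if "xn--" in host:  # punycode: compare the Unicode form, not the ASCII form
        try:
            host = host.encode("ascii").decode("idna")
            idn = True
        except UnicodeError:
            pass
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if sld == brand:
        return None  # the genuine domain or one of its own subdomains
    b, s = skeleton(brand), skeleton(sld)
    if s == b:
        return "homoglyph (IDN)" if idn else "homoglyph"
    if edit_distance(s, b) <= 1:
        return "typo"
    if b in skeleton("".join(labels[:-1])):
        return "brand-in-name"  # paypal-secure-login.net, paypal.com.evil-host.net
    return None


def scan(domains, brand: str = BRAND):
    """Run classify over a feed and return the flagged (domain, reason) pairs."""
    hits = []
    for d in domains:
        reason = classify(d, brand)
        if reason:
            hits.append((d, reason))
    return hits


# Constructed feed of "new registrations", including the article's paypaI.com
# and an IDN spelled with a Cyrillic a (encoded here so the punycode is correct).
IDN_SAMPLE = "p\u0430ypal.com".encode("idna").decode("ascii")
NEW_REGISTRATIONS = [
    "paypaI.com",                 # uppercase i for l, the article's example
    "paypa1.com",
    "pavpal.com",
    "paypall.com",
    "paypal-secure-login.net",
    "paypal.com.evil-host.net",
    IDN_SAMPLE,
    "login.paypal.com",           # genuine subdomain, must not be flagged
    "weather.example",
]

if __name__ == "__main__":
    for domain, reason in scan(NEW_REGISTRATIONS):
        print(f"{domain:32} {reason}")
```

The skeleton step is what catches the article's example: lowercasing alone turns paypaI.com into paypai.com, and only the i-to-l collapse makes it equal to the brand. The one-edit threshold is deliberately tight; widening it catches more typosquats at the cost of flagging unrelated six-letter names, so in practice the typo and brand-in-name hits go to a human while skeleton matches can be acted on automatically.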