TRUSTe White Paper - How Not To Look Like a Phish

Phishing is the criminal act of posing as a legitimate business via digital communications to extract information such as social security numbers, credit card numbers and banking account numbers. Businesses absorb more than 90 percent of phishing attack costs as consumers lose faith in Internet-based communication. TRUSTe, the leading online privacy organization, and Ernst & Young, a global leader in professional services, provide guidelines and examples to help businesses maintain safer, reassuring digital communications with customers to minimize the risks associated with phishing attacks. Businesses have a role to play in rebuilding the public’s trust in online communication channels through best practices including eliminating pop-ups, instant message and e-mail as tools for collecting information and removing cross-site scripting from a company’s Web site.


Document Transcript

April 11, 2005
www.truste.org

How Not to Look Like a Phish
Tips to Help Your Organization Minimize False Positives

Summary

Phishing is the criminal act of posing as a legitimate business via digital communications to extract information such as social security numbers, credit card numbers and banking account numbers. Businesses absorb more than 90 percent of phishing attack costs as consumers lose faith in Internet-based communication. TRUSTe, the leading online privacy non-profit organization, and Ernst & Young, a global leader in professional services, provide guidelines and examples to help businesses maintain safer, reassuring digital communications with customers to minimize the risks associated with phishing attacks. Businesses have a role to play in rebuilding the public’s trust in online communication channels through best practices including eliminating pop-ups, instant message and e-mail as tools for collecting information and removing cross-site scripting from a company’s Web site.
Whitepaper – How Not to Look Like a Phish
www.truste.org

THE PHISHING EPIDEMIC IS WORSENING

Phishing is an online identity theft technique used to lure consumers into disclosing their personally identifiable information, including Social Security numbers (SSN), account names and passwords, and credit card information. Oftentimes customers are sent emails, pop-ups, and instant messages that mimic legitimate corporate communications. These communications prompt the user to visit fraudulent websites created to gather their personal information. Financial institutions, ISPs, and online retailers are most susceptible to having their brand spoofed in phishing attempts. In fact, the most trusted brands are often the most susceptible to being hijacked. In the end, consumers are lured in by these seemingly legitimate communications into providing sensitive information, often resulting in credit card fraud, identity theft, and even financial loss.

Consumers are not the only stakeholders affected by phishing and identity theft. While consumers bear large emotional costs as victims of identity theft, businesses bear significant financial burdens. The FTC reported in 2003 that identity theft had cost Americans approximately $53 billion the year before. It was estimated that consumers absorbed $5 billion of the cost, whereas businesses absorbed a whopping $48 billion of the cost. This number, while significant, fails to account for the impact that customer dissatisfaction, a loss of brand equity, and wasted resources have on the organizations most negatively affected by phishing incidents.

The phishing epidemic is worsening. Con artists and thieves are becoming more cunning in the way they construct emails and are discovering new techniques to carry out their schemes. Consumers are being fed information from the government, industry working groups, individual organizations, and the media about the dangers of phishing attempts. As a result, online consumers are growing more skeptical about email and want to see action taken to combat this problem.

CONSUMERS WANT ACTION

According to an online consumer study conducted by TRUSTe and the Ponemon Institute, 64% of respondents believe it is unacceptable for organizations to do nothing about spoofing and phishing, and 76% say organizations should be required to educate their customers. Industry anti-phishing groups are surfacing and legislation is being crafted to combat online fraud. But how are organizations preparing to protect themselves and their resources? Consumers are being armed with information to both avoid and report phishing attempts, but what information is available to organizations?

PROTECT YOUR BRAND AND TAKE CONTROL

The threat of phishing and identity theft is widespread, and the grim reality is that this problem affects all organizations. Organizations may feel helpless that their brands are being hijacked and the problem is beyond their control. However, there are certain measures organizations can take to control a potential phishing problem. As organizations become more familiar with the techniques of phishers, it is important that they adopt new technologies and evaluate their current technologies. It is equally important that organizations effectively communicate the dangers of phishing with staff, within the industry, and with consumers.

TRUSTe and Ernst & Young have created the following recommendations to help guide behavior in an organization’s communications and websites in order to minimize false positives and build consumer confidence. In the end, this guide will help you avoid looking like a phish.
TECHNOLOGY

Tip / Rationale: What a Phish Looks Like

MESSAGE

Tip: Don’t get your customers in the habit of responding to messages in the same ways that they receive phishing messages.
Reasoning: If customers are not used to responding to messages from your organization by email, pop up, or instant message, they are more likely to be skeptical of spoofed communications.
Example: You have sent a customer a package and their shipping information is incorrect. The information needs to be updated immediately so that the package is delivered on time and to the correct location. Instead of sending an email or instant message requesting the user to reply with his/her personal information, get customers in the habit of going directly to your website.

Tip: Don’t request personal information from customers directly from an email hyperlink.
Reasoning: If customers are not used to providing personal information via email, pop up, or instant message, they are less likely to provide personal information to spoofed communications.
Example: Never send emails asking customers to supply, verify, or update personal or account information. Especially stay away from requests pertaining to passwords, SSNs, PINs, and account numbers.

DELIVERY

Tip: Don’t use “click here” hyperlinks.
Reasoning: Obscure “click here” hyperlinks are common in spoofed messages. No hyperlinks should be distributed to the customer, since the hyperlinked text can appear different than the link the user is taken to after clicking. Get your customers in the habit of clicking on the visible URL or going to your website directly.
Example: Direct customers to your website (www.yourcompany.com) versus providing a link to click (“click here”).

Tip: Do personalize email when possible.
Reasoning: You know your customers’ names. Use them. Sending emails with personalized information helps users identify legitimate versus spoofed email. More personalized communications will allow consumers to recognize you as a legitimate sender.
Example: Use “Dear James,” or “Dear James Smith” versus “Dear Sir or Madam,” or “Greetings”.
TECHNOLOGY (CONT.)

Tip / Rationale: What a Phish Looks Like

DELIVERY (CONT.)

Tip: Don’t link to third party sites from your email messages.
Reasoning: Don’t let your customers get in the habit of clicking through to someone else’s domain to do business with you. Use your own domain whenever possible. Pay special attention to the URLs used by your email vendors on your behalf.
Example: Instead of using third-party or proxy links like http://www.deliveryspecialist.com?redirect=www.yourdomain.com, use links directly to your domain.

Tip: Don’t redirect from the URL provided to another domain.
Reasoning: Phishers use redirects to make it seem that links click through to legitimate websites. If you need to track the performance of an email campaign, try to use other techniques so consumers see clear URLs.

Tip: Don’t use long URLs or complex links.
Reasoning: Many spoofed emails use long, complex links and URLs. Clean links are ideal. Keep links simple.
Example: Avoid links like http://www.yourdomain.com?fr=453&spid=FD234&h=2. Track reference information using cookies, or with simple reference codes: http://www.yourdomain.com?ref=325281

WEBSITES

Tip: Do use clean and crisp domain naming strategies.
Reasoning: Complex domain names and website URLs only confuse. Use clear naming for domains and websites.
Example: Use www.yourcompany.com/freepromotion.com versus www.x3429yourcomany.com/1jdif/promotion

Tip: Do get customers used to entering your site through the home page on your main domain before going to special or uniquely-named domains.
Reasoning: Customers in the habit of going to strangely named web sites are more likely to fall for spoofed sites. Foster safe habits with your use of domain and site names.
Example: You are offering a special promotion with ABC company and want customers to go to the ABC website (www.abc.com). Instead of directing customers to ABC company’s website, direct them to your web site first (www.yourdomain.com) and add an ABC company link to your website (www.yourdomain.com/abc). This gets customers in the habit of going to your website.
TECHNOLOGY (CONT.)

Tip / Rationale: What a Phish Looks Like

WEBSITES (CONT.)

Tip: Don’t direct customers to websites by IP address.
Reasoning: Some phishing attacks try to get around the domain naming challenge by simply linking to a server by its IP address. Always use fully-qualified domains and site names.
Example: Always identify your webservers using their domain names – not IP addresses. Use http://www.yourdomain.com; avoid http://66.55.44.21.

Tip: Don’t open new browser windows with limited functionality.
Reasoning: Customers should be afforded the confidence that new browser windows are authentic too. When your site spawns a new window, make sure that the browser address bar and navigational buttons are provided.
Example: Use pop up windows with address bars, clear URLs, and navigational elements like back bars.

Tip: Don’t rely on pop-up windows for data collection, especially those with no address bar or navigational elements.
Reasoning: Some scams pop up fraudulent windows over legitimate websites to lend the pop-ups credibility. Use windows with address bars, clear URLs, and navigational elements like back buttons.

Tip: Don’t use instant messaging or chat with your customers unless they initiate the communication.
Reasoning: Give your customers every opportunity to feel confident they are dealing with an authentic operation.
Example: Your sales team wants to upsell new products to current customers. Do not initiate instant message communications with customers, as this is a mode of communication frequently used by phishers. Only allow customers to initiate the instant message communication.

PROTECTION

Tip: Don’t let cyber-squatters stake a claim.
Reasoning: Pursue cyber-squatters, including those who exploit loop-holes in the International Domain Name support features. Make sure that look-alike domain names aren’t used for fraudulent purposes.
Example: Conduct periodic domain name searches to assess whether the company’s brand is being exploited. Also consider 3rd party internet brand protection services or tools which can gather this information for all relevant company-related trademarked or copyrighted names or slogans.
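The delivery and website rules above (no “click here” text, no third-party or redirecting links, no long query strings, no IP-address hosts, visible URL text that matches the real target) can be checked mechanically against your own outbound email templates before they are sent. The following is an added example, not code from the TRUSTe/Ernst & Young paper; OUR_DOMAIN, the VAGUE_TEXT list and the heuristics are assumptions, and the sample URLs are the paper’s own.

```python
"""Lint the links in an outbound HTML email against the paper's delivery rules.
Constructed example: OUR_DOMAIN, VAGUE_TEXT and the heuristics are assumptions."""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

OUR_DOMAIN = "yourdomain.com"  # assumed: the sending organisation's own domain
VAGUE_TEXT = {"click here", "here", "login", "update now"}  # assumed list
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def _bare(host):
    """Drop a leading 'www.' so visible text and href compare fairly."""
    return host[4:] if host.startswith("www.") else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_link(href, text):
    """Return the list of rule violations for one <a href=HREF>TEXT</a>."""
    problems = []
    text = text.strip().lower()
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()
    if text in VAGUE_TEXT:
        problems.append("vague anchor text")        # "click here" links
    if _is_ip(host):
        problems.append("IP-address host")          # http://66.55.44.21
    if host != OUR_DOMAIN and not host.endswith("." + OUR_DOMAIN):
        problems.append("third-party host")         # vendor/proxy domains
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(re.search(r"https?://|www\.|\.[a-z]{2,}", v.lower()) for _, v in params):
        problems.append("redirect parameter")       # ?redirect=www.yourdomain.com
    if len(params) > 1:
        problems.append("complex query string")     # ?fr=453&spid=FD234&h=2
    # Visible text that looks like a URL must name the host it really goes to.
    m = re.match(r"(?:https?://)?([\w.-]+)", text)
    if m and "." in m.group(1) and _bare(m.group(1)) != _bare(host):
        problems.append("visible URL differs from target")
    return problems


def lint_email(html):
    """Map every href in a template to its violations (empty list = clean).
    Template anchors are matched with a simple regex, enough for your own mail."""
    return {href: lint_link(href, re.sub(r"<[^>]+>", "", text))
            for href, text in ANCHOR_RE.findall(html)}
```

Run `lint_email` over each template in the campaign and block sending while any href maps to a non-empty list.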
TECHNOLOGY (CONT.)

Tip / Rationale: What a Phish Looks Like

PROTECTION (CONT.)

Tip: Do protect your own web sites and applications from security threats and vulnerabilities, such as cross-site scripting, that can allow a scammer to hijack elements of your site.
Reasoning: Cross-site scripting has been a common hacker attack method for years. It is now being used by phishers to make your site become part of the attack. Regularly assess your site security to prevent such exploits from abetting a scam.
Example: Contact a network security consultant, a vulnerability scanning service, or purchase vulnerability scanning software.

Tip: Do authenticate yourself.
Reasoning: When possible, use digital certificates to allow visitors to authenticate your site. This is especially true when asking for financial or personally identifiable information.
Example: Use secure links for all login and data collection pages: https://www.yourdomain.com/register.html

MESSAGING

Tip / Rationale: What a Phish Looks Like

MESSAGING

Tip: Do proofread and spell-check all communications.
Reasoning: Phishing scams are often riddled with misspellings and other grammatical errors. Most commercial grade communications go through quality checks. Make sure yours do as well. Remember to proof and spell-check all communications.
Example: A phish often reads like “Dear Sir: Pleese update your banc informasion.” Customers are looking for spelling errors.

Tip: Do be explicit with “warning” and “immediate action required” communications.
Reasoning: Spoofers frequently send emails with “Warning” or “Immediate Action Required” messages, and consumers are wary of responding to these messages. Be sensitive and specific in your request and always redirect the individual back to your website.
Example: Never send an email with an urgent, threatening, or time-sensitive tone such as: “Update your password immediately or your account will be deleted.”

Tip: Do use clear branding.
Reasoning: Although some phishers can copy company branding perfectly, others struggle with more pedestrian branding such as purloined logos. Use your branding consistently so customers know what to look for when receiving communication from your organization.
Example: Use consistent branding.
OUTREACH

Tip / Rationale: What a Phish Looks Like

METHOD

Tip: Do educate your customers and encourage users to submit suspicious communications.
Reasoning: Since you have focused time and resources on fighting phishing, let your customers know. Communicate your practices and provide information about identity theft and spoofing. Tell them you will never ask for their personal information via email. Provide links on your website for customers to access this type of information. In addition, encourage customers to report suspicious emails to your organization.

Tip: Do have a communication plan in place to combat phishing.
Reasoning: Your communication plan should include an internal and external reporting process, employee education, and organizational awareness. You should be in communication with the employees and customers. In addition, contact the Federal Trade Commission at spam@uce.gov (when forwarding spoofed messages, always include the entire original email with its original header information intact), the Internet Fraud Complaint Center of the FBI at http://www.ifccfbi.gov, the Anti-Phishing Working Group at reportphishing@antiphishing.org, and the Phish Report Network at http://www.phishreport.net.

Tip: Do communicate across all divisions of your organization.
Reasoning: Keep the line of communication open between all of your divisions and business units.

Tip: Do communicate across the industry.
Reasoning: You are not alone in your struggles. Reach out to others in the industry to help combat this problem. Contact the Anti-Phishing Working Group to find other industry experts working to fight phishing and identity theft.
About TRUSTe

TRUSTe, the online privacy leader, is an independent, nonprofit organization dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world. TRUSTe operates the world’s largest Web site privacy seal program, providing standards and dispute resolution for more than 1,300 Web sites. Since 1997, TRUSTe has conducted more than 7,000 Web site privacy policy certifications. Informed by extensive consumer attitude research, TRUSTe provides industry with pragmatic and respectful policy guidance for Web site practices, wireless privacy, email privacy and data security. For more information, visit www.truste.org.

About Ernst & Young

Ernst & Young, a global leader in professional services, is committed to restoring the public’s trust in professional services firms and in the quality of financial reporting. Its 100,000 people in 140 countries around the globe pursue the highest levels of integrity, quality, and professionalism to provide clients with solutions based on financial, transactional, compliance, and risk-management knowledge in Ernst & Young’s core services of Audit, Tax, and Transaction Advisory Services. Ernst & Young practices provide privacy and security services to clients globally. More information about these services can be found at www.ey.com/privacy and www.ey.com/security. Ernst & Young refers to all the members of the global Ernst & Young organization.

TRUSTe
685 Market Street, Suite 560
San Francisco, CA 94105
www.truste.org

Ernst & Young
Technology & Security Risk Services
8484 Westpark Drive
McLean, VA 22102 USA
www.truste.org

© 2005 TRUSTe. All Rights Reserved.