April 11, 2005
www.truste.org
How Not to Look Like a Phish
Tips to Help Your Organization Minimize False Positives




Summary

Phishing is the criminal act of posing as a legitimate business via digital communications to extract information such as social security numbers, credit card numbers and banking account numbers. Businesses absorb more than 90 percent of phishing attack costs as consumers lose faith in Internet-based communication. TRUSTe, the leading online privacy non-profit organization, and Ernst & Young, a global leader in professional services, provide guidelines and examples to help businesses maintain safer, reassuring digital communications with customers to minimize the risks associated with phishing attacks. Businesses have a role to play in rebuilding the public’s trust in online communication channels through best practices including eliminating pop-ups, instant message and e-mail as tools for collecting information and removing cross-site scripting from a company’s Web site.
Whitepaper – How Not to Look Like a Phish

THE PHISHING EPIDEMIC IS WORSENING

Phishing is an online identity theft technique used to lure consumers into disclosing their personally identifiable information, including Social Security numbers (SSN), account names and passwords, and credit card information. Oftentimes customers are sent emails, pop-ups, and instant messages that mimic legitimate corporate communications. These communications prompt the user to visit fraudulent websites created to gather their personal information. Financial institutions, ISPs, and online retailers are most susceptible to having their brand spoofed in phishing attempts. In fact, the most trusted brands are often the most susceptible to being hijacked. In the end, consumers are lured in by these seemingly legitimate communications into providing sensitive information, often resulting in credit card fraud, identity theft, and even financial loss.

Consumers are not the only stakeholders affected by phishing and identity theft. While consumers bear large emotional costs as victims of identity theft, businesses bear significant financial burdens. The FTC reported in 2003 that identity theft cost Americans approximately $53 billion the year before. It was estimated that consumers absorbed $5 billion of the cost, whereas businesses absorbed a whopping $48 billion of the cost. This number, while significant, fails to account for the impact that customer dissatisfaction, a loss of brand equity, and wasted resources have on the organizations most negatively affected by phishing incidents.

The phishing epidemic is worsening. Con artists and thieves are becoming more cunning in the way they construct emails and are discovering new techniques to carry out their schemes. Consumers are being fed information from the government, industry working groups, individual organizations, and the media about the dangers of phishing attempts. As a result, online consumers are growing more skeptical about email and want to see action taken to combat this problem.

CONSUMERS WANT ACTION

According to an online consumer study conducted by TRUSTe and the Ponemon Institute, 64% of respondents believe it is unacceptable for organizations to do nothing about spoofing and phishing, and 76% say organizations should be required to educate their customers. Industry anti-phishing groups are surfacing and legislation is being crafted to combat online fraud. But how are organizations preparing to protect themselves and their resources? Consumers are being armed with information to both avoid and report phishing attempts, but what information is available to organizations?

PROTECT YOUR BRAND AND TAKE CONTROL

The threat of phishing and identity theft is widespread, and the grim reality is that this problem affects all organizations. Organizations may feel helpless that their brands are being hijacked and the problem is beyond their control. However, there are certain measures organizations can take to control a potential phishing problem. As organizations become more familiar with the techniques of phishers, it is important that they adopt new technologies and evaluate their current technologies. It is equally important that organizations effectively communicate the dangers of phishing with staff, within the industry, and with consumers.

TRUSTe and Ernst & Young have created the following recommendations to help guide behavior in an organization’s communications and websites in order to minimize false positives and build consumer confidence. In the end, this guide will help you avoid looking like a phish.
Technology

TIP | RATIONALE: WHAT A PHISH LOOKS LIKE

MESSAGE

Tip: Don’t get your customers in the habit of responding to messages through the same channels in which they receive phishing messages.
Reasoning: If customers are not used to responding to messages from your organization by email, pop-up, or instant message, they are more likely to be skeptical of spoofed communications.
Example: You have sent a customer a package and their shipping information is incorrect. The information needs to be updated immediately so that the package is delivered on time and to the correct location. Instead of sending an email or instant message requesting the user to reply with his/her personal information, get customers in the habit of going directly to your website.

Tip: Don’t request personal information from customers directly from an email hyperlink.
Reasoning: If customers are not used to providing personal information via email, pop-up, or instant message, they are less likely to provide personal information to spoofed communications. Never send emails asking customers to supply, verify, or update personal or account information. Especially stay away from requests pertaining to passwords, SSNs, PINs, and account numbers.

DELIVERY

Tip: Don’t use “click here” hyperlinks.
Reasoning: Obscure “click here” hyperlinks are common in spoofed messages. No hyperlinks should be distributed to the customer, since the hyperlinked text can appear different from the link the user is taken to after clicking it. Get your customers in the habit of clicking on the visible URL or going to your website directly.
Example: Direct customers to your website, www.yourcompany.com, versus providing a link to click: “click here”.

Tip: Do personalize email when possible.
Reasoning: You know your customers’ names. Use them. Sending emails with personalized information helps users identify legitimate versus spoofed email.
Example: Use “Dear James,” or “Dear James Smith” versus “Dear Sir or Madam,” or “Greetings”. More personalized communications will allow consumers to recognize you as a legitimate sender.
Technology (cont.)

DELIVERY (cont.)

Tip: Don’t link to third-party sites from your email messages.
Reasoning: Don’t let your customers get in the habit of clicking through to someone else’s domain to do business with you. Use your own domain whenever possible. Pay special attention to the URLs used by your email vendors on your behalf.
Example: Instead of using third-party or proxy links like http://www.deliveryspecialist.com?redirect=www.yourdomain.com, use links directly to your domain.

Tip: Don’t redirect from the URL provided to another domain.
Reasoning: Phishers use redirects to make it seem that links click through to legitimate websites. If you need to track the performance of an email campaign, try to use other techniques so consumers see clear URLs.

Tip: Don’t use long URLs or complex links.
Reasoning: Many spoofed emails use long, complex links and URLs. Clean links are ideal.
Example: Avoid links like http://www.yourdomain.com?fr=453&spid=FD234&h=2. Keep links simple. Track reference information using cookies, or with simple reference codes: http://www.yourdomain.com?ref=325281

WEBSITES

Tip: Do use clean and crisp domain naming strategies.
Reasoning: Complex domain names and website URLs only confuse. Use clear naming for domains and websites.
Example: Use www.yourcompany.com/freepromotion versus www.x3429yourcomany.com/1jdif/promotion

Tip: Do get customers used to entering your site through the home page on your main domain before going to special or uniquely-named domains.
Reasoning: Customers in the habit of going to strangely named web sites are more likely to fall for spoofed sites. Foster safe habits with your use of domain and site names.
Example: You are offering a special promotion with ABC company and want customers to go to the ABC website, www.abc.com. Instead of directing customers to ABC company’s website, direct them to your web site first (www.yourdomain.com) and add an ABC company link to your website (www.yourdomain.com/abc). This gets customers in the habit of going to your website.
Technology (cont.)

WEBSITES (cont.)

Tip: Don’t direct customers to websites by IP address.
Reasoning: Some phishing attacks try to get around the domain naming challenge by simply linking to a server by its IP address. Always use fully-qualified domains and site names.
Example: Always identify your webservers using their domain names, not IP addresses. Use http://www.yourdomain.com; avoid http://66.55.44.21

Tip: Don’t open new browser windows with limited functionality.
Reasoning: Customers should be afforded the confidence that new browser windows are authentic too. When your site spawns a new window, make sure that the browser address bar and navigational buttons are provided.
Example: Use pop-up windows with address bars, clear URLs, and navigational elements like back buttons.

Tip: Don’t rely on pop-up windows for data collection, especially those with no address bar or navigational elements.
Reasoning: Some scams pop up fraudulent windows over legitimate websites to lend the pop-ups credibility. Use windows with address bars, clear URLs, and navigational elements like back buttons.

Tip: Don’t use instant messaging or chat with your customers unless they initiate the communication.
Reasoning: Give your customers every opportunity to feel confident they are dealing with an authentic operation.
Example: Your sales team wants to upsell new products to current customers. Do not initiate instant message communications with customers, as this is a mode of communication frequently used by phishers. Only allow customers to initiate the instant message communication.

PROTECTION

Tip: Don’t let cyber-squatters stake a claim.
Reasoning: Pursue cyber-squatters, including those who exploit loopholes in Internationalized Domain Name (IDN) support features. Make sure that look-alike domain names aren’t used for fraudulent purposes.
Example: Conduct periodic domain name searches to assess whether the company’s brand is being exploited. Also consider third-party internet brand protection services or tools which can gather this information for all relevant company-related trademarked or copyrighted names or slogans.
Technology (cont.)

PROTECTION (cont.)

Tip: Do protect your own web sites and applications from security threats and vulnerabilities, such as cross-site scripting, that can allow a scammer to hijack elements of your site.
Reasoning: Cross-site scripting has been a common hacker attack method for years. It is now being used by phishers to make your site become part of the attack. Regularly assess your site security to prevent such exploits from abetting a scam.
Example: Contact a network security consultant, a vulnerability scanning service, or purchase vulnerability scanning software.

Tip: Do authenticate yourself.
Reasoning: When possible, use digital certificates to allow visitors to authenticate your site. This is especially true when asking for financial or personally identifiable information.
Example: Use secure links for all login and data collection pages: https://www.yourdomain.com/register.html

Messaging

MESSAGING

Tip: Do proofread and spell-check all communications.
Reasoning: Phishing scams are often riddled with misspellings and other grammatical errors. Most commercial-grade communications go through quality checks. Make sure yours do as well.
Example: “Dear Sir: Pleese update your banc informasion.” Customers are looking for spelling errors. Remember to proof and spell-check all communications.

Tip: Do be explicit with “warning” and “immediate action required” communications.
Reasoning: Spoofers frequently send emails with “Warning” or “Immediate Action Required” messages, and consumers are wary of responding to these messages. Be sensitive and specific in your requests, and always direct the individual back to your website.
Example: Never send an email with an urgent, threatening, or time-sensitive tone such as: “Update your password immediately or your account will be deleted.”

Tip: Do use clear branding.
Reasoning: Although some phishers can copy company branding perfectly, others struggle with more pedestrian branding such as purloined logos. Use your branding consistently so customers know what to look for when receiving communication from your organization.
Example: Use consistent branding.

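The Delivery, Websites and Messaging tips above are concrete enough to check automatically before a campaign goes out. The following script is an added example, not part of the TRUSTe/Ernst & Young paper: it lints an outbound HTML e-mail for “click here” link text, third-party or redirecting links, IP-address hosts, long query strings, non-https data-collection pages, generic greetings and urgent wording. The sender domain yourdomain.com, the thresholds, the phrase lists and the two sample messages are constructed assumptions.

```python
"""Lint an outbound customer e-mail against the "don't look like a phish"
guidance.  Added example: the sender domain, thresholds, phrase lists and
sample messages below are constructed, not taken from the paper."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

OWN_DOMAIN = "yourdomain.com"   # assumption: the sending organization's domain
MAX_URL_LEN = 60                # assumption: anything longer counts as "complex"
GENERIC_GREETINGS = ("dear sir", "dear madam", "dear customer", "greetings")
URGENT_PHRASES = ("immediately", "immediate action required",
                  "account will be deleted", "warning")
SENSITIVE_PATHS = ("login", "register", "account")   # pages that collect data
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOSTLIKE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the message's <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, tolerating the scheme-less 'www.x.com/path' form."""
    return (urlparse(s if "//" in s else "//" + s).hostname or "").lower()


def is_own_domain(host):
    return host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN)


def lint_link(href, text):
    """Return the guidance violations for one hyperlink (empty list if clean)."""
    u, host, findings = urlparse(href), host_of(href), []
    if text.lower() in ("click here", "here", "click"):
        findings.append("generic 'click here' link text")
    if IPV4.fullmatch(host):
        findings.append("links to a server by IP address")
    elif not is_own_domain(host):
        findings.append(f"links to third-party domain {host}")
    params = parse_qs(u.query)
    for key, values in params.items():
        # a redirect-style parameter whose value names another host
        if re.search("redirect|url|goto", key, re.I) and any(HOSTLIKE.search(v) for v in values):
            findings.append(f"'{key}' parameter redirects to another location")
    if len(params) > 1 or len(href) > MAX_URL_LEN:
        findings.append("long or complex URL")
    # visible text that looks like a URL must name the host actually linked
    if HOSTLIKE.search(text) and host_of(text) != host:
        findings.append("visible URL text differs from the real link target")
    if u.scheme != "https" and any(p in u.path.lower() for p in SENSITIVE_PATHS):
        findings.append("login/data-collection page not served over https")
    return findings


def lint_message(html):
    """Check greeting, tone and every link of an HTML e-mail."""
    parser = LinkCollector()
    parser.feed(html)
    text = re.sub(r"<[^>]+>", " ", html).lower()
    findings = [f"generic greeting '{g}'; personalize with the customer's name"
                for g in GENERIC_GREETINGS if g in text]
    findings += [f"urgent or threatening wording: '{p}'" for p in URGENT_PHRASES if p in text]
    for href, visible in parser.links:
        findings += [f"{href}: {f}" for f in lint_link(href, visible)]
    return findings


# Constructed sample messages, modelled on the paper's bad and good examples.
PHISHY_MAIL = """<p>Dear Sir or Madam,</p>
<p>Update your password immediately or your account will be deleted.</p>
<p><a href="http://66.55.44.21/login">click here</a></p>"""
CLEAN_MAIL = """<p>Dear James Smith,</p>
<p>The shipping address on your order needs to be corrected. Please sign in at
<a href="https://www.yourdomain.com/account">www.yourdomain.com/account</a>.</p>"""

if __name__ == "__main__":
    for name, mail in (("phishy", PHISHY_MAIL), ("clean", CLEAN_MAIL)):
        print(name, lint_message(mail) or ["no findings"])
```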

Outreach

METHOD

Tip: Do educate your customers and encourage users to submit suspicious communications.
Reasoning: Since you have focused time and resources on fighting phishing, let your customers know. Communicate your practices and provide information about identity theft and spoofing. Tell them you will never ask for their personal information via email. Provide links on your website for customers to access this type of information. In addition, encourage customers to report suspicious emails to your organization.

Tip: Do have a communication plan in place to combat phishing.
Reasoning: Your communication plan should include an internal and external reporting process, employee education, and organizational awareness. You should be in communication with employees and customers. In addition, contact the Federal Trade Commission at spam@uce.gov (when forwarding spoofed messages, always include the entire original email with its original header information intact), the Internet Fraud Complaint Center of the FBI at http://www.ifccfbi.gov, the Anti-Phishing Working Group at reportphishing@antiphishing.org, and the Phish Report Network at http://www.phishreport.net.

Tip: Do communicate across all divisions of your organization.
Reasoning: Keep the line of communication open between all of your divisions and business units.

Tip: Do communicate across the industry.
Reasoning: You are not alone in your struggles. Reach out to others in the industry to help combat this problem. Contact the Anti-Phishing Working Group to find other industry experts working to fight phishing and identity theft.

About TRUSTe

TRUSTe, the online privacy leader, is an independent, nonprofit organization dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world. TRUSTe operates the world’s largest Web site privacy seal program, providing standards and dispute resolution for more than 1,300 Web sites.

Since 1997, TRUSTe has conducted more than 7,000 Web site privacy policy certifications. Informed by extensive consumer attitude research, TRUSTe provides industry with pragmatic and respectful policy guidance for Web site practices, wireless privacy, email privacy and data security. For more information, visit www.truste.org.

About Ernst & Young

Ernst & Young, a global leader in professional services, is committed to restoring the public’s trust in professional services firms and in the quality of financial reporting. Its 100,000 people in 140 countries around the globe pursue the highest levels of integrity, quality, and professionalism to provide clients with solutions based on financial, transactional, compliance, and risk-management knowledge in Ernst & Young’s core services of Audit, Tax, and Transaction Advisory Services. Ernst & Young practices provide privacy and security services to clients globally. More information about these services can be found at www.ey.com/privacy and www.ey.com/security.

Ernst & Young refers to all the members of the global Ernst & Young organization.

Ernst & Young
Technology & Security Risk Services
8484 Westpark Drive
McLean, VA 22102 USA

TRUSTe
685 Market Street, Suite 560
San Francisco, CA 94105
www.truste.org

© 2005 TRUSTe. All Rights Reserved.

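The hyperlink rules in the whitepaper's Technology tips (no "click here" anchors, no links to third-party or redirecting domains, no IP-address hosts, no long or complex query strings, https on login and data-collection pages, visible URL matching the real target) can be enforced mechanically before a campaign goes out. The script below is an added example, not code from TRUSTe or Ernst & Young. It assumes `yourdomain.com` is the sender's own domain (as in the paper's examples); the sample e-mail body is constructed, and the redirect-parameter list, the sensitive-path pattern and the 40-character query limit are thresholds chosen for illustration.

```python
"""Pre-send lint for hyperlinks in outbound customer e-mail.

Added example based on the whitepaper's Delivery/Websites/Protection tips;
not TRUSTe or Ernst & Young code. yourdomain.com stands in for the sender's
real domain; keyword lists and thresholds below are assumptions.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

OWN_DOMAINS = ("yourdomain.com",)      # assumption: the only domains we mail for
REDIRECT_KEYS = {"redirect", "redir", "url", "goto", "next", "return", "target"}
SENSITIVE_PATH = re.compile(r"login|signin|register|account|password|verify", re.I)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
MAX_QUERY_LEN = 40                     # assumption: longer query strings read as "complex"


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_own_domain(host):
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def check_link(href, text):
    """Return the whitepaper rules this one hyperlink breaks (empty list = clean)."""
    problems = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if text.lower().rstrip(".!") in ("click here", "here"):
        problems.append("vague anchor text")
    if not host:
        problems.append("link has no scheme or host")
    elif _is_ip(host):
        problems.append("links to an IP address instead of a domain")
    elif not _is_own_domain(host):
        problems.append("links to third-party domain " + host)
    query = parse_qsl(parts.query)
    if any(k.lower() in REDIRECT_KEYS and "." in v for k, v in query):
        problems.append("redirect parameter in URL")
    if len(query) > 1 or len(parts.query) > MAX_QUERY_LEN:
        problems.append("long or complex query string")
    if SENSITIVE_PATH.search(parts.path) and parts.scheme != "https":
        problems.append("login/data-collection page not served over https")
    if URL_LIKE.match(text):
        # Visible text that is itself a URL must point where the link really goes.
        shown = (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()
        if shown != host:
            problems.append("visible URL %s differs from link target %s" % (shown, host))
    return problems


def lint_email(html):
    """Run check_link over every <a> in the body; return [(href, problems)] for offenders."""
    collector = _LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        problems = check_link(href, text)
        if problems:
            report.append((href, problems))
    return report


# Constructed sample: one clean link followed by links that break the rules.
SAMPLE_EMAIL = """
<p>Dear James Smith,</p>
<p>Your order has shipped. Track it at
<a href="https://www.yourdomain.com/orders">www.yourdomain.com/orders</a>.</p>
<p>Please <a href="http://66.55.44.21/account/verify">click here</a> to verify your
account, or use our partner's
<a href="http://www.deliveryspecialist.com?redirect=www.yourdomain.com">delivery tracker</a>.</p>
<p><a href="http://www.yourdomain.com?fr=453&amp;spid=FD234&amp;h=2">Special offer</a></p>
"""

if __name__ == "__main__":
    for href, problems in lint_email(SAMPLE_EMAIL):
        print(href)
        for p in problems:
            print("   -", p)
```

Run it against the rendered HTML of a campaign as a gate in the send pipeline; the first sample link passes while the other three are flagged for the exact reasons the whitepaper lists. The checks are heuristics: a single `ref=` parameter is tolerated because the paper itself recommends simple reference codes, and if an e-mail vendor's tracking domain is ever accepted it must be added to `OWN_DOMAINS` deliberately rather than waved through.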