How SMBs can avoid phishing hooks

Small businesses are becoming targets of phishing scams. A Symantec executive outlines basic guidelines on how to avoid such attacks.
Written by Ronnie Ng, Contributor

Phishing continues to be one of the most prevalent Internet threats today. But while large enterprises were previously primary targets for such attacks, small and midsize businesses (SMBs) are now becoming popular targets as these companies often lack the ability to protect themselves.

In Symantec's Internet Security Threat Report, 87,963 phishing hosts were detected in the second half of 2007, a 167 percent increase from the first half of 2007. Phishing hosts are computers that can host one or more phishing Web sites, which are malicious sites designed to resemble legitimate Web sites.

In the past, phishing attacks on businesses were aimed almost exclusively at large enterprises. That is no longer the case: small businesses are now targeted as well, precisely because they often lack the resources to protect themselves.

A Web server belonging to a small company is also an attractive platform for phishers to compromise and use as a host, because small businesses often lack full-time administrative or security staff who would notice the intrusion.

However, all is not lost. There are a number of precautions that small businesses can take to reduce their exposure to this growing Internet threat.

These steps begin with understanding what phishing entails, followed by educating employees and customers about the dangers of phishing.

Basic guidelines for recognizing and avoiding phishing traps include the need to:

•  Know how phishing attacks work
Phishing is an attempt by a third-party to solicit confidential information from an individual, group, or organization, often for financial gain.

Phishers are groups or individuals who attempt to trick their victims into disclosing personal data, such as credit card numbers, online banking credentials, and other confidential information. The information can then be used to commit fraudulent acts.

In a common scenario, phishers send mass e-mails that appear to come from a legitimate company and try to evoke an emotional response to a fabricated crisis. The message usually asks for sensitive information, sometimes by directing the recipient to a spoofed Web page.

The Web page, like the e-mail, appears authentic because phishers often copy logos and other copyrighted images from the original site. In some instances the URL is masked so that even the Web address looks real.

Because the e-mail and its Web page look bona fide, the phishers hope that at least a fraction of recipients will be fooled into submitting personal data, such as user IDs and passwords, exactly as they would on the legitimate site.

The phishers then use the data to defraud the victims, for example by emptying the victim's bank account, opening new accounts in the victim's name, or selling the information on the black market for a profit.

•  Be cognizant of phishing attempts
E-mail messages asking for confidential information, especially those of a financial nature, are usually phishing attempts.

Since these attacks emerged, financial institutions have stopped asking for sensitive personal information via e-mail. Legitimate companies also rarely e-mail links that ask the recipient to sign in or enter account details.

Should an SMB's employees receive such a request by e-mail, they should neither reply nor follow its links; the best thing to do is report the message to whoever handles IT for the business and to anti-phishing organizations.

•  Approach generic requests carefully
E-mail with generic-looking requests should immediately raise red flags. Spoofed e-mail messages are usually impersonal, often beginning with "Dear Sir" or "Dear Madam". Moreover, fake e-mail purporting to come from a financial institution will rarely reference the specific account or relationship the business actually has with that institution, whereas genuine correspondence usually does.

The safest way to handle such e-mail is not to follow its links at all: type the institution's real URL into the browser's address bar by hand (or use a bookmark saved earlier), so you can be sure you are reaching the legitimate site.

•  Avoid embedded forms
Embedded documents and forms deserve particular caution. If employees fill in a form embedded in an e-mail message, the confidential information it collects is at risk of falling into the wrong hands. Never submit confidential information via forms embedded within e-mail messages.

Should employees need to submit corporate credit card numbers or other confidential information over the Internet, make sure they have verified that the site is authentic and that the connection is encrypted.

If a Web page is served over an encrypted connection, the browser shows a "locked" icon in its own window frame and the Web address begins with "https" rather than "http". However, some phishing sites draw fake lock icons on the page itself, so make sure the icon is part of the browser's window frame and not part of the page content.

Also, an address beginning with https does not by itself mean the site is secure, or even authentic: anyone who controls a domain can obtain a certificate for it, and sophisticated phishers use URL-masking techniques (look-alike domain names, or the real company's name buried inside an unrelated host name) to mimic the secure addresses of actual companies.

If your employees are uncertain if a site is legitimate, have an IT professional look into it or call the site's owner to confirm the URL's authenticity.
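As an added illustration of the checks described above (this is example code written for this page, not code from the article or from Symantec), the following Python script asks the same questions of a URL before anyone types credentials into it: is the scheme https, does the host really belong to the institution, or has the real host been masked behind a user-name prefix in the address, a bare IP address, an internationalized look-alike name, or the company's name embedded in someone else's domain. The trusted domain `examplebank.com` and the sample URLs are constructed for the example.

```python
"""Flag masked or look-alike URLs before credentials are typed into them.
Example code for this page; the trusted domain and sample URLs are constructed."""
from urllib.parse import urlsplit
import ipaddress

# Domains the business actually uses for customer logins (constructed assumption).
TRUSTED_DOMAINS = {"examplebank.com"}


def belongs_to(host, domain):
    """True if host is the domain itself or a proper subdomain of it."""
    return host == domain or host.endswith("." + domain)


def inspect_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons). verdict is 'trusted' when nothing looks wrong,
    otherwise 'suspicious'. Only the address is examined; the certificate and
    the browser's lock icon still have to be checked separately."""
    parts = urlsplit(url)
    # .hostname strips any user:pass@ prefix and the port, and lowercases.
    host = (parts.hostname or "").rstrip(".")
    reasons = []

    if parts.scheme != "https":
        reasons.append("connection is not https")

    # https://examplebank.com@evil.example/ : everything before '@' is user
    # info; the browser actually connects to evil.example.
    if "@" in parts.netloc:
        reasons.append("text before '@' is user info; real host is '%s'" % host)

    # http://203.0.113.7/examplebank/ : real institutions do not use bare IPs.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass

    # Internationalized names (punycode 'xn--' labels or non-ASCII characters)
    # can render as look-alikes of the genuine domain.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized host name; possible look-alike")

    if not any(belongs_to(host, d) for d in trusted):
        # examplebank.com.secure-login.example or examplebank-com-login.example:
        # the familiar name is only a decoy inside someone else's domain.
        squashed = host.replace("-", "").replace(".", "")
        decoys = [d for d in trusted if d in host or d.replace(".", "") in squashed]
        if decoys:
            reasons.append("trusted name '%s' embedded in unrelated host '%s'" % (decoys[0], host))
        else:
            reasons.append("host '%s' is not one of the institution's domains" % host)

    return ("trusted" if not reasons else "suspicious"), reasons


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest masked in different ways.
    samples = [
        "https://www.examplebank.com/login",
        "https://examplebank.com@evil.example/login",
        "https://examplebank.com.secure-login.example/",
        "http://203.0.113.7/examplebank/",
        "https://xn--exmplebank-ipb.com/",
    ]
    for url in samples:
        verdict, why = inspect_url(url)
        print("%-48s %s" % (url, verdict))
        for r in why:
            print("    - " + r)
```

Run as a script, the `https://examplebank.com@evil.example/login` case is flagged even though it begins with https, which is exactly the point that https alone proves nothing. The script inspects only the address; validating the certificate and the lock icon remains the browser's job, and the trusted-domain list has to be maintained by the business itself.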

•  Exercise restraint
Do not feel pressured into providing sensitive information. Phishers commonly employ scare tactics, and may threaten to disable an account or delay services until their targeted victims update certain information.

Instead of giving in to such requests, contact the merchant directly offline, using a phone number taken from a statement or from the company's own Web site rather than from the e-mail, to confirm whether the request is genuine.

As mentioned above, the new focus on small businesses poses a potential threat to these enterprises' well-being and their customer base. SMBs should take the following precautions in order to safeguard their brand and reassure their customers:

•  Keep confidential information private
Businesses that are serious about their customers' security should never ask their customers to divulge confidential information. They should also let their customers know that they will never proactively ask them for such information via e-mail.

•  Lock Web sites and e-mail communication
It goes without saying that customers want to know their information is secure when they deal with any business. Organizations can win customer deals and client loyalty by taking proactive measures to secure their Web site and e-mail communications.

Several mechanisms are available today to protect customers: strong authentication on Web sites (for example smart cards or other hardware tokens); sender policies published in the DNS (Domain Name System), such as SPF (Sender Policy Framework), that let receiving mail servers verify which servers may send e-mail for the business's domain; and digital signatures (S/MIME for individual senders, or domain-level DKIM signatures) that confirm the identity of e-mail senders.
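The DNS-based sender check in the item above works, in practice, like this: the domain publishes a TXT record listing the mail servers allowed to send on its behalf, and the receiving server compares the connecting IP address against that list. The following Python is an added example for this page, not code from the article or from Symantec. It evaluates the `ip4`, `ip6` and `all` mechanisms of an SPF record without live DNS lookups, so the record for `examplebank.com`, the lookup table standing in for DNS, and the sender addresses are all constructed; mechanisms that would need further DNS queries (`include`, `a`, `mx`, `exists`, `redirect`) are rejected rather than guessed.

```python
"""Minimal SPF evaluation: which mail servers may send for a domain?
Example code for this page. The DNS data below is constructed, not real."""
import ipaddress

# Stand-in for DNS TXT lookups (constructed). A real receiver queries DNS.
FAKE_DNS_TXT = {
    "examplebank.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
    "partner.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate the ip4, ip6 and all mechanisms of an SPF record against the
    connecting IP. Returns pass, fail, softfail or neutral; 'none' when the
    record is missing or is not an SPF record; 'permerror' for a malformed term.
    Mechanisms that need more DNS (include, a, mx, exists, redirect) raise,
    because this example does no network lookups."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("exp="):  # explanation modifier: no effect on the result
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError("mechanism needs DNS lookups: " + term)
    return "neutral"                          # RFC 7208 section 4.7: nothing matched


def check_sender(domain, sender_ip, dns=FAKE_DNS_TXT):
    """Look up the domain's SPF record (here from the constructed table) and
    evaluate it for the address of the connecting mail server."""
    return evaluate_spf(dns.get(domain.lower()), sender_ip)


def action_for(result):
    """A receiving policy: reject on fail, hold softfail for review, else accept."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")


if __name__ == "__main__":
    cases = [
        ("examplebank.com", "203.0.113.25"),    # a listed server: pass
        ("examplebank.com", "198.51.100.9"),    # a phisher's server: fail
        ("examplebank.com", "2001:db8:10:1::5"),
        ("partner.example", "192.0.2.44"),      # softfail under ~all
        ("unknown.example", "192.0.2.44"),      # no record published
    ]
    for domain, ip in cases:
        result = check_sender(domain, ip)
        print("%-18s %-18s %-9s -> %s" % (domain, ip, result, action_for(result)))
```

The `-all` at the end of the record is what makes the mechanism useful against phishing: mail claiming to be from `examplebank.com` but sent from a server outside the listed ranges evaluates to `fail`, and a receiver can reject it outright. A domain that never publishes a record, or ends its record with `?all`, gives receivers nothing to act on.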

•  Maintain contact with customers
Take action by communicating proactively with customers. By posting regular messages on their Web site, businesses ensure their customers understand how they should expect to receive correspondence. It also gives customers information on how to contact the business if they come across any unusual or suspicious uses of that business's name.

•  Continue vigilance
Businesses that keep up to date on the Internet security threat landscape have an advantage with their customer base. Through proper brand management and awareness, and by staying informed about the latest security hazards, businesses can limit fraudulent use of their corporate brand on the Internet and secure their customers' interest and loyalty.

Every business needs to stay abreast of the security threats it faces.

By continuing to monitor new phishing attacks and strategies, they can not only help their employees spot potentially devastating scams, but also reassure customers that they are making proactive efforts to ensure a safer online environment for transacting business.

These steps help earn customer loyalty and a reputation as a solid and secure business partner.

Ronnie Ng is manager of systems engineering at Symantec's Singapore office.
