Phishing Can Hook Any Business
Your business spends a great deal of time and effort preserving brand integrity and keeping your customers satisfied. But there's an insidious Internet crime that can ruin your company's goodwill and cost you a fortune.
The fraud is called "phishing" and it's committed by technologically savvy criminals who defraud people using legitimate companies' trusted names and images.
Here's how phishing typically works: A spammer sends out e-mail messages that recipients believe are from specific, trusted companies. The messages direct customers to a "ghost" or phony website that resembles the company's real site. There, the customers are asked to provide confidential financial information, such as a Social Security number, password or e-mail address.
Criminals use the information to commit credit card fraud or identity theft. In some cases, messages are sent promoting pornography or adult services.
Phishing can involve trademark and other intellectual property violations. It can also lead to two scenarios that strain a valid company's customers, employees and technology systems:
Customers who trust the company open the messages and get ripped off. Without the right response, they will be left with a bad feeling about your business.
Customers who fear becoming victims of fraud ignore legitimate messages from your company, causing you to lose business.
Phishing fraudsters prey on all types of businesses, from small firms to large, well-known corporations. Initially these crimes sprang from the use of "open relay" or "open proxy" servers that let spammers send anonymous, nearly untraceable e-mail messages. Lists of loosely managed or insecure proxy servers are available online, along with tools for locating them.
Criminals use the servers to forward large numbers of e-mail messages to recipients. An open proxy server not only forwards the messages, but also inserts its own Internet address in place of the original source information, effectively covering the spammer's tracks.
Companies have sued spammers and won, but the cases generally take a year or longer before coming to trial because of a lengthy discovery process and the tendency of cybercriminals to change Internet companies and addresses every couple of days.
Your business needs to proactively fight phishing. Here are some of the steps experts recommend taking:
Notify customers and employees that any e-mail asking for personal information is suspicious and should be reported immediately to a security contact at your company. A legitimate website does not ask customers to verify or update confidential information via e-mail.
Urge customers and employees not to open suspicious messages or visit the websites they mention. Merely visiting some sites can trigger the automatic download of a virus or Trojan horse program that lets the spammer control a computer remotely.
Monitor Internet and spam security information resources.
Install filtering systems that stop unwanted or dangerous messages before they hit your corporate network.
Tighten registration procedures for your customers.
Design e-mail in ways that cannot easily be replicated.
Inspect every server and close any open relays.
Tell technology staff members to look for bounces of e-mail messages that were not sent by your company and to keep an eye out for customer complaints.
Make it known you'll prosecute. Have a dedicated e-mail address posted on your site for reports of abuse.
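The bounce check above (look for bounces of e-mail your company never sent) can be automated. The following is an added example, not code from the original article: it parses bounce messages that return the original e-mail as a message/rfc822 part, reads the original sender and Message-ID, and flags bounces whose original claims your domain but whose Message-ID is absent from the list of messages your own mail system sent. The domain example.com, the set of sent Message-IDs and the sample bounces are all constructed for the demo; in practice the sent-ID set would come from your outbound mail server's logs.

```python
"""Triage bounce messages to spot backscatter from phishing mail that
spoofs our domain.  Added example; not from the original article."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumed company domain (constructed)

# Message-IDs our own mail system really sent.  Assumption: in production
# this set is built from the outbound mail server's log; constructed here.
SENT_MESSAGE_IDS = {
    "<20240301.order-4711@example.com>",
    "<20240302.newsletter@example.com>",
}


def build_bounce(orig_from, orig_to, orig_msgid, orig_subject):
    """Construct a minimal bounce that returns the original message as a
    message/rfc822 attachment.  Sample data for this demo, not real traffic."""
    original = EmailMessage()
    original["From"] = orig_from
    original["To"] = orig_to
    original["Subject"] = orig_subject
    original["Message-ID"] = orig_msgid
    original.set_content("(original body)")

    bounce = EmailMessage()
    bounce["From"] = "Mail Delivery System <MAILER-DAEMON@mx.remote-isp.example>"
    bounce["To"] = orig_from
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("This is the mail system at host mx.remote-isp.example.\n"
                       "The recipient does not exist.")
    bounce.add_attachment(original)  # attached as a message/rfc822 part
    return bounce.as_bytes()


def original_headers(bounce_bytes):
    """Return (from_address, message_id) of the message the bounce quotes,
    or (None, None) if the bounce carries no message/rfc822 part."""
    msg = message_from_bytes(bounce_bytes, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            _, addr = parseaddr(original.get("From", ""))
            return addr.lower(), (original.get("Message-ID") or "").strip()
    return None, None


def classify_bounce(bounce_bytes, sent_ids=SENT_MESSAGE_IDS, our_domain=OUR_DOMAIN):
    """'legitimate': we sent it; 'spoofed': claims our domain but we never
    sent it (likely phishing backscatter); 'unrelated': another domain;
    'unparseable': no quoted original message found."""
    addr, msgid = original_headers(bounce_bytes)
    if addr is None:
        return "unparseable"
    if not addr.endswith("@" + our_domain):
        return "unrelated"
    return "legitimate" if msgid in sent_ids else "spoofed"


# Constructed sample bounces (not real traffic).
SAMPLE_BOUNCES = {
    "our-newsletter": build_bounce("news@example.com", "gone@customer.example",
                                   "<20240302.newsletter@example.com>", "March news"),
    "phish-backscatter": build_bounce("security@example.com", "victim@customer.example",
                                      "<a1b2c3@open-proxy.example>", "Verify your account now"),
    "someone-else": build_bounce("billing@other.example", "nobody@customer.example",
                                 "<x@other.example>", "Invoice"),
}


def triage(bounces=SAMPLE_BOUNCES):
    """Return {name: verdict} for a batch of raw bounce messages."""
    return {name: classify_bounce(raw) for name, raw in bounces.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:20s} {verdict}")
```

A run of "spoofed" verdicts from many different remote mail systems in a short window is the signal the article describes: someone is sending mail in your name through servers you do not control, and the bounces are the first trace that reaches you. Feed those verdicts to the same security contact that handles customer reports.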
In the event of a phishing attack, good PR is the first line of defense. Have an auto-reply form letter ready notifying customers and employees of the fraud. Acknowledge the problem and clean up the mess. Phishing may not go away, but you can be prepared to deal with it in ways that protect your brand and your customers.