Fighting back

How companies are responding and what users should know.

While automated phishing attacks are on the rise, phishes that rely on e-mail and instant-message lures and fake logon sites still abound. Below is an update on how companies are responding and what users should be aware of.

CLOSED E-MAIL: Two years ago, eBay started sending restricted e-mail to its customers. Last year, financial services began following suit. For example, Wachovia now uses a closed, authenticated e-mail system as its only way to message customers. And eBay uses its internal "my messages" mail to educate consumers by putting security messages around the frames, an eBay spokeswoman says.

EDUCATION: In addition to "practicing safe computing" by not clicking links and staying away from questionable Web sites, users should now update their security tools every day. And they shouldn't trust the little closed SSL locks anymore. NetCraft researchers found forged SSL certificates in 450 separate phish sites last year. Users also need to be wary of any solicitations, not just those from eBay and financial services. Last year, phishers forged brands from the Internal Revenue Service, the Internet Crime Complaint Center, numerous security vendors and several authoritative, nonfinancial companies.

ENFORCEMENT: Microsoft, spearheading Digital PhishNet, took down 4,744 phishing sites in 2005 and filed 117 lawsuits against phishers. In February, Microsoft announced the Global Phishing Enforcement Initiative, which will coordinate efforts in monitoring for domain offenses, phish takedowns, partnerships with law enforcement and worldwide investigations. In March, Castlecops and Sunbelt Software announced the Phishing Incident Reporting and Termination Squad to focus solely on terminating phish sites.

IDENTITY SERVICES: Some organizations are taking the unusual step of buying proactive identity-protection services for their employees, says Todd Davis, CEO of LifeLock. "Fifty-one percent of identity theft occurs in the workplace. It takes an employee on average 177 hours to reclaim an identity," Davis says. "For $70 per year per employee, businesses realize this is a good investment to keep their employees productive."

SPAM: Service providers have made improvements in filtering spam and authenticating e-mail through adoption of the Sender Policy Framework and Sender ID. Symantec reported a 13% reduction in spam mail last year, from 63% of all traffic in 2004 to 50% in 2005.

TOOLBARS: Microsoft announced its Phishing Filter and SmartScreen e-mail scanner and browser toolbar, which scan URLs against blacklists in Microsoft browsers and e-mail services and programs. They also look for basic indicators of a phish, such as addresses that don't resolve correctly. Other popular toolbars: NetCraft and eBay.


Copyright © 2006 IDG Communications, Inc.
