
Anti-Phishing

Best Practices:
Keys to Aggressively and
Effectively Protecting
Your Organization from
Phishing Attacks

Prepared by
James Brooks, Senior Product Manager
Cyveillance, Inc.

Anti-Phishing Best Practices

Overview
Phishing is defined by the Financial Services Technology Consortium (FSTC) as a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them. In short, it's online fraud to the highest degree.

For criminals, phishing has become one of the most common and most effective online scams. The schemes are varied, typically involving some combination of spoofed junk (spam) email, malicious software (malware), and fake Web pages to harvest personal information from unwitting consumers.

Customers of well-known and lesser-known companies alike have fallen victim to this pervasive form of online fraud. Western Union, AOL, SunTrust, eBay, Amazon, PayPal, EarthLink, and Citibank are just a few examples of the many companies that have found themselves and their customers persistent victims of phishing attacks.

During the six-month period ending February 28, 2006, Cyveillance detected phishing attacks against over 250 different brands in eight different industries across 13 countries.

Phishing attacks are growing at a torrid pace: the number of unique phishing websites detected by APWG (Anti-Phishing Working Group) in December 2005 alone exceeded 7,000, a huge increase in unique phishing sites from the previous two months.

Phishing has a huge negative impact on an organization's revenues, customer relationships, marketing efforts, and overall corporate image. Phishing attacks can cost companies tens to hundreds of thousands of dollars per attack in fraud-related losses and personnel time. Even worse, costs associated with the damage to brand image and consumer confidence can run in the millions of dollars.
The goal of any organization that is or may be targeted by phishers is to prevent or minimize the impact of phishing attacks. This can only be achieved by the development and implementation (using in-house or outsourced resources) of a comprehensive phishing protection and response plan. In all cases, the plan's success hinges on solid support and ongoing communication throughout the entire organization.

Key objectives of an effective phishing protection and response plan should include:
- Identification of the appropriate stakeholders, with their responsibilities clearly expressed
- Compatibility with existing processes and procedures. Your plan must work within the daily operational flow of business. Depending on the size of your organization and the availability of resources, the best decision may be to outsource.
- Creation of an effective internal and external communications process for the organization
- Creation of a solid phishing response escalation path
- Minimization or avoidance of negative customer experiences. Preserving consumer confidence in using online services is crucial.
- Reduction of financial losses associated with online fraud
- Proactive protection of your corporate reputation

A phishing protection plan should focus on four primary areas: Prevention, Detection, Response, and Recovery. High-level recommendations for each of the four areas are outlined in the following sections.

Prevention: Make Your Organization a Tough Target
Phishing is not a technology-driven problem. Phishing is first and foremost a human-driven problem that leverages technology. Therefore, phishers will attack trusted brands that provide the least resistance, enabling the highest return for their efforts. Your goal should be to make your organization extremely difficult for phishers to successfully mount an attack. To achieve this degree of difficulty, an organization should follow all of the following steps:

Establish ownership and accountability of the problem
All too often, an organization's first response to a phishing attack is reactive and knee-jerk. The attack and its consequences become an organizational hot potato, with ambiguity surrounding what to do next. It's crucial to identify a central authority, before you're attacked, with clear accountability for policy and action. It will streamline communications, which is critical in the throes of an attack. In addition, set up the appropriate Emergency Response Teams with clearly defined roles and responsibilities. You'll also want to create a Phishing Abuse Hotline or special inbox for customers and employees to report suspicious email messages.

Educate employees about phishing
Communicate early and often to your employees about your efforts to combat phishing. Make sure staff are well acquainted with the correct policies and procedures to use in the event of a phishing attack.

Educate customers about phishing
All your customer communications should include clear messaging about phishing prevention. Create corporate policies for email content so that legitimate email cannot be confused with phishing. This includes emails, account statements, direct marketing materials, etc. Be very clear with your customers about the steps they should take if they've fallen victim to phishing or identity theft. Finally, be sure that your policies about phishing are prominently displayed on your organization's primary website.
Follow good customer email practices
Don't get too clever with marketing tactics. Use consistent email formats and practices for customer communications. The use of consistent email practices trains your customers to know what to expect upon receiving your email communications, increasing the likelihood that the customer will easily spot a fraudulent email.

Good email practices mean never including requests for personal information, attachments, hyperlinks or link obfuscations. Standard, consistent email formats are best.
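The following is an added example, not code from the Cyveillance paper: a small pre-send check in Python that turns the rule above into a gate for outgoing customer email templates, flagging personal-information requests, attachments, hyperlinks and three common forms of link obfuscation (anchor text showing a different host than the link target, a "user@" prefix hiding the real host, and a raw IP address in place of a domain). The phrase patterns, the example-bank domain and the two sample messages are constructed for illustration and are not part of the paper.

```python
"""Pre-send policy check for customer email (added example, not Cyveillance's code).

Encodes the paper's rule that legitimate customer email never includes requests
for personal information, attachments, hyperlinks or obfuscated links.
Pattern lists and sample messages are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# <a href="...">text</a> pairs; adequate for template linting, not a full HTML parser.
ANCHOR_RE = re.compile(r'(?is)<a\s[^>]*href\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>')
URL_RE = re.compile(r'(?i)\b(?:https?://|www\.)[^\s<>"\']+')
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')
TAG_RE = re.compile(r'<[^>]+>')
# Wording that asks the reader to hand over credentials or account details (constructed list).
PII_REQUEST_RE = re.compile(
    r'(?is)\b(verify|confirm|update|re-?enter|provide)\b.{0,40}?'
    r'\b(password|pin|ssn|social security|card number|account number)\b')


def _parsed(url):
    """urlparse with a scheme forced on, so 'www.example.com/x' still yields a hostname."""
    if not re.match(r'(?i)^[a-z][a-z0-9+.-]*://', url):
        url = 'http://' + url
    return urlparse(url)


def _host(url):
    return (_parsed(url).hostname or '').lower()


def check_email(subject, body_html, attachments=()):
    """Return a list of (rule, detail) findings; an empty list means the message passes."""
    findings = []
    text = subject + '\n' + TAG_RE.sub(' ', body_html)

    m = PII_REQUEST_RE.search(text)
    if m:
        findings.append(('personal-info-request', m.group(0)))

    for name in attachments:
        findings.append(('attachment', name))

    shown_urls = []
    for href, inner in ANCHOR_RE.findall(body_html):
        visible = TAG_RE.sub('', inner).strip()
        findings.append(('hyperlink', href))
        shown = URL_RE.search(visible)
        target_host = _host(href)
        if shown:
            shown_urls.append(shown.group(0))
        # Obfuscation checks: displayed host differs from the real target; "user@"
        # in front of the real host; a raw IP instead of a domain.
        if shown and _host(shown.group(0)) != target_host:
            findings.append(('link-obfuscation', f'shows {shown.group(0)} but points to {href}'))
        elif '@' in _parsed(href).netloc:
            findings.append(('link-obfuscation', f'userinfo before host in {href}'))
        elif IPV4_RE.fullmatch(target_host):
            findings.append(('link-obfuscation', f'raw IP host in {href}'))

    # Bare URLs in the text are clickable in most mail clients too; skip those
    # already reported as anchor text.
    for url in URL_RE.findall(text):
        url = url.rstrip('.,;:)')
        if url not in shown_urls:
            findings.append(('hyperlink', url))
    return findings


# Constructed samples: one message that follows the policy, one that breaks every rule.
COMPLIANT = ("Your March statement is available",
             "<p>Your statement is ready. Sign in from your bookmark or by typing our "
             "address into your browser. Questions? Call the number printed on your card.</p>",
             ())
NON_COMPLIANT = ("Action required: confirm your account number",
                 '<p>Please <a href="http://198.51.100.7/login">http://www.example-bank.com/login</a> '
                 'to verify your password within 24 hours.</p>',
                 ("statement.pdf",))

if __name__ == '__main__':
    for msg in (COMPLIANT, NON_COMPLIANT):
        print(msg[0], '->', check_email(*msg) or 'PASS')
```

Wire `check_email` into the template approval step so a message with any finding is sent back to marketing rather than to customers; the point is that a consistent, link-free format is what lets customers recognise the fraudulent message when it arrives.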

Conduct a thorough audit and inventory of online assets
This includes Registered Domain Names, both live and parked, plus all websites with their corresponding URLs that are owned by or affiliated with your organization. Having a complete, organization-wide inventory of all registered domains allows for fast identification of a newly registered domain that may be used as part of a phishing attack.

Stay abreast of all emerging trends and technologies being deployed by phishers to commit fraud
Particularly today, the news is filled with the latest phishing attacks on global corporations large and small. What's more, become familiar with professional groups and associations like APWG, the Anti-Phishing Working Group (www.antiphishing.org). In addition, build an international network of contacts in the legal, government, and ISP communities. These resources will help to identify the sources of phishing attacks and get Web sites and accounts shut down quickly. Many of these attacks originate outside of the United States, so it's crucial to be prepared with a global escalation matrix.

Detection: Speed is Everything
Detection is central to any phishing protection and response plan. The speed of detection is crucial in limiting the amount of fraud losses caused by a phishing attack. Essentially, the longer a phishing site is live (and unnoticed), the more potential it has to cause damage. The steps of detection are shown in the table below and employ a number of strategies for detecting phishing attacks from junk email (spam).

The fact is, the best protection from phishing is vigilance. The APWG reports that typical phishing sites are live for an average of 5 days, with some staying live much longer. The sooner a phishing site can be detected, the sooner it can come down. Effective detection methods can reduce the average phishing site takedown time from days to hours.

Table 1: The Six Key Steps to Detection

Step 1  Obtain junk email from honey pot accounts.
Step 2  Use pre-sorted email feeds from Internet Service Providers (ISPs) and anti-spam companies.
Step 3  Filter both internally received spam and externally provided email feeds for attacks against your organization.
Step 4  Search the Web to identify any Web sites masquerading as your organization's Web site.
Step 5  Continuously monitor the Internet for suspicious new domain registrations and changes to existing domain registrations.
Step 6  Provide 24x7 coverage of your organization's Fraud Hotline and email inbox.
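As an added example (not Cyveillance's tooling), the Python below ties the domain inventory called for under Prevention to Steps 3 and 5 of Table 1. It assumes an inventory of owned domains and a list of brand tokens (both constructed here), then classifies hosts seen in a spam feed and names from a new-registration feed as owned, lookalike, brand-in-name or unrelated. The sample feed lines, the example-bank brand and the simplified registrable-domain rule (last two labels, no public-suffix list) are assumptions for illustration.

```python
"""Lookalike-domain triage for spam and registration feeds (added example, not Cyveillance's code).

Assumes an owned-domain inventory and brand tokens (constructed below) and applies
them to Detection steps 3 and 5. The registrable-domain logic is deliberately
simple: last two labels, no public-suffix list.
"""
import re
from urllib.parse import urlparse

OWNED_DOMAINS = {"example-bank.com", "examplebank.com", "example-bank.net"}  # constructed inventory
BRAND_TOKENS = ["examplebank"]  # constructed; compared after normalization
URL_RE = re.compile(r'(?i)\bhttps?://[^\s<>"\']+')
DIGIT_LOOKALIKES = str.maketrans("013578", "olestb")


def normalize(label):
    """Fold common visual substitutions so 'examp1e-bank' and 'exarnplebank' compare equal.
    The rn->m and vv->w folds are heuristics and can over-fold legitimate words."""
    folded = label.lower().translate(DIGIT_LOOKALIKES).replace("rn", "m").replace("vv", "w")
    return re.sub(r'[^a-z0-9]', '', folded)


def registrable(host):
    """Last two labels of a hostname (assumption: no multi-label public suffixes)."""
    parts = host.lower().strip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, reason); verdict is owned, lookalike, brand-in-name or unrelated."""
    domain = registrable(host)
    if domain in OWNED_DOMAINS:
        return 'owned', domain
    sld = domain.split('.')[0]
    for brand in BRAND_TOKENS:
        b = normalize(brand)
        if normalize(sld) == b:
            return 'lookalike', f'{sld} normalizes to {brand}'
        if levenshtein(normalize(sld), b) <= 2:
            return 'lookalike', f'{sld} is within edit distance 2 of {brand}'
    # Brand string buried in a longer name or a subdomain, e.g. examplebank.secure-login.example
    for brand in BRAND_TOKENS:
        if normalize(brand) in normalize(host):
            return 'brand-in-name', host
    return 'unrelated', domain


def triage_spam_feed(lines):
    """Step 3: URLs in spam whose host is not ours but resembles us."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            verdict, reason = classify(urlparse(url).hostname or '')
            if verdict in ('lookalike', 'brand-in-name'):
                hits.append((url, verdict, reason))
    return hits


def triage_registrations(domains):
    """Step 5: newly registered names that deserve a human look."""
    hits = []
    for domain in domains:
        verdict, reason = classify(domain)
        if verdict in ('lookalike', 'brand-in-name'):
            hits.append((domain, verdict, reason))
    return hits


# Constructed sample feeds.
SPAM_FEED = [
    "Subject: Account locked   http://examp1e-bank.com/verify",
    "Subject: Cheap watches    http://watches.example.net/sale",
    "Subject: Statement ready  http://www.example-bank.com/statements",
    "Subject: Urgent           http://example-bank.com.secure-login.example/",
]
NEW_REGISTRATIONS = ["exampIebank.com", "examplebank-support.net",
                     "gardening-tips.example", "exarnplebank.org"]

if __name__ == '__main__':
    for hit in triage_spam_feed(SPAM_FEED) + triage_registrations(NEW_REGISTRATIONS):
        print(*hit, sep='  |  ')
```

The inventory is what makes the "owned" verdict possible: without it, every mention of your own site in a spam feed is a false positive, which is why the audit under Prevention comes before the monitoring under Detection. Anything classified lookalike or brand-in-name is a candidate for the Fraud Hotline queue, not an automatic takedown.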


Response: Communication is Key
Your organization's response to a phishing attack will ultimately determine the extent of the damage caused by the attack. Obviously, the faster a site is brought down, the less damage it can cause. How your organization handles the phishing attack will directly impact the effectiveness of the phishing site takedown procedures. Steps to an effective response plan are outlined below:
- After a phishing site is detected and confirmed, immediately initiate site takedown procedures using your internal staff or outsourced service provider:
  1. Assess the size and scope of the phishing attack.
  2. Obtain information about the site and the ISP hosting the site.
  3. Contact the ISP to request the site to be removed; escalate to the ISP's local authorities as needed.
  4. Maintain contact with the ISP until the site is brought down and is no longer a threat to your organization.
- Contact the appropriate individuals based on your organization's escalation procedures.
- Provide the URL of the detected phishing site(s) to ISPs and security companies. These companies use the URLs to block and/or alert their subscription-based members from gaining access to the fraudulent sites.
- Notify the appropriate legal authorities to report the crime.
- Alert your customers. The best way is to post an alert directly on your Web site with a brief description of the attack.
- Create a Phishing Site Summary Report after the site is successfully taken down; this report will provide important historical evidence for investigative purposes.

Legal actions pursued by law enforcement and commercial organizations such as AOL and Microsoft, coupled with significant improvements in investigative and forensics technologies, will drastically increase the number of successful phishing prosecutions.

Recovery: Have the Process in Place
Recovery from a phishing attack can be just as important as responding to the attack itself. In this phase of your organization's phishing protection and response you need to focus on minimizing the impact of the phishing attack. The steps to an effective recovery plan are listed below:
- Once a site is shut down, work to gather all forensic information as well as any compromised customer data.
- Continue monitoring the site for at least ten (10) days to ensure the site doesn't go live again.
- Have drafted press releases and company statements prepared to address any external inquiries from customers or the media regarding a phishing attack.
- Search the Web, message boards, and chat rooms to locate and retrieve your customers' stolen credit card and debit card numbers, login names and passwords, and other personal information compromised from the attack. The quick retrieval of this information reduces the overall cost of the phishing attack and significantly reduces customer attrition due to fraud-related events.
- Conduct a post-mortem on the attack to identify areas for improvement.

Conclusion
Phishing is a problem that will be around for the foreseeable future. Phishing schemes continue to proliferate because they continue to work, becoming more sophisticated and better able to hide from detection. It makes good business sense to take a hard look at your company's readiness, ascertain your preparedness, and devise a solid, aggressive plan to combat the problem of phishing. Doing so is a win-win for the security professional, the customer, and the business as a whole.

About Cyveillance
Cyveillance provides online risk monitoring and management solutions to Global 2000 organizations. The company comprehensively monitors the Internet using patented technology to deliver early warning of risks to information, infrastructure and individuals. Armed with this actionable intelligence and Cyveillance's immediate corrective response capabilities, chief security officers can proactively protect their company's reputation, revenues and customer trust. Cyveillance counts over half of the Fortune 50 and three quarters of the top Fortune 500 companies in the financial services, pharmaceutical, energy, and technology industries as clients.
For more information, call 1.888.243.0097 or email info@cyveillance.com.

1555 Wilson Boulevard, Suite 406
Arlington, VA 22209-2405

04/06
Copyright 2006 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc.
All other names are trademarks or registered trademarks of their respective owners.
