This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
"Phishing, you say? Well, that's not my problem."
The Chief Information Security Officer of a well-known establishment said this in a meeting with our company's security manager. But enterprises, and indeed all organisations, have to start recognising that phishing is their problem, and a costly one to ignore. Efforts to teach customers and employees to protect themselves and to recognise deception are important, but they are not nearly enough on their own.
In late July, a user of HSBC's e-banking service reported a scam email offering a free credit card verification service; it led her to a phony website that instructed her to log in. Less than a month later, a Hong Kong-based website claimed to be the official site of luxury brand Tiffany & Co. in order to steal shoppers' personal information, including credit card data.
These fraudulent websites aim to trick unsuspecting users into volunteering information. According to a Google study of account hijacking published last year, the most convincing phishing pages fool around 45 percent of the people who visit them, and hijacked accounts are often accessed within 30 minutes of the credentials being stolen. Earlier this year, Hong Kong lawmaker and former security minister Regina Ip revealed that HK$500,000 was transferred out of her bank account after she opened an attachment to an email that appeared to come from a friend: a classic phishing lure. And, according to the same Google study, even the least successful phishing scams have success rates of around 3 percent, which is disastrous when the lure is sent to millions of recipients.
While key-logging, form-grabbing and other spyware remain common tactics, there is increasing use of phishing websites designed to look like legitimate log-in pages. The "Hong Kong Security Watch Report", published by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), indicates that in Q2 2015 the number of phishing events rose by 168 percent to a record high of 7,836.
Delivered through email or social media lures, phishing has become a weapon of choice for many attackers. It is used not only to harvest valuable information but also to deploy malware that underpins larger attacks: taking control of devices, evading detection, gaining access to protected information and assets, and executing a fraudulent transaction or a full attack against a specific application.
As a result, guarding against phishing should be an area of focus for companies, institutions and agencies alike. To improve an organisation's overall security posture against phishing and credential theft, here are four best practices:
- Obfuscate form fields: Slow attackers down by obscuring the form fields on Internet-facing login pages and other forms where users enter confidential information, so that field names and layout are ambiguous or unknown to automated tooling and form-grabbing malware.
- Encrypt information at rest in the browser: Protect information while users type it into form fields, before it is submitted and transmitted over SSL/TLS, so that malware reading the page or the form does not see the plaintext.
- Protect against client-side malware: Identify at-risk devices, such as those that have been jailbroken or rooted ("unlocked"), are known to be vulnerable, or already contain malware, and treat sessions from them accordingly.
- Identify phishing sites before the lure emails go out: Be alerted when the organisation's official website has been copied and uploaded to a spoofed host, and when customers have fallen victim to the related phishing lures. A clone is often detectable from the legitimate site's own traffic before the first victim logs in.
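The following Node.js script is an added example of the last practice; it is not code from the article or from any vendor's product. It shows two complementary ways to learn that a login page has been cloned: a client-side check that the page's script can run against the hostname it is actually served from, and a server-side scan of the legitimate web server's access log for assets (logo, CSS, scripts) being hotlinked from a foreign host, which is how most phishing kits behave. The hostnames, the `clone-report` endpoint and the log lines are all constructed for the example.

```javascript
// Added example (not code from the article or from any vendor product):
// two complementary ways to learn that a login page has been cloned.
//
// 1) Client side. The legitimate page ships a script that compares the host
//    it is actually running on with the real hostnames. Phishing kits copy
//    the page wholesale, script included, so the copy phones home.
// 2) Server side. Kits usually hotlink the real site's logo, CSS and scripts
//    instead of re-hosting them, so the legitimate web server's access log
//    shows asset requests whose Referer is a foreign host. Scan for those.
//
// All hostnames, the report endpoint and the log lines are constructed.

const LEGIT_HOSTS = new Set(['www.example-bank.com', 'login.example-bank.com']);
const REPORT_URL = 'https://www.example-bank.com/clone-report'; // hypothetical endpoint

// Pure decision function; in the browser it would be called with
// window.location.hostname and the beacon sent with navigator.sendBeacon().
function cloneReport(pageHostname, legitHosts = LEGIT_HOSTS) {
  const host = String(pageHostname).toLowerCase();
  if (legitHosts.has(host)) return null; // served by us, nothing to report
  return { clonedOn: host, beacon: REPORT_URL + '?host=' + encodeURIComponent(host) };
}

// Apache/nginx "combined" log format:
// ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;
const ASSET_RE = /\.(png|svg|gif|jpe?g|ico|css|js|woff2?)$/i;

function refererHost(referer) {
  if (!referer || referer === '-') return null;
  try { return new URL(referer).hostname.toLowerCase(); } catch { return null; }
}

// Map of foreign referer host -> { hits, paths } for successfully served assets.
function findHotlinkingHosts(logLines, legitHosts = LEGIT_HOSTS) {
  const byHost = new Map();
  for (const line of logLines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // malformed line: skip rather than abort the scan
    const path = m[4].split('?')[0]; // drop cache-busting query strings
    const status = m[5];
    if (status !== '200' && status !== '304') continue; // only assets we actually served
    if (!ASSET_RE.test(path)) continue;
    const rh = refererHost(m[6]);
    if (!rh || legitHosts.has(rh)) continue; // direct request, or one of our own pages
    const e = byHost.get(rh) || { hits: 0, paths: new Set() };
    e.hits += 1;
    e.paths.add(path);
    byHost.set(rh, e);
  }
  return byHost;
}

// A host is a suspected clone once it has pulled several asset requests spanning
// more than one distinct file; a blog that embeds the logo once does not qualify.
function suspectedClones(byHost, minHits = 3, minDistinct = 2) {
  return [...byHost]
    .filter(([, e]) => e.hits >= minHits && e.paths.size >= minDistinct)
    .map(([host, e]) => ({ host, hits: e.hits, assets: [...e.paths].sort() }));
}

// Constructed access-log sample: one foreign host loading three files four times,
// one blog embedding the logo once, a direct login, and a 404 from the clone.
const SAMPLE_LOG = [
  '203.0.113.10 - - [10/Aug/2015:09:01:02 +0800] "GET /img/logo.png HTTP/1.1" 200 5123 "https://www.example-bank.com/login" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Aug/2015:09:03:11 +0800] "GET /img/logo.png HTTP/1.1" 200 5123 "http://secure-examp1e-bank.xyz/login.php" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Aug/2015:09:03:11 +0800] "GET /css/login.css HTTP/1.1" 200 2210 "http://secure-examp1e-bank.xyz/login.php" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Aug/2015:09:03:12 +0800] "GET /js/app.js?v=3 HTTP/1.1" 200 8801 "http://secure-examp1e-bank.xyz/login.php" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Aug/2015:09:20:45 +0800] "GET /img/logo.png HTTP/1.1" 304 0 "http://secure-examp1e-bank.xyz/verify.php" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Aug/2015:09:20:46 +0800] "GET /img/missing.png HTTP/1.1" 404 196 "http://secure-examp1e-bank.xyz/verify.php" "Mozilla/5.0"',
  '192.0.2.55 - - [10/Aug/2015:10:15:00 +0800] "GET /img/logo.png HTTP/1.1" 200 5123 "https://blog.example.org/post/which-bank" "Mozilla/5.0"',
  '192.0.2.56 - - [10/Aug/2015:10:16:30 +0800] "POST /login HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
];

console.log(JSON.stringify(suspectedClones(findHotlinkingHosts(SAMPLE_LOG)), null, 2));
console.log(cloneReport('secure-examp1e-bank.xyz'));
```

Run against the sample, the scan flags only `secure-examp1e-bank.xyz` (four successful asset requests across three distinct files) and ignores the blog that embeds the logo once, the direct login and the failed request. The thresholds in `suspectedClones` are the tuning knob: too low and every page that hotlinks your logo becomes an alert, too high and a kit that re-hosts most assets slips through. A kit that copies every asset defeats the log scan entirely, which is why the client-side `cloneReport` check is worth shipping alongside it; the two cover each other's blind spot, and both can fire before any customer has typed a password into the copy.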