Phishing: Don't Be Phooled By Phoney Emails
Phishing, the use of legitimate-looking e-mails that attempt to trick people into giving out personal information, is on the rise. It's not hard to see why. Rather than digging through mounds of data looking for credit card numbers, social security numbers, and bank account info, criminals can now just send e-mails to millions of people hoping that some will be tricked into revealing their information. All it takes is a very small percentage of responses to make the campaign worth the effort.
Fortunately, consumers are taking notice of the media coverage and are more aware of phishing than ever. Corporations are also doing their part to educate end-users. The bad news is that 33% of these same consumers are shopping less online because of the threat of phishing. In the short term, this may not be a concern, but if the trend continues, online retailers are going to have a real problem on their hands.
CIO magazine offers these three best practices to combat phishers and reduce the number of people tricked.
- Use your website to educate customers about fraudulent sites.
- Make it a policy not to ask customers for personal information via e-mail.
- Have a process in place to take action against phishers when attacks occur, and to reassure customers.
I'll add one more to the list. Whenever corresponding with customers via e-mail, include a one-liner that reiterates your company's policy that you will never ask for account information via e-mail. If customers see this message enough times, then maybe they'll remember it the next time they're inclined to follow through on a request from a phishing e-mail.
As an end-user, I'd recommend the following:
- If an official-looking e-mail has an attachment, don't open it. It's rare that companies would send attachments. Exceptions include order confirmations in the form of a PDF. If an attachment comes through as a zip file, that's a warning sign.
- If there are links in the mail, hover your mouse over them before clicking. While hovering, look in the status bar for the URL the link actually points to. That URL should match what's being displayed in the message.
- Rather than click any link in the e-mail, type in the URL yourself. This will ensure you go to the official site rather than one set up by the spammer.
- If there's ever any doubt, err on the side of caution. A real business trying to contact you about something important will try more than once, so if you ignore a genuine message you'll eventually hear about it anyway.
For updated information, check out the Anti-Phishing Working Group's site. Yes, that link is safe to click on!