Updated: March 11, 2004

Phishing: Don’t Get Hooked: The Checklist


UPDATE: The Windows Application Compatibility Toolkit (ACT) 4.0 referred to in the March Security360 Progress Update has been released! For more information and to download the new ACT 4.0, visit http://www.microsoft.com/windows/appcompatibility/default.mspx

1. Implement security protections to reduce the vectors of attack.

Have a strategy to reduce spam. Start by implementing filtering technologies at multiple layers of the network—the gateway, the e-mail server, and the desktop client—to stop phishing e-mails before they reach your users. For example, use the SmartScreen technology found in Exchange Server 2003 and in Outlook 2003. SmartScreen is one of the technologies used to block over 3 billion unwanted e-mail messages per day in e-mail services such as Hotmail. You may also want to use the filtering capabilities in ISA Server 2004.

Use the pop-up blocker in Windows XP Service Pack 2 to protect users from phishing attempts through the browser. Windows XP Service Pack 2 also prevents the display of fraudulent URLs in the address bar, allowing users to verify the real source of the site they are visiting.

Publish your Sender Policy Framework (SPF) record so that receiving systems can perform the Sender ID Framework check. Sender ID verifies that the server delivering a message is authorized to send mail for the sender's domain, which protects against spoofed or forged e-mail messages, a leading source of phishing scams. To learn more about this, visit http://www.microsoft.com/senderid.
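As an added illustration (not part of the original checklist), the following Python script shows what a receiving mail server does with the SPF record you publish: it parses the record and decides whether a given sending IP address is authorized for the domain. The record and IP addresses are constructed examples, and the DNS-dependent mechanisms (include, a, mx) are deliberately left out so the script runs offline.

```python
import ipaddress

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) tuples.

    Only the DNS-free mechanisms ip4, ip6 and all are evaluated by this
    example; include/a/mx/exists need live DNS lookups and are skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # no prefix means '+' (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip.

    Mechanisms are tested left to right; the first match decides, and a
    record with no match and no 'all' term yields 'neutral'.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # Any other mechanism would require DNS; ignored in this offline example.
    return "neutral"


# Constructed record for a hypothetical domain: two authorized ranges, one
# range that only softfails, and everything else rejected.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.5 ~ip4:203.0.113.0/24 -all"

if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.5", "203.0.113.9", "198.51.100.6"):
        print(ip, evaluate_spf(SAMPLE_RECORD, ip))
```

A forged message claiming to come from the domain but sent from an IP outside the listed ranges hits the trailing -all and fails, which is what the receiving filter acts on.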

Consider implementing Internet Explorer Zone Management features within Active Directory. This gives you greater control over content from external or untrusted Web sites.


Of course, you should always make sure that anti-virus and desktop firewall software is installed on all the computers in your network and that the network is protected by an Internet firewall.


2. In your organization, create, communicate, and enforce an Acceptable Use Policy. An Acceptable Use Policy provides guidelines for responsible use of the Internet, company e-mail, and other work-related technical resources.

Tell your employees to avoid untrusted Web sites. You can use technologies such as ISA Server 2004 and partner solutions such as SurfControl to enforce this policy.

Educate employees about the dangers of opening e-mail messages and attachments from people they do not know. If you use Outlook, you can also encourage your employees to create Safelists to block messages from unknown senders and domains.


3. Educate your customers and employees about safeguarding personal information. Advise them to take the following precautions:

Never respond to requests for personal information through e-mail or in a pop-up window. If in doubt, call the institution that claims to be the source of the e-mail or pop-up window.

Do not use links in e-mail to visit Web sites; type the URL into your address bar.

Always make sure a Web site is using encryption before you provide financial or personal information.

Routinely review your credit card and bank statements.

Report suspected abuses of your personal information to the proper authorities.


4. Implement a reporting facility.

Join the Phish Report Network at http://www.phishreport.net.

Encourage your users to submit suspicious e-mail messages for evaluation.


5. Support industry self-regulation. Phishing cannot be stopped without industry cooperation.

Become active in the Anti-Phishing Working Group at http://antiphishing.org.

Work with government officials to develop effective legislation and policy.


Related Resources

Windows Application Compatibility Toolkit (ACT) 4.0

WholeSecurity
Get more information about anti-phishing technology

RSA Security
Understand how your organization can help combat identity theft.