One way to hook a fish is to use a lure so realistic that the fish thinks it's food. Phishing on the Web works the same way. Thieves send an e-mail message or instant message that appears to come from a reputable company. It capitalizes on your employees' (or customers') trust of a respected brand by enticing them to click a link.
Clicking the link may take them to an equally convincing (and equally fake) Web page or pop-up window that's been set up to imitate the legitimate business, or they could be prompted to call a customer support number. Either way, they're asked to divulge sensitive personal information such as Social Security numbers, bank account or credit card numbers, passwords, or personal identification numbers (PINs) that can be used to access their accounts or steal their identity.
There's another possibility: clicking that link could plant spyware that can track every keystroke and steal sensitive information as it is typed. These "keystroke loggers" can watch for visits to banking, e-mail, and other online accounts and send passwords and account numbers to the crook.
Keep up with phishers' tricks. For the latest phishing schemes and statistics, visit the Anti-Phishing Working Group, an association dedicated to eliminating online fraud and identity theft.
Many small-business owners believe that they don't need to worry much about security. "After all," they reason, "who would want to target my business when there are so many bigger fish out there?" While it's true that small businesses are not directly attacked as often as larger ones, they do end up as part of larger attacks, such as efforts to harvest credit card numbers. And as security tightens at larger companies, small business networks look increasingly tempting. Also, it's not safe to assume that all attacks come from the outside.
Obviously any employees who get hooked by a phisher could put their financial status and credit, even their identities, at risk. But your company stands to lose even more. If cyberthieves use hacker technology to gain access to company networks through an employee's compromised computer, they could steal proprietary information such as customer and mailing lists, trade secrets, or other intellectual assets. Theft of your customers' confidential information could have a disastrous effect on your company and could damage the trust your customers place in your company and its good name.
Given the potential for damage, it makes sense to take defensive action and do what you can to protect your company from a phishing assault. Here are four ways you can help protect your company.
You wouldn't leave your building unlocked at night; take the same kind of precautions with the security of company information. Luckily, securing your business is easier than you might think.
Lay the protective groundwork for a more secure network
• Protect your network and all the PCs on it with an Internet firewall. This is software or hardware (often integrated into the router or DSL or cable modem supplied by your ISP) that creates a protective barrier between your network and the Internet and can block potential intruders from gaining access.
• Install antivirus software on all the computers on your network.
Follow these step-by-step instructions to protect your company's desktops and laptops.
Keep your software up to date
Unfortunately, it's not enough to protect your system once. Phishers hope you haven't been applying the latest security measures so they can try to exploit vulnerabilities.
• Regularly download the latest anti-spyware and antivirus updates. Most programs can be set to scan your system automatically.
• Keep Microsoft Windows and Microsoft Office current. Visit Microsoft Update to get the latest high-priority updates for Windows, Office, and other Microsoft programs. (Windows XP Service Pack 2 in particular prevents the display of fraudulent Web addresses, so you can verify the real source of the site you're visiting.) You can get the most critical updates without fail by turning on Automatic Updates for every company computer.
Take seven basic steps to help improve the overall security of your business computer network. These strategies were created expressly for the small business owner—not for computer gurus—to address the major security threats your business may face.
• Make it harder for spam to get through. Start by using filtering technologies to screen phishing e-mail messages before they reach your employees. For example, if you use Outlook 2003, you automatically get the advantages of Microsoft SmartScreen Technology without any additional cost.
• Install a pop-up blocker such as the MSN Pop-up Guard or the one that comes with Windows XP Service Pack 2. With a pop-up blocker, your employees may never even see many of the pop-up windows that might be tied to a phishing attempt.
Internet Explorer 7, to be released soon, will include Microsoft Phishing Filter, a feature designed to help detect phony phishing Web sites.
Make sure that the e-mail messages you send to customers don't inadvertently send the wrong message by using the same techniques phishers use—for example, criminals try to create a sense of urgency so that recipients respond without thinking.
• Let your customers know that you will never send e-mail messages that request personal information via links to click, and make sure every employee follows through. Consider an approach similar to the example below. You can teach your customers good protective behavior by modeling it in your communications.
• Refrain from urging customers to take immediate action, another phishing tip-off.
• Check every e-mail message for correct grammar and spelling before you send it. Such errors are common in a phishing message.
It's often extremely difficult even for experts to distinguish between a slick scam and an authentic e-mail message. You can learn to spot some warning signs of phishing, but the best protection is vigilance—and taking the following precautions.
Provide phishing education
To teach your employees about phishing, have them start with a test of their phishing IQ and suggest they check out how realistic a phishing scam can be. Then print the MSN brochure (PDF) How to Protect Yourself from Spam Scams for advice that includes what to do if you've been taken by a phisher.
Create a company policy on Internet use
Your company Internet policy should outline responsible use of the Internet. It should include information on when employees can browse the Web for personal use and should spell out what Web activity is not allowed. Get help creating an Internet use policy.
Never give personal information in an e-mail message, instant message, or pop-up window
Most businesses will not use these methods to ask for confidential information. Plus, these are not innately secure means of communicating. Be wary of clicking any link in an e-mail message, instant message, or pop-up window that asks for personal information. Doing so could take you to a phony Web site where any information you provide may be sent to a scam artist.
Suggest that employees who are unsure whether an e-mail message is legitimate call the phone number listed on the company's statement or in the phone book. To visit the Web site, type the address into the Address bar or use a Favorites bookmark.
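The tip-offs described above (urgency wording, requests for personal data, and links whose visible text shows one address while the real destination is another) can be checked mechanically. The following scanner is an added example written for this article, not a Microsoft tool or code from the original page; the phrase lists, the `scan_message` function, and the two sample messages are all constructed here for illustration. It also shows why the advice to type the address into the Address bar matters: the second link in the sample looks like a bank address but leads somewhere else.

```python
"""Scan an e-mail body for common phishing tip-offs (added example, standard library only).

Checks three things: links that are not https, links whose visible text names a
different site than the href actually points to, and wording that creates
urgency or asks for personal data. Phrase lists and samples are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists; a real deployment would tune these to its own mail.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "act now", "verify your account")
PERSONAL_DATA = ("password", "social security", "pin", "credit card", "account number")

# Visible link text that looks like a Web address (with or without a scheme).
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase host of a URL, or of bare text such as www.example.com."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _same_site(a, b):
    """Simplified comparison: hosts match when their last two labels agree."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def scan_message(html):
    """Return a list of human-readable findings; an empty list means no tip-offs."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        if not href.lower().startswith("https://"):
            findings.append(f"non-https link: {href}")
        if DOMAIN_LIKE.match(text) and not _same_site(_host(text), _host(href)):
            findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in URGENCY_PHRASES:
        if re.search(r"\b" + re.escape(phrase) + r"\b", plain):
            findings.append(f"urgency wording: {phrase!r}")
    for phrase in PERSONAL_DATA:
        if re.search(r"\b" + re.escape(phrase) + r"\b", plain):
            findings.append(f"asks for personal data: {phrase!r}")
    return findings


# Constructed samples: a phishing-style message and a message that follows the advice.
SAMPLE_PHISH = """<p>Dear customer, your account will be suspended unless you
verify your account within 24 hours.</p>
<p>Go to <a href="http://203.0.113.7/login">https://www.example-bank.com/login</a>
and enter your password and PIN.</p>"""

SAMPLE_CLEAN = """<p>Hello, your February statement is ready. To view it, type
www.example-bank.com into your browser's Address bar; we never link to
sign-in pages from e-mail.</p>"""

if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(body) or ["no tip-offs found"])
```

The same function can be run over outgoing customer mail before it is sent, which is the point of the earlier advice about not mimicking phishers' methods in your own messages.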
If you're using MSN Hotmail, you'll notice a new alert (shown below) that will help you determine if you should be suspicious of a given e-mail message before you open it.

Sender ID checks the domain in the sender's e-mail address against the address of the server that actually sent the message, to make sure senders are who they say they are.
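To show what that check involves, here is an added example (not Hotmail's Sender ID implementation and not code from the original article) that evaluates a simplified SPF-style policy. A domain publishes, in a DNS TXT record, which server addresses may send mail for it; the receiving server looks up that record for the sender's domain and tests the connecting IP address against it. The DNS records, domain names, and IP addresses below are constructed, and only the `ip4`, `a`, `include`, and `all` mechanisms are handled (no macros, `mx`, or the PRA/MAIL FROM distinction that real Sender ID makes).

```python
"""Simplified SPF/Sender ID evaluation over constructed DNS data (added example).

A receiver asks: is sender_ip allowed to send mail for this domain? The answer
comes from the domain's published policy. Real implementations resolve DNS;
this one reads from the dictionaries below.
"""
import ipaddress

# Constructed "DNS": domain -> SPF TXT record, and hostname -> A record.
SPF_RECORDS = {
    "example-bank.com": ("v=spf1 ip4:198.51.100.0/24 a:mail.example-bank.com "
                         "include:_spf.mailvendor.example -all"),
    "_spf.mailvendor.example": "v=spf1 ip4:203.0.113.32/27 ~all",
    "example-shop.example": "v=spf1 +all",   # a policy that lets anyone send
}
A_RECORDS = {"mail.example-bank.com": "192.0.2.25"}

# Result produced when a mechanism matches, keyed by its qualifier prefix.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, _depth=0):
    """Return pass, fail, softfail, neutral, none, or permerror."""
    if _depth > 10:                      # bound include recursion, as SPF does
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"                    # domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                  # mechanisms default to "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain         # bare "a" means the domain itself
            matched = A_RECORDS.get(host) == str(ip)
        elif name == "include":
            # include matches only when the referenced policy yields "pass"
            matched = check_spf(arg, sender_ip, _depth + 1) == "pass"
        else:
            return "permerror"           # mechanism this example does not handle
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and no "all" term


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.25", "203.0.113.40", "203.0.113.99"):
        print(f"{ip:>14} sending as example-bank.com -> {check_spf('example-bank.com', ip)}")
```

The last address in the demo falls outside every allowed range, so the trailing `-all` turns it into a "fail": that is the case a receiver such as Hotmail can flag to the reader before the message is opened.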
Check for signs that the Web site protects sensitive data
Phishers can fake the Web address that your browser, such as Internet Explorer, displays. If you have even the slightest doubt about a site's legitimacy, play it safe and leave.
Before you provide financial or personal data on a Web site:
• Check for signs of data encryption, a security measure that helps protect sensitive data as it travels over the Internet. Look for https (s for secure) in the Web address.
• Double-click the padlock or key (which can be faked) to ensure that the "Issued by" name on the security certificate
Related Links
• Learn about phishing with phones
• Read a plain-English intro to viruses and criminal hacking
• Watch a Microsoft security team webcast: Phishing: Don't Get Hooked (You'll need to provide your name and e-mail address to watch the webcast).