Phishing, pronounced “fishing,” is a scam in which Internet fraudsters send spam email or pop-up messages (a form of crimeware) to lure personal and financial information out of unsuspecting victims. The email or message directs the user to a website where they are asked to update personal information, such as passwords, credit card numbers, Social Security numbers, and bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the user’s information.
Recently, fraudsters have increased their phishing activities dramatically. The Anti-Phishing Working Group (APWG), a consortium of Internet service providers, security vendors, financial institutions, and law enforcement agencies, reports that the number of sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December 2008, an 827 percent increase from January 2008.
The U.S. Department of the Treasury has worked with businesses that have been victimized to identify measures to prevent, detect, and respond to phishing attacks. These measures are summarized below.
Measures to prevent falling victim to phishing
- Personalize emails to consumers so that they are assured of their legitimacy.
- Keep website certificates up-to-date so that consumers are assured of the site’s legitimacy.
- Remind consumers to obtain and use the latest patch for their web browser and/or operating system software.
- Provide on websites a domestic telephone number for consumers to call to verify email requests for information.
- Register domain names that are similar to the firm’s own so that consumers do not confuse them with the legitimate website.
- Establish a trademark for the domain name of the firm. Under the Anticybersquatting Consumer Protection Act (ACPA), a firm may be able to initiate immediate action in federal district court against a suspicious website to protect the firm’s trademark.
Measures to detect phishing attacks
- Monitor the use of trademarks and key content by suspicious users on the Internet.
- Monitor the Internet for fraudulent variations of the firm’s name, trademark, seal, or website address.
- Instruct call center employees to identify and notify management of reports of suspicious emails.
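One way to carry out the monitoring for fraudulent variations of the firm's name and website address described above, and to check the look-alike names the prevention list says a firm should register itself, is to score each newly observed domain name against the firm's own registered domain. The following is an added example and not code from the Treasury guidance or from any firm's tooling; the firm domain `examplebank.com`, the homoglyph table and the observed-domain list are constructed for illustration, and in practice the list would be fed from a certificate transparency log or a newly-registered-domain feed.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical firm domain (assumption); replace with the firm's real registered name.
FIRM_DOMAIN = "examplebank.com"

# Character substitutions commonly used to make a name look like another (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, tld) so that a firm's own subdomains compare equal to the firm."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def normalize(label: str) -> str:
    """Collapse homoglyph substitutions so that 'examp1ebank' becomes 'examplebank'."""
    out = label
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-keystroke typos and transpositions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, firm: str = FIRM_DOMAIN) -> Optional[str]:
    """Return why `candidate` looks like a variation of `firm`, or None if it does not."""
    f_label, f_tld = split_domain(firm)
    c_label, c_tld = split_domain(candidate)
    if (c_label, c_tld) == (f_label, f_tld):
        return None  # the firm's own domain or one of its subdomains
    if c_label == f_label and c_tld != f_tld:
        return "tld-swap"  # same name under a different top-level domain
    norm = normalize(c_label)
    if norm == normalize(f_label):
        return "homoglyph"  # digits or letter pairs standing in for real letters
    stripped = re.sub(r"[-_]", "", c_label)
    if f_label in normalize(stripped):
        return "brand-embedded"  # e.g. examplebank-login, secureexamplebank
    # Allow roughly one edit per five characters so short names do not over-match.
    threshold = max(1, len(f_label) // 5)
    dist = edit_distance(norm, f_label)
    if dist <= threshold:
        return f"typo (distance {dist})"
    return None


def scan(observed: List[str], firm: str = FIRM_DOMAIN) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every observed domain that resembles the firm's."""
    hits = []
    for domain in observed:
        reason = classify(domain, firm)
        if reason is not None:
            hits.append((domain, reason))
    return hits


# Constructed sample of domains as they might arrive from a registration or CT-log feed.
OBSERVED = [
    "examplebank.com",         # the firm's own domain: not flagged
    "secure.examplebank.com",  # the firm's own subdomain: not flagged
    "examplebank.net",         # same name, different TLD
    "examp1ebank.com",         # digit one in place of letter l
    "examplebank-login.com",   # brand name with a lure word appended
    "exampelbank.com",         # transposed letters
    "weather.com",             # unrelated: not flagged
]

if __name__ == "__main__":
    for domain, reason in scan(OBSERVED):
        print(f"{domain:28} {reason}")
```

Flagged names are leads for the response steps that follow (alerting consumers, contacting the hosting ISP and law enforcement), not verdicts: a firm's own affiliates or resellers may legitimately use brand-embedded names, so each hit should be checked against the firm's list of authorized domains before action is taken.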
Measures to respond to phishing
- Promptly post a prominent alert describing the incident on the firm’s website.
- Contact consumers by email or postal mail warning them not to respond to suspicious emails. Remind consumers of the firm’s official policy of not soliciting sensitive information through emails.
- Alert staff and third-party vendors of an attack and ask that they watch out for unusual activity.
- Advise those consumers who have fallen victim to the attack to change their passwords and report the attack to the Federal Trade Commission (FTC).
- Contact the Internet Service Provider (ISP) hosting the illegitimate website and ask that the illegitimate site be shut down. Ask the ISP to disclose the identity of the owner of the illegitimate website.
- Contact a law enforcement agency, such as the field offices of the U.S. Secret Service or the Federal Bureau of Investigation (FBI), to pursue a subpoena or other appropriate remedy to identify the owner of the illegitimate website.
- Forward any phishing email to the FTC or file a complaint on the identity theft website of the FTC.
- Report the phishing attack to the Internet Crime Complaint Center, a partnership between the FBI, the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).
171-0914 (1/14) LC 10-185H