
Latest ESET whitepaper focuses on Phishing

ESET: 23 August 2007 (Technical Article)
Phishing whitepaper details background of prolific internet fraud technique and what corporations can do to prevent it.
ESET has announced its latest whitepaper "A Pretty Kettle of Phish", which looks at how one of the most popular tactics used by criminals today has developed, and what organisations and individuals can do to protect themselves.

The whitepaper's authors, Andrew Lee and David Harley, note that phishing gangs now operate a complex infrastructure that closely resembles any other supply-and-demand economy, with different departments responsible for each aspect of the business. This includes closing the phishing economy cycle by purchasing legitimate goods with stolen credit cards and selling them on through spam emails. One manifestation of these money-laundering activities is the mule solicitation email offering "financial management" jobs, which amount to nothing more than receiving money and passing it further up the chain after taking a percentage as commission.

The authors highlight that bad practice by legitimate organisations, such as unnecessary URL redirects to completely different domains, adds to user confusion and plays into the hands of criminals. In addition, the whitepaper points out that phishing quizzes, often used to educate users, can be inadequate or misleading in their attempt to show what should be considered 'suspicious', bewildering users further.

"Too often in security we see a problem exacerbated by well-meant, but ill-founded advice from a wide range of sources," says Andrew Lee, CRO of ESET and co-author of the whitepaper. "There is still confusion in abundance about the nature of phishing, but correct user education can be a great defence. Protecting individual employees against phishing may not come under the label of duty of care, but helping to prevent it allows companies to avoid the complications that can ensue when an employee is defrauded."

As the whitepaper concludes, there is no better defence against a threat founded on social engineering and psychological manipulation than the dispelling of ignorance.

In addition, hints and useful references are given throughout the whitepaper to help further education. Although they cannot guarantee that a user will never become a victim, following them will help to reduce the risk.

Top tips include:

* Create an email address for each specific banking account, e.g. mybankingemail. Use that address exclusively for that activity, never publishing it anywhere or using it to send email. This gives you an easy way of checking that a message was sent to you at the correct address. If an email claiming to come from the bank does not use that address, regard it as highly suspicious.

* Don't be intimidated by message headers; learn to read the basics. If the mail is not addressed to anyone, it was blind-copied to you and many others: do not trust it. If it is just addressed to 'customer' and contains sensitive information such as banking data, that suggests an inappropriate lack of personalisation.

* If you receive an email and you do have an account with the institution, but the message is not addressed using your own name or a specific identifier such as a verifiable account number, regard it as highly suspicious. If the only identifier is your email address, that is still suspicious: it is trivial to insert the email address into the message. Assume that it is not genuine.

* Even when an email looks genuine, do not click on embedded URLs. If a relationship with the organisation exists, you should already have a standard login procedure; use that. If you need to contact them by phone, avoid using phone numbers included in the message. Just as web sites can be spoofed, so can telephone numbers.

* Phishing emails are often sent with a notice that urgent resolution is required. There really isn't any reason you should need to respond to a request within 24hrs - even utility companies give you seven days' notice before they cut you off. Urgency also works to the advantage of the phisher, who often needs a quick response before law enforcement and other countermeasures are put into place. Just hit the delete key.
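The tips above can be turned into a simple mail-triage check. The following script is an added example, not code from ESET or the whitepaper; it applies the list's heuristics (dedicated banking address, missing recipient, generic or email-only greeting, embedded link, urgency) to a message using only Python's standard library. The dedicated address, the indicator labels and both sample messages are constructed for illustration.

```python
# Added example (not from the ESET whitepaper): applies the article's tips to a raw message.
import re
from email import message_from_string
from email.utils import getaddresses

DEDICATED_BANK_ADDRESS = "mybankingemail@example.net"  # assumed, created solely for the bank (tip 1)
GREETING = re.compile(r"^\s*dear\s+((valued\s+)?(customer|user|member)\b|\S+@\S+)", re.I)
URGENCY = re.compile(r"\b(within|in)\s+\d+\s*(hours|hrs)\b|\bimmediately\b|\bsuspend", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def phish_indicators(raw_message, expected_to=DEDICATED_BANK_ADDRESS):
    """Return the article's heuristics this message trips (empty list = none tripped)."""
    msg = message_from_string(raw_message)
    hits = []
    # Tips 1-2: the mail must be addressed to someone, and to the dedicated address.
    recipients = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    if not recipients:
        hits.append("no visible recipient (blind-copied)")
    elif expected_to.lower() not in recipients:
        hits.append("not sent to the dedicated banking address")
    # Take the first text/plain part (a single-part message yields itself from walk()).
    part = next(p for p in msg.walk() if p.get_content_type() == "text/plain")
    body = part.get_payload(decode=True).decode("utf-8", "replace")
    greeting = next((line for line in body.splitlines() if line.strip()), "")
    # Tips 2-3: 'Dear Customer', or a greeting that only uses your email address.
    if GREETING.match(greeting):
        hits.append("generic greeting, no personal identifier")
    # Tip 4: an embedded link invites you to bypass your normal login procedure.
    if URL.search(body):
        hits.append("embedded URL")
    # Tip 5: artificial deadlines and threats of suspension, in subject or body.
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        hits.append("urgency pressure")
    return hits


# Constructed sample: no To: header, generic greeting, a link and a 24-hour deadline.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank.invalid>
Subject: Account suspended

Dear Customer,
Verify your details within 24hrs at http://example-bank.login-verify.test/
"""
# Constructed sample: sent to the dedicated address, by name, with no link or deadline.
SAMPLE_LEGIT = """\
From: "Example Bank" <statements@example-bank.invalid>
To: Jane Doe <mybankingemail@example.net>
Subject: Your statement is ready

Dear Jane Doe,
Your statement for account ending 4821 is ready via your usual login.
"""
```

Calling `phish_indicators(SAMPLE_PHISH)` trips all four checks, while `phish_indicators(SAMPLE_LEGIT)` returns an empty list; the regexes are deliberately coarse and are a starting point, not a substitute for a mail filter.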

The whitepaper is available to download from the ESET web site.