Gone Phishin’…Be Back after System Failure

Phishing scams may seem like a consumer problem, but they can quickly become a company’s public image nightmare. What is phishing, and can you protect your customers from it?

Ever heard a customer tell you this story?

“Dear user,” the email read. “Due to inactivity, your account is set for cancellation, and you will lose your saved emails. Please go to our website and log in to keep your account current.” The email looked official, with your logo and the usual legal disclaimers. I clicked on the link, submitted my username and password, and…

BAM! I got phished. Within minutes, my email sent spam to everyone I know. My inbox filled with angry responses, my friends abandoned me, and I ended up going out in disguise so people wouldn’t beat me up for being a sucker.

Hopefully, you’ve yet to hear such a complaint, but being phished can be a nightmare for clients and a liability for you. Phishing scammers are tireless in their pursuit of insufficiently skeptical people who can be fooled into parting with their credentials for their email accounts, bank and credit card accounts, and the like. And increasingly, companies are having a hard time protecting their customers from it. But why?

That’s a Mightily Tempting Lure

Just to get the basics out of the way, phishing (not to be confused with the similarly named band) is a hacking technique that uses phony emails and websites, posing as legitimate banks, payment services, government agencies, and more, in an attempt to fool people into providing their usernames and passwords.

If you think that most of your customers—especially people who work with computers all the time—have gotten wise to phishing scams, just know that the recent data breaches at retailers Target and Home Depot were both the result of phishing attacks. Smart people in IT were fooled into giving out credentials that gave hackers access to millions of credit card records. Bottom line: Phishing is still a large and growing problem.

Resistance Is Futile

And if that weren’t enough, hackers are getting more sophisticated. Many phishing emails are still crude approximations of legitimate provider emails, and are easy to spot (misspellings, emulating providers you have no account with, and so on). But some are startlingly close to the real thing, and if hackers have some information about you already, they can engage in “spear phishing,” which targets specific individuals.

If your website has user accounts—either for customers, or for administrative access to your site—you are a potential phishing target. What can you do?

The sad truth is, not much.

Much of the onus for stopping phishing attacks rests on users recognizing phishing emails, but as the hackers’ sophistication increases, the reliability of this approach drops sharply. Browsers and email clients include code that attempts to recognize phishing emails and phony websites, but it is not always reliable either, and it always seems to be a step behind the hackers.

3 Ways to Make Phishing More Difficult

There are some techniques that you can implement on your site to reduce the threat of phishing.

  1. Many banks and similar sites require users to select an image that appears when the user submits his or her username; the user enters the password only on confirming that the image presented is the correct one.
  2. Other sites go a step further, requiring users to select not just one image but a category of images; the image for the category “dogs” may be a Belgian shepherd for one visit and a standard poodle the next. Still, these techniques rely to some degree on user education; users have to know that there is only one way to log in to the site, and there are no “special” log-in pages (without the images) as might be implied by the phishing email.
  3. Get smarter customers. Okay, maybe that came off wrong. How about, educate your customers. Most financial institutions make it very clear that they’ll never ask for a user’s password over the phone or via an email. Often, that includes not providing links to login pages. Adopt a similar policy and include a mention of it in each email you send. A phishing email will be hard-pressed to look just like one you send while including both the disclaimer and a link that contradicts it.
  4. While you’re at it, why not make it clear that all login pages always have the same domain name as your site? Most phishing emails rely on sending a person to a domain name that looks similar to the original (WelsFurgo.com, anyone?).
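As an added illustration of the domain-name policy in item 4 (example code, not from the original article): a check that scans an email body for links and flags any host that is not the site's own domain or a subdomain of it, including near-miss spellings like the WelsFurgo.com example and the real name buried inside someone else's domain. The legitimate domain and the sample email body are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the site's real domain. Substitute your own.
LEGIT_DOMAIN = "wellsfargo.com"

# Constructed sample email body (not taken from any real campaign).
SAMPLE_EMAIL = """Dear user, your account is set for cancellation.
Log in at https://online.wellsfargo.com/login to keep it current,
or use our quick link https://WelsFurgo.com/login
or https://wellsfargo.com.account-verify.example/login"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: count of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> str:
    """'ok' for the site's domain or a subdomain, 'lookalike' for near misses, else 'foreign'."""
    host = host.lower().rstrip(".")
    legit = legit.lower()
    if host == legit or host.endswith("." + legit):
        return "ok"
    # Real name embedded as a label of another domain, or a spelling within a few edits.
    if legit in host or edit_distance(host, legit) <= max_distance:
        return "lookalike"
    return "foreign"


def check_links(body: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Map every http(s) URL found in an email body to its host classification."""
    result = {}
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        result[url] = classify_host(host, legit)
    return result


if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE_EMAIL).items():
        print(f"{verdict:9} {url}")
```

Run the same check over your own outgoing templates to enforce the policy, and over reported emails to triage what customers forward you.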

Ultimately, phishing exploits human weaknesses, such as fear and greed. As long as those persist, phishers will find success. Technical solutions may work but will never be 100 percent reliable, and even the best ones are good only until phishers find a way around them.

The best thing you can do is educate yourself and others. If it’s too good to be true (no one is going to send you $17,000 out of the blue), doesn’t make sense (your account is active; you used it yesterday), or something is just not quite right, treat it as a phishing attack until proven otherwise through other communication channels.

If it seems…phishy (sorry!), it probably is.