Don't Let Your Company Get Hooked by Phishing

Published: July 27, 2005

How Phishing Works

One way to hook a fish is to use a lure so realistic that the fish thinks it's food. Phishing on the Web works the same way. Thieves send an e-mail message or instant message that appears to come from a reputable company. It capitalizes on your employees' (or customers') trust in a respected brand by enticing them to click a link. Clicking the link may take them to an equally convincing (and equally fake) Web page or pop-up window set up to imitate the legitimate business, or they may be prompted to call a customer support number. Either way, they're asked to divulge sensitive personal information such as Social Security numbers, bank account or credit card numbers, passwords, or personal identification numbers (PINs) that can be used to access their accounts or steal their identity.

There's another possibility: clicking that link could install spyware that records every keystroke and steals sensitive information as it is typed. These "keystroke loggers" can watch for visits to banking, e-mail, and other online accounts and send passwords and account numbers to the crook.

Keep up with phishers' tricks. For the latest phishing schemes and statistics, visit the Anti-Phishing Working Group, an association dedicated to eliminating online fraud and identity theft.

How Phishing Can Hurt Your Business

Many small-business owners believe that they don't need to worry much about security. "After all," they reason, "who would want to target my business when there are so many bigger fish out there?" While it's true that small businesses are not directly attacked as often as larger ones, they do end up as part of larger attacks, such as efforts to harvest credit card numbers. And as security tightens at larger companies, small business networks look increasingly tempting. Also, it's not safe to assume that all attacks come from the outside.
Obviously, any employee who gets hooked by a phisher puts their own financial status and credit, even their identity, at risk. But your company stands to lose even more. If cyberthieves use an employee's compromised computer as a way into the company network, they could steal proprietary information such as customer and mailing lists, trade secrets, or other intellectual assets. Theft of your customers' confidential information could have a disastrous effect on your company and could damage the trust your customers place in your company and its good name.

How to Help Keep Your Company Off a Phisher's Hook

Given the potential for damage, it makes sense to take defensive action and do what you can to protect your company from a phishing assault. Here are four ways you can help protect your company.

1. Make sure the defenses of company computers are strong and up to date

You wouldn't leave your building unlocked at night; take the same kind of precautions with the security of company information. Luckily, securing your business is easier than you might think.

Lay the protective groundwork for a more secure network

Follow these step-by-step instructions to protect your company's desktops and laptops.

Keep your software up to date

Unfortunately, it's not enough to protect your system once. Phishers count on you not having applied the latest security updates, so that the link in a message can lead to a page that exploits a known vulnerability in your browser or other software. Take seven basic steps to help improve the overall security of your business computer network. These strategies were created expressly for the small business owner, not for computer gurus, to address the major security threats your business may face.

2. Reduce your exposure to phishing

Internet Explorer 7, to be released soon, will include the Microsoft Phishing Filter, a feature designed to help detect phony phishing Web sites.

3. Don't act like a phisher

Make sure that e-mail messages sent to customers don't inadvertently send the wrong message by using the methods that phishers use. For example, criminals create a sense of urgency so that you'll respond without thinking; your own messages should not press customers to click a link and enter account details right away.
4. Educate your employees about phishing

It's often extremely difficult even for experts to distinguish between a slick scam and an authentic e-mail message. You can learn to spot some warning signs of phishing, but the best protection is vigilance, together with the following precautions.

Provide phishing education

To teach your employees about phishing, have them start with a test of their phishing IQ and suggest they check out how realistic a phishing scam can be. Then print the MSN brochure (PDF) How to Protect Yourself from Spam Scams for advice that includes what to do if you've been taken in by a phisher.

Create a company policy on Internet use

Your company Internet policy should outline responsible use of the Internet. It should state when employees may browse the Web for personal use and spell out what Web activity is not allowed. Get help creating an Internet use policy.

Never give personal information in an e-mail message, instant message, or pop-up window

Most businesses will not use these methods to ask for confidential information, and none of them is an inherently secure channel. Be wary of clicking any link in an e-mail message, instant message, or pop-up window that asks for personal information: it could take you to a phony Web site where any information you provide is sent to a scam artist. Suggest that employees who are unsure whether a message is legitimate call the phone number listed on the company's statement or in the phone book rather than any number in the message. To visit the Web site, type the address into the Address bar or use a Favorites bookmark rather than following the link.

If you're using MSN Hotmail, you'll notice a new alert that helps you decide whether to be suspicious of a message before you open it. The alert comes from Sender ID, which compares the domain in the message's sender address with the list of mail servers that domain has published in DNS; a message that claims to come from a domain but arrives from a server the domain has not authorized is flagged.
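The Sender ID check described above works by looking up a policy that the sending domain publishes in DNS and comparing it with the address the message actually came from. The following is an added example, not code from the original page or from Microsoft or Hotmail: it evaluates a simplified SPF-style policy (the same family of DNS record Sender ID consults) for a message's sender domain against the connecting IP address. DNS lookups are replaced by a constructed in-memory table, every domain, address and record in it is made up for the example, and only the ip4/ip6 and all mechanisms are handled; real deployments also resolve include:, a, mx and redirect, and Sender ID proper derives the checked address from several headers rather than From alone.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these domains, addresses and
# records are made up for the example and nothing is queried over the network.
FAKE_DNS_TXT = {
    "examplebank.test": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "partner.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nopolicy.test": "some unrelated TXT record",
}

# Qualifier that prefixes a mechanism -> result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf_record(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    txt = FAKE_DNS_TXT.get(domain.lower(), "")
    return txt if txt.startswith("v=spf1 ") else None


def evaluate_spf(domain, client_ip):
    """Evaluate the domain's published policy against the connecting IP.

    Only the ip4/ip6 and all mechanisms are implemented; include:, a, mx
    and redirect would require further DNS lookups and are left out.
    """
    record = lookup_spf_record(domain)
    if record is None:
        return "none"                        # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip in network:                # False when IP versions differ
                return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # nothing matched and no "all"


def sender_address_domain(header_value):
    """Pull the domain out of a From/Sender header such as 'Name <a@b.test>'."""
    address = header_value.strip()
    if address.endswith(">") and "<" in address:
        address = address[address.rfind("<") + 1:-1]
    return address.rsplit("@", 1)[-1].lower()


def sender_id_check(from_header, client_ip):
    """Result of checking the header's domain against the IP that sent the mail."""
    return evaluate_spf(sender_address_domain(from_header), client_ip)


if __name__ == "__main__":
    # A constructed message that claims to be from examplebank.test but
    # arrived from an address outside the range the bank publishes: "fail".
    print(sender_id_check("Example Bank <alerts@examplebank.test>", "192.0.2.10"))
```

A "fail" result is the signal the Hotmail alert surfaces; "none" (no policy published) is the common case for small businesses that have not yet published a record, which is why publishing one for your own domain is part of not acting like a phisher.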
Check for signs that the Web site protects sensitive data

Phishers can fake the Web address that your browser, such as Internet Explorer, displays. If you have even the slightest doubt about a site's legitimacy, play it safe and leave. Before you provide financial or personal data on a Web site:
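The advice above to type the address rather than follow the link exists because the text of a link and its real destination can differ. The following is an added example, not from the original page: a small scanner that pulls every link out of an HTML message body and reports the signs a practitioner looks for, a target that is not https, a user@ portion that hides the real host, a bare IP address, visible text naming one domain while the link goes to another, and a trusted brand name buried inside a host that belongs to someone else. The message body, the domains and the TRUSTED_DOMAINS set are constructed for the example, and registrable_domain is a deliberately crude "last two labels" heuristic; a real tool would use the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the domains your organization really uses for customer-facing sites.
TRUSTED_DOMAINS = {"examplebank.test"}

# Constructed phishing-style HTML body; nothing here is a real message or site.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be locked in 24 hours.</p>
<p>Sign in at <a href="http://examplebank.test.secure-login.example/verify">
https://www.examplebank.test/verify</a> to keep access.</p>
<p>Questions? Visit <a href="https://www.examplebank.test/help">www.examplebank.test</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Crude owner domain: the last two labels (no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A domain or URL-looking token inside the link's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def link_warnings(href, visible_text):
    """Reasons a link looks like it leads somewhere other than it claims."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append("link is not https")
    if parts.username is not None:
        warnings.append("user@ before the host name, which hides the real host")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        warnings.append("host is a bare IP address")
    m = DOMAIN_IN_TEXT.search(visible_text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        warnings.append(f"text shows {m.group(1)} but link goes to {host}")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host:       # brand name used as a subdomain of a stranger's domain
                warnings.append(f"'{brand}' appears in host but domain is {registrable_domain(host)}")
    return warnings


def scan_html_links(html):
    """Map each link target in the body to its warnings (an empty list means it looks clean)."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: link_warnings(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in scan_html_links(SAMPLE_EMAIL_HTML).items():
        print(href, "->", reasons or "no warnings")
```

Run on the constructed body, the "verify" link is flagged three times (plain http, text naming the bank while the host belongs to secure-login.example, and the bank's name appearing as a subdomain), while the help link to the bank's own domain produces no warnings; the same checks are what a careful employee performs by hovering over the link and reading the status bar.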