Less effective, but still valuable, methods include:
- Do not mass e-mail your customer base with web links directed to your site or any other website. Doing so trains your customers to open links and to assume they are trustworthy, which leaves you exposed to phishing attacks in the future.
- Do not reuse existing authentication credentials or other non-public personal information to authenticate your customer base (e.g. an ATM PIN or Social Security number used as the password for your online web portal).
- Log information such as IP address, location information, and device fingerprints so that any device accessing or changing customer data online can be uniquely tracked.
- Be sure to report all incidents of fraud to a law-enforcement agency so that the data can be correlated with other attacks to identify attack and incident patterns.
- Anti-Phishing Software: Applications that attempt to identify phishing content in both e-mail and web sites. They usually integrate with web browsers and e-mail clients as a toolbar that displays the real domain name of the website the user is about to visit or is currently visiting, to help prevent fraudulent activity. Several options exist, either as a built-in feature or as a plug-in, for both Firefox and Internet Explorer.
- User Education: One of the best strategies to combat phishing is to educate your users about current and newly emerging phishing attack methods and make them knowledgeable about what to do in the event of a phishing attack. Educate the staff who are contacted about customers' accounts. Educate your customers to contact your hotline whenever they are asked for any personal information. Users should be told to type the URL of your web portal directly into the address bar every time they visit your site, especially when asked to visit via e-mail, to reduce the risk of following a fraudulent link.
- Two Factor / Two Way Authentication: While no single prevention method is infallible, another preferred technological method used to prevent phishing and other types of compromise is the implementation of verification tools such as secret images and/or challenge questions. Secret images work by having a user select one or more images in advance. The images are known only to the customer and the authenticator; the process works by showing these images to the end user, who should be instructed that when the image is not present the site is NOT legitimate and to contact a customer service representative as soon as possible. Challenge questions work by having a user select multiple secret questions in advance that only the customer and the authenticator are aware of. When authenticating, the users are then challenged and respond with the predefined answers.
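A minimal server-side implementation of the secret-image and challenge-question flow just described, as an added example that is not part of the original guide; the image pool, the in-memory user store and the hashing choices are assumptions made for illustration:

```python
import hashlib
import hmac
import os
import secrets

# Constructed example data: a server-side secret and a pool of images the
# customer chooses from at enrolment. Real deployments keep these in a vault/DB.
SERVER_SECRET = os.urandom(32)
IMAGE_POOL = ["anchor", "kite", "lighthouse", "mountain"]
USERS = {}

def _hash(secret, salt):
    # Normalise free-text answers so "  Rover " and "rover" are treated alike.
    text = " ".join(secret.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, 50_000)

def enroll(username, password, image, questions):
    """questions: {question text: answer} selected by the customer in advance."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "password": _hash(password, salt),
        "image": image,
        "questions": {q: _hash(a, salt) for q, a in questions.items()},
    }

def step1_secret_image(username):
    """Site-to-user step: after the username alone is submitted, show the
    pre-selected image. Unknown usernames get a stable decoy from the same
    pool so this endpoint cannot be used to enumerate accounts."""
    user = USERS.get(username)
    if user is not None:
        return user["image"]
    tag = hmac.new(SERVER_SECRET, username.encode(), "sha256").digest()
    return IMAGE_POOL[int.from_bytes(tag, "big") % len(IMAGE_POOL)]

def step1_challenge(username):
    """Pick one of the customer's pre-registered questions at random."""
    user = USERS.get(username)
    return secrets.choice(list(user["questions"])) if user else None

def step2_verify(username, password, question, answer):
    """User-to-site step, run only once the customer has confirmed the image.
    Both factors are checked in constant time and without short-circuiting."""
    user = USERS.get(username)
    if user is None or question not in user["questions"]:
        return False
    pw_ok = hmac.compare_digest(_hash(password, user["salt"]), user["password"])
    ans_ok = hmac.compare_digest(_hash(answer, user["salt"]), user["questions"][question])
    return bool(pw_ok & ans_ok)
```

The decoy image for unknown usernames matters in practice: a site that shows "no image found" for unregistered names leaks which accounts exist.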