Friday 17 February 2006

What brand owners should do about phishing

If you're a bank, or other organization that's worried about having your brand spoofed in a phishing attack, first you need to detect the attacks, and then you need to act. Here are some of the things you can do:

  1. Receive complaints from consumers -- publish an email address for consumers to forward suspected phishing emails to. The abuse desk can reply to the consumer to confirm whether this was a legitimate message or a phishing attempt (e.g.,
  2. Run spamtraps -- publish email addresses for the sole purpose of receiving spam. Scan the incoming spam for phishing attempts on your brand.
  3. Detect remote image loading -- scan your web server logs for the telltale signs of your images being displayed in web sites that don't belong to you.
  4. Takedown -- get the phishing web sites removed from the Internet. Work with:
    1. The ISP responsible for the email sender
    2. The hosting company hosting the phishing website
    3. The domain registrar responsible for a bogus copycat domain (e.g.
  5. Block -- inform consumer protection services to protect consumers while the sites are still available. For example:
    • Google's anti-phishing toolbar
    • Cloudmark's anti-fraud toolbar
    • Microsoft's anti-phishing protection in IE7
If you're worried about your brand's vulnerability to phishing, contact me. I can help.

Tuesday 14 February 2006

RSA here we come

This week, I shaaall mostly be at the RSA Conference. Hanging out in the press room quite a bit of the time for Ferris Research, more's the pity. Do say hi.