Phishing: How to Keep Your Business from Biting

How Do Hackers Find My Network?

What makes your business ripe for hackers to attack? Jimmy Ray Purser discusses what hackers look for when they are out target trolling. (1:55 min)

The email from an overnight shipping company looked legitimate, so the employee clicked the link to find out about an undeliverable package.

"Only after his PC crashed did our customer realize he had fallen victim to a phishing attack, possibly intended to hijack his PC," says Tina Williams, vice president of operations for Technical Consulting Group America, a Cisco Select Certified Partner.

Phishing, or fraudulent attempts to acquire passwords and financial information by masquerading as a trusted organization, is on the rise. According to the Anti-Phishing Working Group (APWG), the number of websites worldwide that infect PCs with password-stealing code more than tripled between 2007 and 2008.

The costs? Identity theft, denial of service, and infections that capture login credentials, steal contact lists, trash files, and send spam in your name. Gartner, Inc. estimates that U.S. residents lost $3.2 billion to phishing in 2007.

One Phish, Two Phish; Red Phish, Blue Phish

Most phishing attacks are carried out by luring victims to click a link that is in an email or posted to a social networking site, according to Chris Bock, presales engineer for ESI, a Cisco Gold Certified Partner whose specializations include Advanced Security. Victims are taken to a website where they divulge their passwords or payment card information.

"Other phishing websites install a key logger, screen scraper, or screen recorder on your computer," Bock says. New man-in-the-middle phishing attacks fool routers into redirecting data to an eavesdropper's network, without the victim ever knowing.

A Multilayered Defense

You can protect your business against phishing by using the following combination of employee education and client-based and network-based solutions:

  • Educate employees. Teach them that they can damage the company network by opening attachments that look suspicious or are from someone they don't know.
  • Filter email and URLs. "Stopping phishing attacks at the network perimeter instead of waiting until they get to the desktop is more effective; it also saves bandwidth," says Williams. Small companies can use a router with a subscription service that blocks employees from landing on websites with sketchy reputations. An example for companies with fewer than 20 employees is the Trend Micro ProtectLink Gateway security service, which runs on specific Linksys by Cisco routers. "Companies with more employees will probably want a purpose-built appliance like the IronPort Blocker, which can handle more volume," Bock says.
  • Monitor for suspicious network activity. An intrusion prevention system (IPS) can protect critical servers from other forms of phishing, "like someone trying to intercept a DNS request so that they can impersonate a legitimate site," says Anton Kapela, network director for 5Nines Data, a Cisco Select Certified Partner with an SMB Specialization. An example is the Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) for Cisco ASA 5500 Series Adaptive Security Appliances. "An IPS looks for bad behavior typical of malware, such as opening up too many connections per second or sending an email with thousands of recipients," says Kapela.
  • Don't forget the desktop. Strong browsers, such as Mozilla Firefox and Google Chrome, check websites against known blacklists and warn users. And if a threat slips by, Cisco Security Agent desktop software can detect and stop phishing activities such as keystroke logging. But experts warn that browser-based protection is not enough. "The browser can't look inside encrypted traffic like an IPS can," Kapela says. "And on password-protected sites, the browser has no way of knowing that pages past the sign-in pages are dangerous."
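The two behavioral signals Kapela describes for an IPS (too many connections per second from one host, and a single message with thousands of recipients) can be checked with simple log analysis. The following is an added example, not code from the article or from any Cisco product; the log formats, thresholds, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Thresholds are assumptions for this example; a real IPS tunes them per site.
MAX_CONN_PER_SEC = 3
MAX_RCPT = 1000

# Hypothetical log formats, constructed for this example:
#   "<epoch> <src-ip> -> <dst-ip>:<port>"            (connection log)
#   "<epoch> <src-ip> msg <queue-id> rcpt=<count>"   (outbound mail log)
CONN_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+:\d+)$")
MAIL_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) msg (?P<mid>\S+) rcpt=(?P<rcpt>\d+)$")

def connection_floods(lines):
    """Return {(src, second): count} for hosts exceeding MAX_CONN_PER_SEC."""
    counts = defaultdict(int)
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m:  # lines that do not match the format are ignored
            counts[(m["src"], int(m["ts"]))] += 1
    return {k: v for k, v in counts.items() if v > MAX_CONN_PER_SEC}

def mass_mailings(lines):
    """Return [(src, queue id, recipient count)] for oversized recipient lists."""
    hits = []
    for line in lines:
        m = MAIL_RE.match(line.strip())
        if m and int(m["rcpt"]) > MAX_RCPT:
            hits.append((m["src"], m["mid"], int(m["rcpt"])))
    return hits

# Constructed sample input: 10.0.0.5 opens four connections in one second
# and later sends one message to 4,500 recipients; 10.0.0.7 is benign.
SAMPLE_CONN = """\
1200000000 10.0.0.5 -> 203.0.113.9:443
1200000000 10.0.0.5 -> 203.0.113.10:443
1200000000 10.0.0.5 -> 203.0.113.11:443
1200000000 10.0.0.5 -> 203.0.113.12:443
1200000000 10.0.0.7 -> 198.51.100.2:80
1200000001 10.0.0.5 -> 203.0.113.13:443
""".splitlines()

SAMPLE_MAIL = """\
1200000000 10.0.0.5 msg q1 rcpt=2
1200000002 10.0.0.5 msg q2 rcpt=4500
1200000003 10.0.0.7 msg q3 rcpt=12
""".splitlines()

if __name__ == "__main__":
    for (src, sec), n in connection_floods(SAMPLE_CONN).items():
        print(f"ALERT connection flood: {src} opened {n} connections at t={sec}")
    for src, mid, n in mass_mailings(SAMPLE_MAIL):
        print(f"ALERT mass mailing: {src} message {mid} has {n} recipients")
```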

If It's Phishy, Don't Bite

The employer of the hapless gentleman who opened the spoofed email from the overnight shipping company now takes stronger precautions against phishing. You can, too, using the multiple defenses described in this article to keep your business from biting on phishers' bait. Kapela concludes, "A layered security approach always beats a one-pronged approach."
