What can you do about phishing?

The cranky user is one of my favorite IBM blogs. This time Peter Seebach writes about phishing and how you can prevent phishing attacks.

I think phishing started with email scams, but it can be done on a regular website too. For those who don’t know, phishing “is the act of tricking someone into giving them confidential information or tricking them into doing something that they normally wouldn’t do or shouldn’t do.” (Michigan.gov)

Peter Seebach makes some notes on how to prevent these attacks:

  1. Make sure the email is coming from your domain address and your IP address. Don’t use any of these admin@ibm.phishingscam.xxx addresses.
  2. Don’t allow hotlinking, so people can’t reuse the images from your website.
  3. Inform the helpdesk or customer support that they have to be careful when advising people to click a link. Don’t assume the client is on your site just because he/she tells you so.
  4. Provide people with a secure way of contacting you, a telephone number for example.
  5. Never ask customers to expose sensitive information such as usernames and passwords. It is a bad habit.
  6. Put some regex on the password to detect really bad passwords: 0123456789? That is a nice one you won’t forget.
  7. Add a reply-to address pointing to an email address in your primary domain.
The cranky user
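As an added example (not code from the original post or from the cranky user column), here is a small check for points 1 and 7: it parses a message's From and Reply-To headers and flags addresses that fall outside the organisation's primary domain, including the brand-as-subdomain trick in the admin@ibm.phishingscam.xxx example. The primary domain and the sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation domain (placeholder, not from the original post).
PRIMARY_DOMAIN = "example.com"


def address_domain(header_value):
    """Return the lowercased domain of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_in_primary_domain(domain):
    """True only for the primary domain itself or a genuine subdomain of it."""
    if domain is None:
        return False
    return domain == PRIMARY_DOMAIN or domain.endswith("." + PRIMARY_DOMAIN)


def check_sender_headers(raw_message):
    """Return findings for From/Reply-To headers outside the primary domain."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To"):
        domain = address_domain(msg.get(header))
        if domain is None:
            findings.append(f"{header}: missing or unparsable")
        elif not is_in_primary_domain(domain):
            note = f"{header}: {domain} is outside {PRIMARY_DOMAIN}"
            # The post's admin@ibm.phishingscam.xxx pattern: the brand name is
            # only a label inside somebody else's domain.
            if PRIMARY_DOMAIN.split(".")[0] in domain.split("."):
                note += " (uses the brand name as a label of another domain)"
            findings.append(note)
    return findings


# Constructed sample messages for the check (not real mail).
LEGIT = ("From: Example Bank <noreply@mail.example.com>\n"
         "Reply-To: support@example.com\nSubject: statement\n\nbody\n")
LOOKALIKE = ("From: Example Bank <admin@example.phishingscam.test>\n"
             "Reply-To: admin@example.phishingscam.test\nSubject: verify\n\nbody\n")
```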

The third point about helpdesk support is something I know and believe is an important one. You can’t provide a telephone number if the guy answering the phone doesn’t know about phishing. So the first step is to inform these people.

The next step is to apply a simple rule: “never ever trust a user”. I worked as a helpdesk agent and I still believe in this rule, and I think every good helpdesk agent knows this rule. Not because users are stupid, but because they talk a different language and they have different objectives and goals. But that’s another post.

These are some good pointers, but if you look at them, most of the problems come from the tension between security and usability. You can’t instruct people to remember their difficult password or ask them to double-check every aspect of the email header every time they get a suspicious email. You should try to avoid putting customers and visitors in a difficult situation.
