Which is the best method to protect my customers from phishing attacks?
1) Have strong authentication mechanisms like hardware tokens, e-mail signing etc.
2) Include personalized web pages to make it hard to impersonate the site
3) Creating awareness among customers about phishing
The best answer to the quiz is 3) Creating awareness among customers about phishing.
Phishing is a type of attack in which the attacker impersonates a valid site and steals sensitive information that the customer enters on the fake site. The attacker sends the victim a forged e-mail containing a link to a fake page that looks exactly like a valid page of the original site. These e-mails carry upsetting or exciting (but false) statements to get the customer to react immediately. When the customer clicks the link, they are asked to provide their credentials to log in and update their personal information, which reveals that information to the attacker.
Another technique is the man-in-the-middle attack, in which the attacker acts as a live proxy between the customer and the real site and intercepts all requests. The attacker can use the information obtained to transact with the actual site while the victim transacts with the fake site.
Option 1, having a stronger authentication mechanism, requires a lot of changes to existing applications. Token-based authentication has high setup and maintenance costs, and scalability is also an issue. Similar issues exist for e-mail signing, and not all web-based mail clients support it. Furthermore, the recipient may not check the certificate's revocation status.
Option 2, having personalized web pages, makes phishing attacks difficult but does not prevent them. Personalized web pages offer no protection against the man-in-the-middle type of phishing attack.
The best way to prevent phishing attacks is Option 3 - creating customer awareness. Some important points that need to be communicated to the customers include the following:
- Organizations should constantly remind their customers that they will never request sensitive information via e-mail. Moreover, all e-mail communications should address the customer by first and last name.
- Customers need to be educated not to click on links to critical websites (e.g. an Internet banking website) that arrive via e-mail, but to visit these websites by typing the address directly into the browser.
- Customers should be educated on identifying secure websites (e.g. https in the URL or the 'Lock' icon) before submitting a username, password, credit card number or other sensitive information.
- Customers should be educated about choosing strong passwords and the importance of changing them regularly.
- Customers should be educated to be suspicious of any e-mail with an urgent request for personal information.
- Customers should be provided with easy methods to report phishing incidents.
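The indicators listed above (generic greeting, urgent wording, a request for credentials, a link whose real target is not the organization's own host, a displayed URL that differs from the link target, a non-https link) can also be turned into a simple triage check that a help desk or abuse mailbox runs over e-mails customers report. The script below is an added example, not code from the original page; the trusted host and mail domains, the keyword lists and both sample messages are constructed for the demonstration.

```python
"""Heuristic phishing triage over reported e-mails.

Added example: trusted domains, phrase lists and sample messages are
constructed and are NOT part of the original page.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed (constructed): hosts and mail domain the organisation really uses.
TRUSTED_HOSTS = {"www.examplebank.example", "online.examplebank.example"}
TRUSTED_MAIL_DOMAINS = {"examplebank.example"}

# Constructed phrase lists matching the indicators described in the text.
GENERIC_GREETINGS = ("dear customer", "dear valued customer", "dear user", "dear member")
URGENT_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "will be closed")
CREDENTIAL_PHRASES = ("password", "card number", "security code", "log in to confirm")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def body_text(msg) -> str:
    """Concatenate the text/plain and text/html parts of a message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() in ("text/plain", "text/html"))
    return msg.get_payload()


def triage(raw_message: str) -> list:
    """Return the names of the phishing indicators that fire, in a fixed order."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    text = body.lower()
    findings = []

    def add(name):
        if name not in findings:
            findings.append(name)

    # Sender domain is easily forged, so this is only a triage signal.
    _, sender = parseaddr(msg.get("From", ""))
    if sender.rpartition("@")[2].lower() not in TRUSTED_MAIL_DOMAINS:
        add("sender_domain_not_trusted")
    # Legitimate mail addresses the customer by name; look at the opening only.
    if any(g in text[:300] for g in GENERIC_GREETINGS):
        add("generic_greeting")
    if any(p in text for p in URGENT_PHRASES):
        add("urgent_language")
    if any(p in text for p in CREDENTIAL_PHRASES):
        add("requests_credentials")
    for href, anchor in ANCHOR_RE.findall(body):
        target_host = hostname(href)
        if target_host not in TRUSTED_HOSTS:
            add("link_to_untrusted_host")
        shown = TAG_RE.sub("", anchor).strip()
        shown_host = hostname(shown) if shown.lower().startswith(("http://", "https://")) else ""
        if shown_host and shown_host != target_host:
            add("displayed_url_differs_from_target")
        if href.lower().startswith("http://"):
            add("link_not_https")
    return findings


# Constructed sample: a reported message showing the indicators from the text.
PHISH = """From: security@examplebank-alerts.example
To: customer@example
Subject: Urgent: account suspended
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your account has been suspended. Log in to confirm your password within 24 hours:</p>
<p><a href="http://login.examplebank.example.attacker-host.example/verify">https://online.examplebank.example/login</a></p>
</body></html>
"""

# Constructed sample: a legitimate notice following the guidance above.
LEGIT = """From: notices@examplebank.example
To: customer@example
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Dear Jane Doe,</p>
<p>Your statement for March is ready. To view it, type our address into your browser or use the link below.</p>
<p><a href="https://online.examplebank.example/statements">https://online.examplebank.example/statements</a></p>
<p>We will never ask you for your account details by e-mail.</p>
</body></html>
"""

if __name__ == "__main__":
    print("reported message:", triage(PHISH))
    print("legitimate notice:", triage(LEGIT))
```

Each indicator on its own is weak (a fake page can also be served over https, and the From header is trivially forged), so the output is meant to prioritise reported e-mails for a human reviewer, not to block mail automatically. The link checks are the most useful part: they compare the host the customer sees with the host the browser would actually visit, which is exactly the mismatch the "type the address yourself" advice is meant to sidestep.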