Just in case you've been out of the country for the last 12 months, a new scourge is hitting the Internet and the world of email and it's called phishing. The Anti-Phishing Working Group defines phishing as identity theft "attacks using 'spoofed' e-mails and fraudulent Web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords..."
According to various experts, phishing incidents are rising at an alarming rate: there were 13,000 unique phishing attacks in January alone - that's a 42 percent surge over the previous month.
The real problem is that phishing works. Some of the sharpest folks I know have accidentally provided their personal information to a credible-looking website claiming to be eBay, Citibank, etc. In fact, 64 corporate brands were used in phishing attacks in January.
So, if you are a large, well-branded company, how do you prevent this from happening to you and your customers? The bad news is that there are no obvious or easy answers. A recent article from Forbes talks about legislation that's working its way through Congress but, like CAN-SPAM, it is, at best, only a partial solution.
Fortunately, as consumers, there's quite a bit we can do. Great email filter products like MailFrontier offer some protection. Browser plug-ins will help catch fraudulent sites by comparing URLs to known lists of bad guys. Various popular email programs are releasing new versions that will help call out and prevent some of the more popular tricks being used by phishers today.
The bad news is that, as senders, there's not as much you can do.
Here's a quick list of ideas I've compiled from various sources on the topic:
Educate your customers/recipients - of course, this will only go so far.
Alternate channels - new protocols like RSS largely solve the problems of phishing but very few consumers are currently using RSS readers, so this solution is still somewhat in the future.
Personalize your messages - show the recipient that you know more than their email address. Ideally, ask them for a "secret phrase" when they register and then make sure they know that you'll use it in every email you send them - they should closely scrutinize any emails without that phrase.
Allow confirmation codes on your home page - set up your home page with a simple text input. Users can type in a code embedded in emails at your home page and get a confirmation that the message or the site in the message is valid. This requires some help from IT but it makes it easy for users to check the validity of any message they are concerned about.
Don't leave any open re-directs on your Web site - these can be used to make a site LOOK like yours even though it isn't. eBay fell prey to this recently so it can happen to the savviest companies.

Have the phishers invented any new tricks that we should all be aware of? Are there better solutions emerging? Please send me your thoughts and/or suggestions via our "contact the author" form.
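One way to close the open re-directs described in the list above, as an added example that is not from the original article: a Python check that a redirect handler could apply to its target parameter before sending the browser anywhere. The host names, the allowlist and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts this site will redirect to (constructed values).
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "/"  # where to send the user when the target is rejected


def naive_redirect_target(target: str) -> str:
    """Weak check shown for contrast: a prefix match accepts look-alike hosts."""
    return target if target.startswith("https://www.example.com") else FALLBACK


def safe_redirect_target(target: str) -> str:
    """Return target only if it stays on this site or an allowed host."""
    if not target:
        return FALLBACK
    # Browsers treat "\" like "/" and skip whitespace and control characters,
    # so a target containing any of them is rejected outright.
    if "\\" in target or any(c.isspace() or ord(c) < 0x20 for c in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a site-rooted path ("/x", never "//x").
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    if parts.scheme != "https":
        return FALLBACK  # rejects http:, javascript:, data: and "//host" forms
    # .hostname drops any "user@" prefix and port, so the comparison is made
    # on the host the browser would actually contact.
    host = (parts.hostname or "").lower()
    return target if host in ALLOWED_HOSTS else FALLBACK


if __name__ == "__main__":
    samples = [  # constructed inputs
        "/account/settings?tab=1",
        "https://www.example.com/signin",
        "//evil.example/login",
        "https://www.example.com@evil.example/",
        "https://www.example.com.evil.example/",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_redirect_target(s)!r} safe={safe_redirect_target(s)!r}")
```

The last sample passes the prefix check but not the host comparison, which is why the allowlist is matched against the parsed host rather than the start of the string.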