SMBs: The Other Victims Of Phishing

The number of phishing attacks grew 44 percent between the first half and second half of 2005, according to Symantec, in Cupertino, California. Some of that increase can be attributable to the holiday season, which typically promulgates a higher number of incidents, but the increase is still very significant, according to Dave Cole, director of Symantec security response. The number of incidents for the first half of this year is expected to far surpass the one billion incidents in the first half of 2005.

But although the scams are certainly damaging to any consumers duped by them, they can also have a devastating effect on the small business whose brand is stolen in order to perpetrate the scheme. Though of course the phishers are the criminals, any targeted firm can suffer from the negative customer reaction--and reputation--that ensues.

Though there is no silver bullet for how to deal with these incidents, here are some ways for small businesses to battle brand theft.

Report the incident immediately.Notify the Anti-Phishing Work Group, as well as local, federal, and state law authorities immediately. Quick notification can help shut down the source of the phisher’s attacks and limit the damage. Additionally, reporting the incident to major search engines enables them to attempt to locate the offending servers and add them to their toolbars that are designed to block phishing attacks.

Immediately help affected customers.If you hear from customers who have been directly affected by a phishing scam, provide them with information on what they need to do to ward off serious financial damage to themselves. For example, provide them with detailed instructions on how to contact the major credit bureaus, Cole recommends. Some businesses even take the extra step of providing credit reports free of charge to customers for a specified period of time.Additionally, via e-mail, print letters, and on your Web site, tell other customers how to proceed if they believe they have been a target of a phishing scam, recommends Salim Lakhani, managing director of Initsoft Web Solutions LLC, in Cupertino, California. “Also let them know about tools they can use [i.e., phishing filters] to protect themselves against future phishing attacks,” says Lakhani.

Proactively communicate with all customers.Of course, prevention is the best method to handle phishing attacks (see below). But if a phisher has already hijacked the brand of your small business, communicating immediately and effectively with current customers is the most critical aspect of recovering from the crime, security experts agree.

The communication should take several forms. “The first thing I would do is to send your customers e-mails showing what types of messages they should expect from you,” Cole says. “Tell customers that you will never ask them for personal information [i.e., credit card numbers or passwords] inside an e-mail.”

Such communiqu?s should also describe phishing attacks for those customers unfamiliar with the term. And if in fact your business has indeed requested sensitive information via email in the past, this is a practice you should end quickly.

Beyond sending e-mails to customers, Cole recommends that companies post a notification on the front page of its Web site that it has been the target of a phishing scam.Ask for customer assistance to combat the crime.Request that customers who believe they’ve been phished to send copies of the fraudulent e-mails to you. This will help you and the appropriate authorities apply forensic techniques in attempts to stop the attacks and apprehend the perpetrators, says Ken Beer, director of product management for Tumbleweed Communications, in Redwood City, California. Make sure that there's a prominent "contact us" button on your Web site to enable customers to do this quickly and easily.

Watch out for unusual orders.If an individual is ordering an unusual amount of items (i.e., 10 plasma televisions) or placing an otherwise atypical order, there are technologies that will automatically place the order “on hold” until further confirmation is possible. "If they can’t get direct access to cash [i.e., from a bank account], phishers will settle for items that can be easily sold, Cole says.

Prevention is the best medicine

Beyond taking the above steps to soothe the nerves of customers, small businesses should also take several steps to help prevent similar events from happening again, security experts agree.

Be proactive.“The vast majority of all attacks are opportunistic,” Cole says. Even if a company hasn’t been the target of an attack, proactively e-mail customers and include information on your Web site about phishing, what customers can do to protect themselves, and what types of e-mails they should expect from the company.Educate employees.It does little good to notify customers that the company won’t ask for certain information, then have someone in sales (or in another department) actually ask for that data in an e-mail. So the company needs to bring all employees and executives up to speed on phishing along with customers.

Use a different e-mail system for customer communications.This is something that eBay, one of the major targets of phishers, is doing. Beyond simple marketing messages (i.e., “see today’s specials”), the company exchanges e-mails with customers only when they are on the company’s site, Cole says. However, adding such an internal system can be beyond the financial means of some small businesses. "This is a very aggressive step,” Cole says.