This week Jon Colombo, senior technical architect at Cap Gemini Ernst & Young, considers the damage to customer trust and loyalty caused by phishing attacks on organisations unprepared for such scams.
Phishing is a simple, effective internet con. It is hard to counter, but is growing fast. New twists and targets appear every week. On the bleakest interpretation it could threaten the very foundation of e-commerce itself: consumer trust.
Mechanically the con is straightforward. The con artist, or phisher, uses a mass-mailing tool to email a large audience, pretends to be from a bank or some other institution, and asks the recipient to click on a link to verify credential details.
Those recipients who have a relationship with the target institution may provide the phisher with personal details, such as banking information, which can then be used to defraud them.
The institution is also a victim - its customers learn not to trust communications from it and may start to question the whole e-commerce relationship.
Many organisations with an internet presence already have a sophisticated array of defences to stop intruders and block automated attempts to log on. The trouble is that these defences are generally designed to counter the wrong kind of threats.
Although phishing has some technical basis, it is basically a social engineering technique. Mechanisms designed to baffle automated attacks can be circumnavigated with the unwitting assistance of the customer.
There is really only one technology fix that can prevent phishing in the long term, and that is hardware-based two-factor authentication, i.e. tokens or some biometric implementations.
Unfortunately, these are expensive and usually call for a complete reworking of the business model, which may encounter customer resistance.
Strictly speaking, phishing is not the target institution's problem - it is customers who are the direct victims.
Businesses need to consider phishing on the same level as a supermarket would a product contamination: a criminal slipping dangerous materials into food is attacking public perception of the trustworthiness of that product.
In the same way, phishing has the potential to destroy trust in a brand.
There are a number of 'people' measures that should be considered to educate customers. After all, ignorance is the phisher's friend.
Circulars included in account statements, warning instructions on websites, and even carefully constructed emails can help. The message should be clear and consistent. For example: "The organisation will never send emails containing links - anything that does is a fake."
Consistency needs to be applied across the entire business, as it only takes one message to sow confusion in the customer's mind.
The first indications of a phishing trawl will be disparate and will probably be picked up by front-line staff, such as call centre operators or receptionists.
Phishers will try and slow down detection by operating at weekends or on holidays, so all staff need to be trained on how to respond and who to tell.
Well-designed, well-rehearsed, efficient and appropriate response procedures are essential. Simplicity and clarity of responsibility are the keys to success.
A response team should include a board-level representative, a response manager, an IT manager and representatives from the legal and PR functions.
The team will need plans to react to initial tip-offs; a triage stage to assess the damage and liaise with law enforcement; damage control plans that include technical and legal instruments for removing the threat promptly; communications processes to warn customers and considered contingency arrangements for victim support.
Technology can only play a minor role in an organisation's strategy for the prevention, detection and reaction to phishing. As a profession, we are asked to protect organisations, but we face a dilemma: there is no acceptable 'magic bullet' available.
Phishing may be seen as a technology issue but it is no more so than any other scam.
Preparedness starts at the top of the organisation. Management must think ahead and consider the following questions:
- How will a trawl in progress be detected?
- Who will be involved in responding to it?
- What is the organisation's attitude to publicising a trawl?
- What are the limitations to the support the organisation will offer law enforcement?
- How much support will be offered to victims?
- Has the organisation documented, rehearsed and refined the processes for responding to a trawl?
Without this level of prior thought the organisation may manage to muddle through a phishing trawl, but trust in its brand will have been damaged and an opportunity to build on that trust wasted.
Information professionals working in organisations with wide internet exposure who have not put thought into the questions above should be using the check list as a wake-up call for their management before it is too late.
Geoengineering on the sea floor near glaciers would form a new ice shelf to prevent melting
Alterations in capillary blood flow can be caused by body position change
Curiosity rover is in 'normal mode' but not transmitting scientific data back to base
NatWest outage comes a day after Barclays' IT systems shut out customers and staff