By Karen J. Bannan
During 2004, managed e-mail security provider MessageLabs intercepted more than 18 million phishing e-mails, or e-mails that direct readers to a fraudulent Web site. While the majority were b-to-c in nature, b-to-b phishing attacks aren’t unheard of and can be even more costly when they occur, said Dmitri Alperovitch, research engineer with CipherTrust Inc., an e-mail security provider.
"If [phishers] are contacting you at your job as a representative of a company you work with and you think it’s a legitimate business transaction, you can very easily get taken," Alperovitch said. "How many times do you get an e-mail from someone about a project you know about but aren’t directly working on? You know someone else is, so you just go with whatever they ask. With b-to-b, phishing will almost always be more targeted and the attackers are much more sophisticated."
Alperovitch and Bill McInnis, director of sales for Message Level, an authentication provider, provided these suggestions to help safeguard your customers and prospects from getting phished in your name.
- Educate your users. Tell newsletter subscribers and customers exactly what they should expect from you. This may mean you have to send out a sample message when they first sign up, Alperovitch said. Then let them know what a phishing attack might look like. "Tell them that if a URL you send out is long or contains misspellings or if a message uses non-standard logos, it’s probably a fake," he said. "You basically have to show them what to look out for ahead of time."
- Keep your e-mail identity consistent. "Keep the ‘From’ address that the customer would see consistent for each brand, and make sure the embedded URLs are consistent with the brand being advertised," McInnis said. And stick to a schedule. If your customer expects your messages every other Friday but gets something from you on an off Tuesday, it should raise a flag.
- Use personalization as security. Alperovitch said you should get into the habit of using your customer’s name and possibly part of their physical address in your messages. Even better, consider a graphical token. "You can let users pick a graphical unique token that represents them. It’s no harder than customizing text," Alperovitch said. "Use that token every time you send out a message to identify your e-mails as being valid. Tokens are very, very hard to spoof."
- Consider using e-mail authentication services. "These technologies can help e-marketers control their e-mail by providing them with the ability to affirm or deny a message claiming their brand in real time prior to delivery," McInnis said.
- Call in reinforcements. If your customer has been phished, call law enforcement agencies immediately. "Federal authorities are very proactive in this area," Alperovitch said. Even more important, assist your customers as much as possible so they feel that you’re behind them no matter what. "When you help a customer out of a tough jam, you’re creating a win out of a terrible situation," he said.