Phishing as a security risk has come a long way since its infancy, and while phishing has changed its style, one thing that hasn’t changed is its effectiveness in attracting victims. By combining modern technology and social engineering to gain access to information such as credit card numbers or passwords, criminal activity is flourishing across the Internet. In the May 29th, 2008, Quarterly Trends and Analysis Report by US-CERT (United States Computer Emergency Readiness Team), the top reported security incident was phishing. The risk documented by US-CERT is borne out by statistical evidence tracked by organizations such as the Anti-Phishing Working Group (APWG), which showed that the number of unique phishing sites reported between January and March of 2008 was a combined 81,215. These staggering numbers highlight the reasoning behind the FTC Red Flag Rules.
Armed with this type of information, it seems reasonable that the FTC would take the steps necessary to control the identity theft stemming from this type of security risk. Thus phishing prevention is part of the FTC’s Red Flag Rules, and detecting phishing attacks is critical to preventing personally identifiable information from being released. There are several telltale signs of phishing e-mails, such as:
- Unsolicited requests for personal information. Legitimate companies understand today’s security environment and will not ask for personal information out of the blue.
- E-mails addressed to “Customer”. If you are a customer of the organization sending the e-mail, chances are high that they will address you by name and spell it correctly.
- E-mails that have you click on links to access your account. An HTML-formatted e-mail can act like a web page, with links and forms embedded in it, but chances are high the link will take you to a phony web site.
- IP velocity. If you receive numerous e-mails in rapid succession from the same IP address, chances are the e-mails are not legitimate. This type of activity is a big red flag (pardon the pun) that a targeted phishing attack might be in progress.
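The first three signs in the list above can be checked mechanically on each incoming message. The following is an added example written for this page, not code from the original post or from any product it mentions: it parses a raw message with Python's standard `email` and `html.parser` modules, looks for a generic "Dear Customer" salutation, for wording that asks for passwords or other personal data, and for HTML links whose visible text is an address that differs from the real `href` destination. The two sample messages and all domains in them are constructed; the word lists are illustrative assumptions, not a vendor's rule set.

```python
"""Heuristic checks for the telltale signs of a phishing e-mail (added example)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# "Dear Customer" style openings instead of the recipient's name (assumed word list).
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(?:valued\s+)?(?:customer|user|member|client)\b", re.I | re.M)
# Data a legitimate sender has no reason to request by e-mail (assumed word list).
PERSONAL_DATA_REQUEST = re.compile(
    r"\b(?:password|social security|ssn|card number|pin)\b", re.I)
# Anchor text that itself looks like a URL or host name, so it can be compared with the href.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def _host(url):
    """Lower-cased host part of a URL; bare host names are accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _bodies(msg):
    """Return (plain_text, html_text) concatenated over all text parts of the message."""
    plain, html = [], []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        (html if ctype == "text/html" else plain).append(text)
    return "\n".join(plain), "\n".join(html)


def phishing_indicators(raw_email):
    """Return a list of the telltale signs found in one raw message (empty if none)."""
    msg = message_from_string(raw_email)
    plain, html = _bodies(msg)
    visible = plain + "\n" + re.sub(r"<[^>]+>", " ", html)  # text as the reader would see it
    findings = []
    if GENERIC_SALUTATION.search(visible):
        findings.append("generic salutation")
    if PERSONAL_DATA_REQUEST.search(visible):
        findings.append("asks for personal information")
    collector = _AnchorCollector()
    collector.feed(html)
    for href, text in collector.anchors:
        # The address shown to the reader and the real destination disagree.
        if URL_LIKE.match(text) and _host(text) != _host(href):
            findings.append(f"link text {text!r} points to {_host(href)!r}")
    return findings


# Constructed sample messages; the domains are reserved example names, not real hosts.
SUSPICIOUS = """\
From: "Account Services" <alerts@bank-example.test>
To: someone@example.test
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Please confirm your password at
<a href="http://login.bank-example-secure.test/verify">www.bank-example.test</a>
within 24 hours.</p>
"""

LEGITIMATE = """\
From: support@example.test
To: alice@example.test
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Hi Alice,
Your monthly statement is available the next time you sign in.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, phishing_indicators(raw))
```

Each finding is a string so the checks can be logged or counted per sender; a production filter would also compare the link hosts with the domain of the `From:` address and with the organization's own domains, which this example leaves out.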
Compliance with the Red Flag Rules mandates that covered entities counteract phishing, along with an implementation program that detects, prevents, and mitigates risks that are prevalent in identity theft. When implementing your identity protection plan, products such as Estorian’s LookingGlass provide the ability to take control of this activity through features that allow:
- Validation of e-mail. LookingGlass looks at each individual e-mail header and its metadata and indexes the e-mail so it can be easily retrieved. This metadata provides a detailed look at whether or not the e-mails are valid, as well as an easy way to search for those e-mails to determine whether phishing attempts have been sent to multiple users.
- High-risk reporting requirements. Using Estorian’s reporting capabilities, companies can set thresholds that take advantage of LookingGlass’s granular view into incoming e-mails and report against those thresholds in real time. With these features you can set thresholds against high-risk signs of phishing such as IP velocity and receive real-time notifications that a possible phishing attack is being launched against your organization. You can then report against those thresholds and take the internal steps necessary to mitigate the risk.
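The IP-velocity sign from the earlier list and the threshold-based notification described in the item above amount to one detection: count deliveries per source IP inside a sliding time window and raise an alert when a configurable threshold is reached. The block below is an added example written for this page; it is not LookingGlass code and does not reflect how that product works. It assumes a simple, constructed gateway log format of the form `<ISO timestamp> src=<ip> rcpt=<recipient>`, with lines in chronological order, and records how many distinct recipients the burst reached, which is the "sent to multiple users" question from the first item.

```python
"""Sliding-window IP velocity check over mail-gateway log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> src=<ip> rcpt=<recipient>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>[\d.]+) rcpt=(?P<rcpt>\S+)$")


def parse_line(line):
    """Return (timestamp, source_ip, recipient), or None for a line that does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"]


def ip_velocity_alerts(lines, threshold=4, window=timedelta(minutes=10)):
    """Raise one alert per source IP the first time it delivers `threshold` or more
    messages inside any span of length `window`. Deliveries older than the window
    are discarded as newer ones arrive, so a slow, steady sender never trips the check.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, recipient) still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, rcpt = parsed
        q = recent[ip]
        q.append((ts, rcpt))
        while ts - q[0][0] > window:  # q is never empty here: ts itself was just appended
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "first_seen": q[0][0].isoformat(),
                "count": len(q),
                # A burst spread over many recipients suggests a campaign against the organization.
                "distinct_recipients": len({r for _, r in q}),
            })
    return alerts


# Constructed sample log; addresses are from documentation-reserved ranges, not real senders.
SAMPLE_LOG = """\
2008-05-29T09:00:01 src=198.51.100.7 rcpt=alice@example.test
2008-05-29T09:00:05 src=203.0.113.5 rcpt=alice@example.test
2008-05-29T09:00:09 src=203.0.113.5 rcpt=bob@example.test
2008-05-29T09:00:14 src=203.0.113.5 rcpt=carol@example.test
2008-05-29T09:00:20 src=203.0.113.5 rcpt=dave@example.test
2008-05-29T09:30:00 src=198.51.100.7 rcpt=bob@example.test
2008-05-29T09:31:02 src=203.0.113.5 rcpt=erin@example.test
2008-05-29T09:31:03 src=203.0.113.5 rcpt=frank@example.test
"""

if __name__ == "__main__":
    for alert in ip_velocity_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults, the four messages from `203.0.113.5` between 09:00:05 and 09:00:20 produce a single alert; the two later messages from the same address fall outside the window and are not counted toward a second one. When applying this to real mail, take the source IP from the connection your own gateway accepted (the last external hop) rather than from earlier `Received:` headers, which the sender controls.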
If you act as a creditor in any way, you are subject to the FTC Red Flag Rules and need to give serious attention to phishing in your risk assessment process. The continued success of these attacks has shown that this is a tremendously popular and effective way to gain personally identifiable information on your customers and their accounts. Only by being proactive and implementing software such as Estorian LookingGlass can you mitigate these high risks while building an identity theft protection program that complies with the new FTC Red Flag Rules. Fail to do so, and odds are that your company will become one of the statistics while unnecessarily exposing itself to the new financial penalties that these Rules introduce.