Phishing Prevention Guide

A phishing scam typically involves an impostor who pretends to be a legitimate entity and tries to coax customers of that entity into divulging their private financial information. The victims are both the legitimate entity, which might suffer a tarnished image as a result, and its duped customers, who might suffer significant financial loss or other problems related to identity theft.

I've written about phishing in the past and have mentioned the Anti-Phishing Working Group, which hosts a Web site ( http://www.antiphishing.org ) that contains various information related to phishing. At the site, you can find an archive that includes many, but probably not all, of the more prevalent phishing attacks--some of which are still underway.

The group also provides a couple of useful references that describe how to avoid phishing and what to do if you've been fooled into giving out your personal financial information. If you're interested in how the term "phishing" came to be used, you can read an interesting historical reference about that at http://www.antiphishing.org/word_phish.html .

Although the group's Web site is a good resource, one thing that it doesn't include is a detailed analysis of how phishing attacks are perpetrated. Some of the intricacies involved are readily apparent or can be surmised, but other tactics might not be so obvious. It's sometimes difficult to determine what lengths a given scammer might go to.

If you want a detailed examination of phishing, a new resource might help you. Next Generation Security (NGS) Software (a security software, consulting, and researching firm) recently released an extensive, 42-page white paper. "The Phishing Guide--Understanding and Preventing Phishing Attacks" includes information about how such scams are delivered to potential victims, what the attack vectors are, and how they work. The guide also includes details about how to counter such threats at the client, server, and enterprise levels. The guide looks at phishing from the perpetrator's perspective and the legitimate enterprise's perspective and includes advice for entities that want to defend themselves against becoming victims of such attacks. The guide is available in PDF format at http://www.ngssoftware.com/papers/NISR-WP-Phishing.pdf .