Reduce Phishing Risks With These 8 Tips From TRUSTe and Ernst & Young

April 12, 2005
April 12, 2005 - (HOSTSEARCH.COM) - Web hosting providers and webmasters may want to take note of a new guide titled "How Not To Look Like a Phish", published by TRUSTe, an online privacy non-profit organization, and professional services firm Ernst & Young. The guide is designed to help businesses communicate with their customers in ways that minimize the risks associated with phishing attacks. Phishing is the criminal act of posing as a legitimate business via digital communications to extract information such as social security numbers, credit card numbers and bank account numbers.

In a recent TRUSTe/Ponemon Institute study, 76 percent of respondents said they believe businesses bear the burden of educating the public on phishing protection. Sixty-four percent added that it is unacceptable for organizations to remain silent on the issue. To ease this burden and help businesses rebuild the public's trust in online communication channels, TRUSTe and Ernst & Young recommend best practices, including eliminating pop-ups, instant messaging and e-mail as tools for collecting information, and removing cross-site scripting flaws from a company's Web site.

"This burgeoning threat is not only putting the finances of individuals and businesses at risk, but also undermining the basic trust that makes e-commerce and digital communication possible," said Fran Maier, executive director of TRUSTe. "Most anti-phishing advice emphasizes the ways individuals can identify and avoid fraud, but businesses also must make it easier for their customers to distinguish legitimate from fraudulent online communications. This threat must be addressed as soon as possible by every company using online customer service."

"Companies need to avoid communicating with customers in ways that can be easily replicated by phishers," said Brian Tretick, a Principal with the Technology Solutions and Risk Services group of Ernst & Young LLP. "In addition, companies must have a clear domain name strategy that makes it difficult for copycat Web sites to exist, and steps need to be taken to eliminate any application security flaws that may allow malicious hackers to hijack your own Web site addresses."

The top recommendations from the guide include the following practices:

1) Eliminate the use of instant messaging and e-mail to collect information, unless the contact is initiated by the customer.
2) Never use an urgent, threatening, or time-sensitive tone.
3) Explicitly spell out Web site links and keep the links as straightforward and descriptive as possible. Don't hyperlink words like "click here", which are commonly used to mask false Web site addresses.
4) Personalize customer e-mail with non-threatening personal data like a first name so recipients know that the e-mail is coming from a company that knows them.
5) Direct customers to respond via your main home page as much as possible.
6) Protect your name by checking for unauthorized Web sites that use variations of your company name.
7) Authenticate your Web sites using digital certificates.
8) Be clear in communicating your anti-phishing strategy to customers.
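Practices 2 and 3 can be checked mechanically before a customer e-mail goes out. The following Python linter is an added example, not part of the TRUSTe/Ernst & Young guide: it flags generic link text such as "click here", links whose visible URL does not match the real destination, links to hosts outside the company's own domain, and urgent wording. The company domain, the phrase lists and the sample message are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists; a real deployment would tune these to its own templates.
GENERIC_LINK_TEXT = {"click here", "here", "login", "log in", "verify now"}
URGENT_PHRASES = ("immediately", "within 24 hours", "account will be suspended")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def lint_email_html(html, company_domain):
    """Return a list of findings for an outgoing HTML e-mail template."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if text.lower() in GENERIC_LINK_TEXT:  # practice 3: link text hides the URL
            findings.append(f"generic link text {text!r} hides destination {href}")
        if not (host == company_domain or host.endswith("." + company_domain)):
            findings.append(f"link to off-domain host {host!r}: {href}")
        if URL_LIKE.match(text):  # displayed URL must match the real target host
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown != host:
                findings.append(f"displayed URL {text!r} does not match target host {host!r}")
    lowered = html.lower()
    for phrase in URGENT_PHRASES:  # practice 2: no urgent or threatening tone
        if phrase in lowered:
            findings.append(f"urgent wording: {phrase!r}")
    return findings

# Constructed sample that violates both practices.
SAMPLE_EMAIL = """<p>Dear customer, your account will be suspended unless you
<a href="http://192.0.2.10/login">click here</a> immediately. You can also visit
<a href="http://example-bank.com.example.net/">www.example-bank.com</a> or
<a href="https://www.example-bank.com/account">www.example-bank.com/account</a>.</p>"""
```

Running `lint_email_html(SAMPLE_EMAIL, "example-bank.com")` reports six findings; the third anchor, whose visible text and target agree and stay on the company domain, produces none.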

A copy of the full guidelines, including illustrative do's and don'ts, is available upon request.
