The ISF report provides a detailed five-point strategy to tackle the threat of phishing attacks. But while two-factor or even three-factor authentication is seen as a strong preventative measure, the report suggests that savings from direct fraud alone do not currently justify the expenditure. Organisations should consider other factors such as reputational damage, regulatory intervention or loss of competitive advantage.
Significantly, the report points to better education of customers about phishing and identity theft as being a more immediate requirement. This should be supported by a strong anti-phishing policy, continuous Internet monitoring to identify phishing activity and brand misuse, and better internal protection. In particular, with criminal gangs planting and grooming company ‘moles’, the need to secure customer databases from internal attack is becoming increasingly important.
“We believe that email phishing will move away from English-speaking regions to Asia, China and the Middle East, to be replaced by a surge in sophisticated and well-organised Trojan attacks,” said Andrew Wilson of the Information Security Forum. “Often, the first time an organisation knows that it is under attack is when customers notice money missing from their accounts, so it will become vital to put early warning mechanisms in place. These can include closely monitoring customer complaints and feedback for signs of attack, regular checking of web sites for the unauthorised use of logos and brand names and open-source intelligence gathering for indications of planned attacks.”
“Improving user awareness of Internet risks is key to fighting online fraud, but in a manner that does not risk losing customer confidence in ecommerce and online banking,” adds Andrew Wilson.
The ISF report, along with over 150 authoritative reports on information security issues, is available to ISF members.
About the ISF
The Information Security Forum was founded in 1989 and is a not-for-profit international association of over 260 leading organisations which fund and co-operate in the development of practical, business-driven solutions to information security and risk management problems. The ISF undertakes a leading-edge research programme and has invested more than US$75 million to create a library of over 150 authoritative reports that are available free of charge to ISF Members.