The latest news about "phishing" is not good for small and mid-size businesses. Phishers, people who send fraudulent emails and try to lure unsuspecting recipients into revealing confidential information on a phony website, are no longer impersonating only big commercial banks. They've started using the names of smaller companies, too.
Phishing is a nightmare not just for the consumer recipients, who have doubled in number since 2004, according to a recent Gartner Inc. report, but also for the businesses whose brand names are being misused. When customers receive a phishing email that purports to be from your company, the company's good name gets tarnished. That's not exactly a good way to brand a growing business. And there is always the risk that your company could be sued.
Phishing, unfortunately, isn't going away anytime soon, although it is changing in nature. Gartner found that phishing emails are impersonating banks less often and other types of companies more often. Many of those other brands are also big companies like eBay and PayPal, or financial firms such as mid-size banks, but the threat to more types of businesses is growing. The good news, according to Gartner analyst Avivah Litan, is that typically "really small businesses aren't attacked because criminals don't know about them." However, any brand can be at risk. Here's what you should know to protect your small business:
Be the master of your domain
Know the domain names that your company has registered and proactively register variations of those names. This way, if phishers try to set up a website imitating your business, the obvious variations on that name are already spoken for and hopefully customers are less likely to be fooled. The best defense, the cliché goes, is a good offense.
Eyes wide open
Continuously monitor the Internet for suspicious new domain registrations and changes to existing domain registrations, says Todd Bransford, vice president of marketing at online monitoring company Cyveillance, of Arlington, Va. “Early detection of a registration of a domain that’s similar to your organization's domain could allow you to minimize or even prevent a phishing attack.”
If you would rather farm out the monitoring of domain registrations, there are online fraud prevention companies, like Cyveillance and another one called MarkMonitor, that can do this for you. The rates for monitoring companies typically run upwards of thousands of dollars per month.
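The domain advice above (register the obvious variations of your name, and watch new registrations that resemble your domain) can be turned into a simple screening step. The following is an added example, not code from the article or from the companies it quotes: it folds common lookalike tricks (hyphens, digit-for-letter swaps, "rn" for "m", accented or punycode names) and flags new registrations that contain the brand or sit within a small edit distance of it. The brand `acmebank.com` and the registration feed are constructed for the example, not real registrations, and the label extraction assumes a one-part public suffix.

```python
import unicodedata

# Constructed sample feed of "newly registered" domains (not real registrations).
NEW_REGISTRATIONS = [
    "acmebank.com",          # the legitimate domain itself
    "acme-bank.com",         # hyphen insertion
    "acmebnak.com",          # letter transposition
    "acmebank-login.com",    # brand plus a plausible suffix
    "acrnebank.com",         # "rn" stands in for "m"
    "acmeb4nk.net",          # digit substitution
    "weatherreport.org",     # unrelated registration
    "xn--acmebnk-9wa.com",   # punycode for acmeb\u00e4nk.com (accented a)
]

# Digits that are commonly used in place of the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b"})

def normalize(label: str) -> str:
    """Fold tricks that make a lookalike read like the brand."""
    if label.startswith("xn--"):               # internationalized (punycode) label
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass                               # leave undecodable label as-is
    label = unicodedata.normalize("NFKD", label)           # split off accents ...
    label = "".join(c for c in label if not unicodedata.combining(c))  # ... and drop them
    label = label.lower().translate(HOMOGLYPHS)
    return label.replace("rn", "m").replace("vv", "w").replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label ('acmebank' from 'acmebank.com'); assumes a one-part suffix."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_lookalikes(brand_domain: str, candidates, max_distance: int = 2):
    """Return (domain, reason) for each candidate that resembles the brand."""
    brand = normalize(registrable_label(brand_domain))
    flagged = []
    for domain in candidates:
        if domain.lower() == brand_domain.lower():
            continue                           # our own registration
        label = normalize(registrable_label(domain))
        if brand in label:
            flagged.append((domain, "contains brand"))
        elif (dist := edit_distance(brand, label)) <= max_distance:
            flagged.append((domain, "edit distance %d" % dist))
    return flagged
```

Running `flag_lookalikes("acmebank.com", NEW_REGISTRATIONS)` flags every sample except the brand's own domain and the unrelated one; in practice the candidate list would come from a zone-file or registration feed rather than a literal.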
Teach your clients
Educate your customers, suggests Bransford. That means letting your customers know how you plan to contact them, whether by mail, telephone, or email. "Post a clear policy on your site, in plain English describing how you will contact them," says Frederick Felman, chief marketing officer of MarkMonitor, a San Francisco firm. Felman says to also specify "what type of info you will ask for.... and what you will NEVER ask for," such as passwords. Remind your customers to use the anti-phishing features in some Web browsers, as well.
Alert browser companies and email providers about the fraudulent URLs used by phishers so that each URL you identify is blocked in the browser or when the email is sent, advises Felman. Internet Explorer 7.0 and Firefox 2 do a great job of blocking phishing sites. Litan cautions, however, that this solution is not a cure-all.
Have a strong anti-phishing and authentication message prominently displayed on your website, Bransford says. This should include a mechanism for reporting suspicious emails or suspected phishing attacks, such as a special inbox (firstname.lastname@example.org). Customers are on the front line of these attacks and can be the first to alert you that your business has been targeted.
Take that extra step
Felman suggests including electronic signatures with your emails so that email providers know when an email sent by your company is really sent from you.
Have a plan in place in the event your company becomes a victim of phishers. Remember to take care of your customers. Provide those who believe they have become victims with information on what to do, such as contacting the major credit bureaus. You might also want to provide them with free credit reports for a certain time period, as a gesture of good will. Remember to alert other customers about the potential fraud: put a notice on your website at a minimum, and perhaps also contact them by mail.
Contact authorities and report the crime immediately. Also contact the Anti-Phishing Working Group. Have a plan in place to notify website owners and Internet Service Providers to get phishing sites taken down, says Felman. Gather the numbers in advance. Just as with stolen credit cards, it can be a real hassle to hunt for numbers in the middle of a crisis. If that doesn't work, monitoring companies can take care of all of this quickly for you, even if you hire them after an attack. Cyveillance's Bransford also suggests having a public relations strategy ready to minimize the damage.
The bad news is that there’s nothing a small business can do to provide 100 percent protection from getting hit. If even big companies like PayPal aren’t able to stop it, cautions Gartner’s Litan, that doesn’t bode well for smaller businesses.