Tuesday, October 7, 2008

Educate Your Users About Phishing

Phishing methods are becoming more and more sophisticated. The only thing a scammer needs to start a phishing campaign is the email addresses of your user community, and those aren’t very hard to guess. Most companies use a standard naming convention for their email addresses: name@company.com. Once a scammer figures out what syntax you’re using for the name field (jseabury@company.com, jp.seabury@company.com, jp_seabury@company.com, etc.), they can get employee name information and start phishing your employees directly.

Bah … how are they going to get the names of my employees? Social networking sites make it easy. A scammer can create a bogus LinkedIn profile, and indicate that they worked at a particular company. They can immediately get a list of all the other employees of that company, including their first name and last name. Wham – now they’ve got a phishing list.

As a System Administrator, your best defense against phishing attacks starts with education. If you don’t have a periodic newsletter, company blog, or Security Awareness training program, start one. Get in front of your users and educate them about phishing. Show samples of fraudulent email and phishing attempts. Demonstrate how easy it is to be lured to a false website. Instruct them to verify the browser address of the site they are logging into: https://www.salesforce.com/login.jsp or https://login.salesforce.com. Show samples of bad URL addresses, like http://salsforce.com and http://go-salesforce.com. The differences can be very subtle, and it’s easy to be fooled by them.

Caution your team never to fill out personal information in an HTML form embedded in an email. Train users to hover their mouse over links in an HTML email and read the URL embedded beneath the link before clicking on it. The link text can look perfectly legitimate, but the embedded URL might navigate to a non-Salesforce.com website:
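The hover-and-read check above can be automated for awareness training or mail screening. The following is an added example, not code from the original post: it pulls every link out of an HTML email body, compares the host the visible link text claims with the host the link really goes to, and then checks the real host against the two legitimate login addresses named above (treating that pair as the allow-list is an assumption of the example; the sample email is constructed and uses the lookalike hosts from this post).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate login hosts named in the post. Using this set as the allow-list is
# an assumption of this example; an organisation would maintain its own.
TRUSTED_HOSTS = {"www.salesforce.com", "login.salesforce.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased hostname of a URL; http:// is assumed if no scheme is given."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def suspicious_links(html):
    """Return (href, visible text, reason) for each link a user should not follow."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = _host(href)
        # Hover-and-read rule: a host named in the visible text must match the real one.
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != real:
            findings.append((href, text, f"text shows {shown} but link goes to {real}"))
        elif real not in TRUSTED_HOSTS:
            findings.append((href, text, f"{real} is not a trusted login host"))
    return findings

# Constructed sample: a genuine link, a lookalike host from the post, and a
# link whose displayed URL differs from its real destination.
SAMPLE_EMAIL = """
<p>Please <a href="https://login.salesforce.com">log in</a> to your account.</p>
<p>Help: <a href="http://go-salesforce.com">Salesforce support</a></p>
<p>Or use <a href="http://salsforce.com/login.jsp">https://www.salesforce.com/login.jsp</a></p>
"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the go-salesforce.com link as an untrusted host and the salsforce.com link as a mismatch between what the user sees and where the link goes; the genuine login.salesforce.com link passes.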

Instruct your team about malicious attachments, like key loggers, viruses and other malware. Keep your anti-virus signatures up to date, but don’t trust them to be your only defense.

Renew these training programs every couple of months, and include samples of phishing attacks that have been seen at your company.

Finally, if users think they have been targeted by a phishing attempt, train them to log out of their computer, power it completely off, and contact their System Administrator immediately. Compromised computers should be turned over to IT, so they can be checked and cleared of malware. System Administrators should immediately reset the password of the affected user, to prevent unauthorized access.

After educating your users about phishing and malware, your next defense is setting up tighter security within Salesforce.com – and that’s a topic for tomorrow.
