Just as successful phishers have turned to a distributed, multi-tiered system of attacks, so must institutions and consumers rely on a distributed, multi-tiered and layered defense in order to protect themselves. There is no silver bullet solution to defeat phishing; instead, a variety of technical and social techniques must be employed.
User Education
One key element of the fight against phishing, and of information security in general, is consumer education. After all, if potential victims could be convinced to inspect email headers, to verify URLs before clicking them, and never to reveal personal or financial information in response to an unsolicited message, much of the problem would disappear. Education alone is not a sufficient answer, however; con men have been running the same scams by telephone and postal mail for decades, and the Internet merely gave them cheaper reach. Yet many consumers are eager to learn how to protect themselves from online fraud, and the savvy ones will do so when taught. User education is therefore an inexpensive yet high-profile way to decrease fraud while showing customers that a business values their trust.
Email Authentication
An important technical countermeasure is for businesses to deploy an email authentication technology such as Sender ID or DomainKeys Identified Mail (DKIM) on their mail systems. The Simple Mail Transfer Protocol (SMTP), the dominant standard for email transmission, provides no sender authentication of its own, so it is trivial for an attacker to send messages that appear to originate from a legitimate domain. DKIM addresses this with a cryptographic signature: the sending domain signs selected headers and a hash of the message body with a private key and publishes the matching public key in DNS, so a receiver can verify both the signing domain and the integrity of the message. Sender ID, like the SPF mechanism it builds on, works from the connecting server instead: the domain publishes in DNS the addresses permitted to send its mail, and the receiving server checks the connecting address against that list and can reject forgeries. Together they make it hard for a phisher's mail server to masquerade as that of a bank or other financial institution, and since the two are complementary, businesses should ideally deploy both. Two caveats matter in practice. Authentication only helps when receiving systems actually check it and the published policy tells them to reject failures rather than merely flag them. And it proves only that a message came from the domain it claims: a phisher who registers a look-alike domain can publish valid DNS records and sign mail perfectly, so authentication must be paired with monitoring for cousin domains.
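To make the two mechanisms concrete, here is an added example (not code from the original page, and not a production implementation of either standard) of the checks a receiving server performs. The DNS zone data, the domain names and the RFC 5737 test addresses are constructed for the example. The SPF evaluator covers only the ip4, ip6, include and all mechanisms (Sender ID applies the same record syntax to the header-derived sender rather than the envelope sender), and the DKIM part computes and checks only the body hash (the bh= tag) with "simple" canonicalization, leaving out the RSA signature over the headers. The look-alike domain in the zone data shows the caveat from the paragraph: the attacker's mail passes authentication for the attacker's own domain.

```python
import base64
import hashlib
import ipaddress

# Constructed DNS zone data for the example (not real records). The IP ranges are
# RFC 5737 documentation blocks, so nothing here refers to a real mail host.
DNS_TXT = {
    "example-bank.com":      "v=spf1 ip4:192.0.2.0/24 include:mail.example-bank.com -all",
    "mail.example-bank.com": "v=spf1 ip4:198.51.100.10 -all",
    # A look-alike ("cousin") domain registered by an attacker, who naturally
    # publishes a record authorising the attacker's own sending server.
    "examp1e-bank.com":      "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate an SPF-style record for one connecting IP address.
    Returns pass / fail / softfail / neutral / none / permerror.
    Only ip4, ip6, include and all are implemented; mx, a, ptr and exists
    are omitted to keep the example short."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no policy; receiver cannot judge
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # A v6 address is never inside a v4 network (and vice versa); ipaddress handles that.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced domain's record yields "pass".
            if spf_check(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' term present


def dkim_body_hash(body):
    """Compute the DKIM bh= value using 'simple' body canonicalization
    (RFC 6376 section 3.4.3): normalise line endings to CRLF, drop empty
    trailing lines, guarantee exactly one terminating CRLF, then SHA-256
    and base64-encode the digest."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canonical = "".join(line + "\r\n" for line in lines) or "\r\n"
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_body_intact(body, bh_tag):
    """Receiver-side integrity check: recompute bh= over the body as received
    and compare it with the value carried in the DKIM-Signature header."""
    return dkim_body_hash(body) == bh_tag


if __name__ == "__main__":
    for dom, ip in [("example-bank.com", "192.0.2.77"),      # authorised range
                    ("example-bank.com", "198.51.100.10"),   # authorised via include:
                    ("example-bank.com", "203.0.113.5"),     # attacker's server, forged domain
                    ("examp1e-bank.com", "203.0.113.5")]:    # attacker's own cousin domain
        print(f"{dom:22} from {ip:14} -> {spf_check(dom, ip)}")
    signed = dkim_body_hash("Dear customer,\nPlease log in.\n")
    tampered = "Dear customer,\nPlease log in at http://examp1e-bank.com\n"
    print("body intact after tampering:", dkim_body_intact(tampered, signed))
```

Note the fourth SPF line of the demo: the message from 203.0.113.5 fails for example-bank.com but passes for examp1e-bank.com. Authentication has done its job (the mail really is from the domain in the header); it is the reader, or a cousin-domain monitor, that must notice the "1" in the name.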
Consumer Reporting
Phishing threatens every company and consumer who uses the Internet, and because of this many users are eager to help by reporting suspected hoaxes. User reports are often the most effective way a company learns that a phishing site is impersonating it. Potentially targeted companies should therefore make reporting easy: every company should have a link on its home page to a web form where anyone can report suspected fraud, and a publicized email address to which users can forward suspicious messages, ideally as attachments so that the original headers survive for analysis.
Anti-phishing Solution Deployment
Institutions must be proactive in order to defend their brand, reputation and customers from the threat of phishing. An anti-phishing solution has many components: monitoring for, and where practical defensively registering, the cousin or mock domains that resemble the real brand; detecting and analyzing attacks in progress; and the technical and administrative (takedown) work of shutting down phishing sites. Some solutions try to prevent phishing from occurring by authenticating and filtering email; others filter web content through consumer products such as browser toolbars. Most anti-phishing solutions rely on an Internet data center that collects, analyzes, and responds to threats, and many depend on consumers to report phishing email and web sites, then target those email and web servers for shutdown. Anti-phishing solutions must offer this full range of services in order to defeat a phishing attack in a timely manner.
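The consumer-reporting and cousin-domain points above come together in triage: once reports arrive, someone has to decide quickly which URLs are a look-alike of the protected brand. The following is an added example (not code from the original page or from any anti-phishing vendor) of that first-pass classification. It generates the cousin domains a phisher is likely to register for one brand (homoglyph swaps, dropped letters, transposed neighbours, "secure-"/"login-" style prefixes and suffixes), then labels a batch of reported URLs. The brand name, the reported URLs and the homoglyph table are constructed for the example, and the registrable-domain helper simply takes the last two labels, an assumption that would need a public-suffix list in real use.

```python
from urllib.parse import urlparse

# Single-character (or two-for-one) look-alike substitutions seen in cousin domains.
# Constructed for the example; a real deployment would use a much larger table.
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
KEYWORDS = ("secure", "login", "online", "verify", "update")


def cousin_domains(brand):
    """Generate look-alike domains for `brand` (e.g. 'examplebank.com'):
    homoglyph swaps, single omissions, adjacent transpositions and
    keyword prefixes/suffixes. Returns a set that excludes the brand itself."""
    name, tld = brand.rsplit(".", 1)
    cands = set()
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            cands.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")            # homoglyph
        cands.add(f"{name[:i]}{name[i + 1:]}.{tld}")                     # omission
        if i + 1 < len(name):
            cands.add(f"{name[:i]}{name[i + 1]}{ch}{name[i + 2:]}.{tld}")  # transposition
    for kw in KEYWORDS:
        cands.add(f"{kw}-{name}.{tld}")
        cands.add(f"{name}-{kw}.{tld}")
    cands.discard(brand)
    return cands


def edit_distance(a, b):
    """Levenshtein distance; catches near-misses the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the hostname. Assumption for this example: no
    public-suffix list is consulted, so 'brand.co.uk'-style names would be
    mishandled in real use."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage_reports(urls, brand):
    """Classify consumer-reported URLs against one protected brand domain.
    Returns a list of (url, verdict) pairs; verdicts are checked in order of
    confidence, so the brand's own subdomains are cleared first."""
    name = brand.rsplit(".", 1)[0]
    cands = cousin_domains(brand)
    results = []
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        dom = registrable_domain(host)
        if dom == brand:
            verdict = "legitimate-domain"     # the brand or one of its subdomains
        elif dom in cands:
            verdict = "cousin-domain"         # exact hit on a generated look-alike
        elif name in host:
            verdict = "brand-in-hostname"     # e.g. examplebank.com.account-check.example
        elif name in parsed.path.lower():
            verdict = "brand-in-path"         # e.g. http://203.0.113.5/examplebank/login
        elif edit_distance(dom.rsplit(".", 1)[0], name) <= 2:
            verdict = "near-miss"             # close spelling the generator did not cover
        else:
            verdict = "unrelated"
        results.append((url, verdict))
    return results


# Constructed sample reports (not real URLs); 203.0.113.5 is an RFC 5737 test address.
REPORTED_URLS = [
    "https://online.examplebank.com/login",
    "http://examp1ebank.com/verify",
    "http://secure-examplebank.com/",
    "http://examplebank.com.account-check.example/",
    "http://exemplebank.com/",
    "http://203.0.113.5/examplebank/login",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for url, verdict in triage_reports(REPORTED_URLS, "examplebank.com"):
        print(f"{verdict:18} {url}")
```

The ordering of the checks is the design point: a URL on a genuine subdomain must never be flagged as a cousin, and the cheap exact-match against the generated set runs before the edit-distance fallback, which is the only step whose cost grows with the length of the brand name. Anything other than "legitimate-domain" or "unrelated" is a candidate for the takedown queue.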