Don't Get Hooked: Protecting Your Business from Phishers
By Andy Klein, Senior Product Marketing Manager, SonicWALL

It is widely understood that a virus attack can cause serious damage. As a result, anti-virus software has become virtually standard in businesses of all sizes today. Unfortunately, phishing is not nearly as well understood, and far fewer small businesses are prepared to deal with phishing attacks. Like viruses, phishing emails can cause serious harm to a small- to medium-sized business (SMB). But there are ways to protect yourself from these effects.

Most importantly, an SMB owner must realize that phishing attacks are not virus attacks. A classic phish carries no malicious software, only a request for information, so anti-virus software is not going to protect your company against it. Similarly, anti-spam filters form only one small element of your anti-phishing defense. Spam is merely an attempt to cast a wide net to try to sell something. A phishing attack is an attempt to trick you into divulging account, financial, and identity information. Phishing attacks can be highly targeted and are designed to appear legitimate, so they frequently will not be detected as spam.

The fact is, there is no "silver bullet" for phishing attacks, and protecting yourself against them requires a defense on multiple fronts. After acknowledging the problem, and realizing its extent and nature, anti-phishing protection takes three forms: education, policies, and technology.

Education

While people are getting better at spotting a phishing email, there is still a one in ten chance that someone will consider a phishing email legitimate and put your network, themselves, and your company in danger. Understanding the nature of phishing won't stop phishing emails from arriving in your in-box, but it can prevent damage and theft from occurring. Educating your staff about how to recognize a phish is the first step. In addition to learning how to recognize a phishing email, encourage your users to keep track of what email they expect to receive.
When an email comes in asking for information, the first thing to ask is, "did I expect this email?" If it comes unexpectedly, question its source, no matter how legitimate it looks or how urgent the message may be.

A phishing email will often rely on deceptive URLs, and this can be an easy way to recognize one. A link can easily be made to look legitimate, but (depending on your email client) if you simply hover your cursor over the link you can reveal the true URL. If the link text appears to point to a legitimate source, but the actual link goes somewhere different, this is probably a phish. Phishers will often use techniques such as URL redirection, long and complex URLs, and raw IP addresses. Although any of these gives you reason to question an email, none of them is proof that it is a phish: legitimate companies sometimes use these techniques as well.

An email asking for financial information, but not addressed to the recipient by name, is also an excellent indicator of fraud. But even an email that addresses you by name is no longer above suspicion. Phishers are shifting their focus away from large-scale email campaigns to more targeted attempts. Spear phishing, for example, targets a group of people within a specific company, and makes the email appear to be sent from an internal department.

Policies and Processes

Creating and enforcing a set of policies can go a long way towards eliminating the risks of phishing. Even before deploying any technological solutions, adhering to a policy and set procedures will render the majority of phishing attacks harmless. Here are a few simple policies that will keep you from getting caught up in the phisher's net.
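The link checks described under Education above (comparing the visible link with the real destination, raw IP addresses, redirection, long URLs) are the same checks a product's "contact point analysis" under Technology below automates, so here is one worked example of both. This is an added illustration, not code from the original article or from any SonicWALL product. The sample HTML body, the hostnames in it, the list of redirect parameter names and the length threshold for a "long" URL are all constructed assumptions for the demonstration:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the style of a phishing email. Every host is a
# reserved example name or documentation address; no real brand is implied.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be suspended. Please verify now:</p>
<a href="http://www.example-bank.com@203.0.113.7:8080/login">https://www.example-bank.com/login</a><br>
<a href="https://tracker.example.net/r?u=http://login.example-bank.com.evil.example/&amp;t=3f9a1c">Update billing details</a><br>
<a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>
"""

DEFAULT_PORTS = {"http": 80, "https": 443}
# Query keys often used to carry a redirect target (an assumption, not a standard list).
REDIRECT_KEYS = {"u", "url", "redirect", "redir", "goto", "next", "target", "dest", "link"}
# URLs longer than this are flagged as "long and complex" (threshold is an assumption).
LONG_URL = 80
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements, i.e. what the
    mail client shows versus where a click actually goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def analyze_link(href, text):
    """Return the list of indicators found for one link (empty list = nothing flagged)."""
    flags = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    # Appearance vs. destination: the text shows one domain, the href goes elsewhere.
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and _strip_www(shown.group(1).lower()) != _strip_www(host):
        flags.append("display/href mismatch")

    # A "user@" part before the real host is a classic way to hide the destination.
    if parts.username is not None:
        flags.append("userinfo obfuscation")

    if IPV4.match(host):
        flags.append("raw IP address")

    # Port disagreeing with the scheme's default (e.g. http on 8080).
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        flags.append("port inconsistency")

    # A full URL smuggled inside a query parameter: redirector or tracker hop.
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_KEYS and any(
            v.lower().startswith(("http://", "https://")) for v in values
        ):
            flags.append("redirection parameter")
            break

    if len(href) > LONG_URL:
        flags.append("long URL")

    return flags


def analyze_email(html):
    """Map each href in the message body to the indicators raised against it."""
    return {href: analyze_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, flags in analyze_email(SAMPLE_EMAIL_HTML).items():
        print(("SUSPECT " if flags else "ok      ") + href, flags)
```

Every indicator here is exactly that, an indicator. As the article notes, legitimate senders use tracking redirects and long URLs too, so a non-empty flag list is a reason to ask "did I expect this email?", not proof of a phish; only the first link, which combines a spoofed display domain, a hidden user-info prefix, a raw IP and an odd port, is close to self-evident.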
Technology

Education, policies and procedures form an excellent framework for your anti-phishing initiative, but procedures will inevitably be overlooked from time to time. Also, keep in mind that phishers are tricksters, and they are sometimes very good at what they do. No matter how well you educate your staff, the phishers are still likely to get a few emails through to unsuspecting staff.

Anti-virus technology, firewalls, and intrusion prevention/detection do not address this problem directly. While these elements are essential components of your overall security, they will do very little to prevent phishing attacks. Because the content of phishing emails, and the phishers themselves, are constantly changing, no single defense will be adequate. A security product that has been specifically designed to catch phishing attacks will combine three separate detection techniques. First, it conducts a header analysis to evaluate the sender's identity and compare it against a database of known phishing sources. Second, it analyzes the content of emails against a database of known samples of phishing and fraud emails, using content analysis to isolate potential fraud during the filtering process. Lastly, contact point analysis checks the links themselves for common tricks like obfuscated URLs, port number inconsistencies, redirections, and encoding used to exploit vulnerabilities in browsers and operating systems. The system can also flag common social engineering tricks by spotting differences between the way a link appears and where acting on that link actually takes you.

Everybody has a role

Keeping your business safe from phishing attacks requires constant vigilance, education, a good set of procedures and excellent technology. But most importantly, it means taking an active role, regardless of your position. First, on the individual level, each person must stay educated about phishing techniques, stay vigilant, and keep software up to date.
Second, avoid being an unsuspecting host for phishers by maintaining tight security and intrusion prevention/detection on your own systems. Make sure your customers understand how and when you will communicate with them via email, to minimize the chance of your own site being spoofed and used as a phishing platform.

There is no one solution to phishing. The best defense consists of policies and education, along with an integrated and comprehensive security suite that brings together all elements of phishing protection.

Andy Klein is the senior product marketing manager at SonicWALL.