Clayton Ostler
Head Geek
In the Battle Against Phishing, the Real Enemy is Curiosity, Greed, Misplaced Trust, and Boredom
Monday, March 3, 2014, 1:53 PM
If you have been using the Internet for a while, you will remember the Anna Kournikova virus of 2001, which tempted users with a message along the lines of “to see hot pics of Anna Kournikova, click here.”
You also probably remember the Nigerian money scam (the advance-fee or “419” scam), in which email recipients were offered a share of millions of dollars in exchange for providing a bank account into which funds could be deposited, supposedly to rescue someone’s inheritance.
We laugh now at how incredibly obvious these scams seem, but at that earlier stage in Internet history, most of us were more naive and trusting than we are now.
By 2003, the term “phishing” was widely accepted and used by most technologists to describe the practice of tricking unsuspecting users into handing over personal or confidential data.
Fast forward to today. Users have become wiser, more skeptical, and less prone to take the bait of a phishing scam, but the scams have evolved to become far more elaborate, deceitful, and dangerous.
Today, phishing scams range from fake websites that imitate American Express or Visa to phone calls from someone claiming to be your bank and asking you to “verify” account information. The data these scams are phishing for has also evolved.
Modern campaigns often deliver malware that harvests spreadsheets and documents from infected computers, or that scans contacts and mailboxes for personal identity data and credit card numbers. Phishing campaigns are also known to target corporate financials, source code, and even intellectual property (see http://blogs.wsj.com/cio/2013/02/22/why-engineers-fall-for-phishing-attacks).
Some technologies have been developed to help safeguard against phishing, such as site reputation services, identity monitoring, and data loss prevention software. But the truth is that phishing is not really a technology issue; it is a “people” issue.
Legions of IT professionals and millions of dollars spent on high-tech solutions will not stop users from handing over personal data, installing apps, or clicking a tempting link in hopes of getting rich or being entertained.
The best protection from phishing comes largely from training and from constantly reinforcing a culture of common sense and caution.
None of the following statements and suggestions is new or groundbreaking, but including them in personnel training, reviewing them frequently, and writing them into the corporate Internet usage policy can help breed that culture of common sense and caution.
Don’t believe everything you read, hear, or see online. Actually, be slow to believe anything.
- Just because you received an email, or an email seems to point to a reliable website, does not make it genuine. You are never obligated to open an email or follow a link because it appears in your inbox and, more importantly, you should never do so just out of curiosity. When a message seems designed to strongly pique your interest, be especially wary.
- Anyone with a little Photoshop and HTML skill can author an email or build a website that appears to come from a legitimate or reputable source. Logos and layout prove nothing. Be skeptical.
- If someone claims to represent a company via email, phone, or a website, you do not need to take their word at face value. Follow up and ask questions. If in doubt, check with your IT department. Ask yourself “who wants to know this information and why do they need it?” Offer to call back, and use a phone number you look up yourself (on the back of your card or on the company’s official site), not a number the caller or the email gives you.
- Do not give out data to anyone or to any website unless you are 100% certain of the source and of why the information is legitimately needed. Legitimate companies do not ask customers to email credit card numbers, social security numbers, or account login credentials.
- Never install any software unless you are certain what it does. Free apps that offer browser toolbars, coupons, emoticons, weather updates, downloads, etc. should be treated with suspicion. Ask yourself whether your IT department would approve of the app being used at work.
- If an offer seems too good to be true, it almost certainly is. Online offers for “free money” or “free iPads” are simply not credible in most circumstances.
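The point about an email that only “seems to point to” a trusted site can be made concrete: the text you see in a link and the address it actually opens are two separate things. The following is an added example, not code from the original post, showing how to pull every link out of an HTML email, compare the displayed text with the real target host, and flag the two most common tricks (a display/target mismatch and an internationalised “xn--” host). The email body, the hosts in it, and the helper names are all constructed for this example.

```python
"""Check where the links in an HTML email really go.

Added example (not from the original post): extracts every <a> element,
compares its visible text with its real href, and flags a display/target
mismatch or a punycode (xn--) host. All hosts below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body, not a real message. The first link shows a
# trusted address but goes elsewhere; the second uses a constructed
# punycode-style label; the third is consistent.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account at
<a href="http://americanexpress-verify.example.net/login">https://www.americanexpress.com/</a></p>
<p>Track your package: <a href="http://xn--pypal-4ve.example.com/track">paypal.com</a></p>
<p>Visit us: <a href="https://www.visa.com/">https://www.visa.com/</a></p>
"""

# Matches link text that looks like a URL or bare domain; group 1 is the host.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL (scheme added if missing), or None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def check_links(html):
    """Return one finding per link: href, text, real host and why it is suspect.

    An empty 'reasons' list means the displayed text and the target agree and
    the host contains no xn-- label. That is not proof the link is safe, only
    that neither of these two tricks is present.
    """
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = []
        target = host_of(href)
        shown = DOMAIN_LIKE.match(text)
        if shown and target and shown.group(1).lower() != target:
            reasons.append("display text names %s but the link goes to %s"
                           % (shown.group(1).lower(), target))
        if target and any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("target host uses a punycode (xn--) label, a common look-alike trick")
        findings.append({"href": href, "text": text, "host": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(status, finding["text"], "->", finding["href"])
        for reason in finding["reasons"]:
            print("    ", reason)
```

Run it against the constructed sample and the first two links are reported as suspicious while the third passes. The same check is what you do by hand when you hover over a link before clicking: read the real destination, not the text. Note that a clean result here says nothing about a link whose text is plain words (“click here”), which is exactly why the advice above is to not follow such links out of curiosity at all.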
With more than twenty years’ experience working with technology, I have never heard an IT professional say, “I wish that our users were less cautious with their data and less concerned about the information they give out.”
In the battle against phishing, the real enemy is curiosity, greed, misplaced trust, and boredom. In other words, the problem is human nature. The cure is education and awareness.