According to the recently released Anti-Phishing Working Group (APWG) Phishing Activity Trends Report for Q1 2012, the number of brands hijacked by phishers reached an all-time high in February and March of this year. As if that weren't enough, the APWG also reported that the number of unique phishing sites detected in a single month set a new monthly record. Yikes! So, given this surge in phishing activity, what can a brand do to better protect itself?
The APWG reported that in February and March of this year, 392 brands were targeted each month, an 8% increase over the previous high set last December. Before the December figure, the high-water mark had stood since August 2009. Moreover, the number of unique phishing sites detected in a month reached 56,859 in February, eclipsing the previous high of 56,362, also set in August 2009. To put this in perspective, in February of this year about 81 phishing sites were launched every hour of the month, or more than one new phishing site every minute. Now that's a lot of phish!
Factoring in the impact to the brand: according to a recent Cisco report, the reputational cost of an attack (the negative impact on the brand) is approximately $1,900 per infected user. At that rate, an attack that compromises 500 accounts carries a reputational cost of almost $1 million. Add the direct financial losses to the cybercriminals and the internal resource costs (help desk, forensic investigation, etc.), and the total cost of the attack rises to about $1.4 million!
While major brands, particularly those in the financial and payment services sectors, are no doubt aware of this trend and likely have brand protection strategies in place, there are many others who may acknowledge the problem but feel their brand is not big enough to be phished. To those in this camp, let's just say that if the current phishing trend continues, I'm not sure anybody with an online customer base will be immune to future attacks. This is particularly concerning for brands whose only presence is online and who rely heavily on email marketing to drive revenue and customer awareness.
But what can a brand do to better protect itself and its customers? Hoping and praying that your brand will not be attacked may work for some, but for those who believe hope is not a strategy, here are a few ideas:
- Create a Domain Inventory: List all of your registered domains (and subdomains) and identify which web and email traffic originates from each. Be sure to include other departments and any third parties who send email on your behalf. Also record when each domain was registered and when it expires.
- “Defensively Register” Domains: Register any domains that you believe phishers could use to spoof your brand. For example, if your brand lives at www.bigbank.com, you may want to defensively register b1gbank.com (the look-alike with a digit 1 in place of the letter i).
- Deploy Email Authentication: Deploy SPF and DKIM across all of your outbound mail streams. SPF lets receivers verify that the server sending a message is authorized to send for your domain, and DKIM signs the message headers and body so receivers can verify that the message was not altered in transit. Return Path has developed an Email Authentication Guide that can help you with this effort.
- Publish a DMARC Record: DMARC, developed in coordination with Microsoft, Google, Yahoo!, Return Path and others, tells receiving ISPs what to do with messages that carry your domain in the From: header but fail to authenticate with SPF or DKIM under a domain aligned with yours. Publishing a DMARC record is relatively easy and costs nothing: it is a DNS TXT record at _dmarc.yourdomain. It also helps with your domain inventory, because receivers send you aggregate reports on all mail streams claiming to come from your domains. Before moving to a quarantine or reject policy, DMARC's “monitor” mode (p=none) lets you identify every mail stream that is not authenticating without affecting delivery. Please check out the Return Path DMARC webpage for more information on the benefits of using DMARC.
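To show what the monitor-then-enforce progression in the last bullet means on the receiving side, here is an added Python example (it is not Return Path's code and not part of the original post) that parses a DMARC record and evaluates SPF/DKIM identifier alignment the way a receiving ISP would. bigbank.com is the post's own placeholder brand; the two DNS records, the sender domains (phisher.example, forwarder.example, esp.example) and the message results are constructed for illustration. One simplification is labelled in the code: the organizational domain is taken as the last two labels rather than looked up in the Public Suffix List.

```python
"""DMARC alignment evaluation against constructed DNS records.

Added example for this post, not Return Path code. bigbank.com is the
post's placeholder brand; the records, domains and message results below
are constructed for illustration only.
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Requires the record to start with v=DMARC1 and to carry a valid p= tag
    (the two mandatory tags); fills in defaults for the alignment modes.
    """
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record: %r" % txt)
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # parsed here but not applied below
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Assumption for this example: real receivers consult the Public Suffix
    List (so that e.g. bank.co.uk is handled correctly); this code does not.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) requires an exact match, relaxed (r)
    only requires the same organizational domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, msg):
    """Return (dmarc_pass, disposition) for one message.

    msg carries the From: header domain plus the SPF result and the domain
    it authenticated (MAIL FROM), and the DKIM result and the d= domain of
    the signature. DMARC passes if either mechanism passes *and* aligns
    with the From: domain; otherwise the published policy applies.
    """
    tags = parse_dmarc(record)
    from_domain = msg["from_domain"]
    spf_ok = msg["spf_result"] == "pass" and aligned(
        msg.get("spf_domain"), from_domain, tags["aspf"])
    dkim_ok = msg["dkim_result"] == "pass" and aligned(
        msg.get("dkim_domain"), from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"          # deliver normally
    policy = tags["p"]
    # sp= overrides p= for mail from subdomains of the organizational domain.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return False, policy


# Constructed records: the monitor-mode record you publish first, and the
# enforcing record you move to once every legitimate stream authenticates.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@bigbank.com"
ENFORCE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                  "rua=mailto:dmarc-reports@bigbank.com")

# Constructed message results, as a receiver has them after SPF/DKIM checks.
LEGIT_ESP = dict(from_domain="bigbank.com", spf_result="pass",
                 spf_domain="bounce.bigbank.com",   # ESP bounce subdomain
                 dkim_result="pass", dkim_domain="bigbank.com")
SPOOF = dict(from_domain="bigbank.com", spf_result="pass",
             spf_domain="phisher.example",          # attacker's own SPF passes
             dkim_result="none", dkim_domain=None)
FORWARDED = dict(from_domain="bigbank.com", spf_result="fail",
                 spf_domain="forwarder.example",    # SPF breaks on forwarding
                 dkim_result="pass", dkim_domain="bigbank.com")
UNSIGNED_SUBDOMAIN = dict(from_domain="news.bigbank.com", spf_result="fail",
                          spf_domain="esp.example", dkim_result="none",
                          dkim_domain=None)

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT_ESP), ("spoof", SPOOF),
                      ("forwarded", FORWARDED), ("subdomain", UNSIGNED_SUBDOMAIN)]:
        print(name, "monitor:", evaluate(MONITOR_RECORD, msg),
              "enforce:", evaluate(ENFORCE_RECORD, msg))
```

Two things worth noticing in the output: under the p=none record the spoofed message is still delivered (disposition "none"), but it fails DMARC and so shows up in the aggregate report sent to the rua= address, which is exactly the inventory data the bullet describes; and the forwarded message, whose SPF check breaks, still passes because its DKIM signature survives forwarding, which is why you want both mechanisms deployed before moving to p=reject.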