April 11, 2005

www.truste.org

How Not to Look Like a Phish

Tips to Help Your Organization Minimize False Positives

Summary
Phishing is the criminal act of posing as a legitimate business via digital
communications to extract information such as social security numbers,
credit card numbers and banking account numbers. Businesses absorb
more than 90 percent of phishing attack costs as consumers lose faith in
Internet-based communication. TRUSTe, the leading online privacy non-
profit organization, and Ernst & Young, a global leader in professional
services, provide guidelines and examples to help businesses maintain
safer, reassuring digital communications with customers to minimize the
risks associated with phishing attacks. Businesses have a role to play in
rebuilding the public’s trust in online communication channels through
best practices including eliminating pop-ups, instant message and e-mail
as tools for collecting information and removing cross-site scripting
from a company’s Web site.

How Not to Look Like a Phish
Tips to Help Your Organization Minimize False Positives
THE PHISHING EPIDEMIC
IS WORSENING
Phishing is an online identity theft
technique used to lure consumers
into disclosing their personally identi-
fiable information including Social
Security numbers (SSN), account
names and passwords, and credit card
information. Oftentimes customers
are sent emails, pop-ups, and instant
messages that mimic legitimate cor-
porate communications. These com-
munications prompt the user to visit
fraudulent websites created to gather
their personal information. Financial
institutions, ISPs, and online retailers
are most susceptible to having their
brand spoofed in phishing attempts.
In fact, the most trusted brands are
often the most susceptible to being
hijacked. In the end, consumers are
lured in by these seemingly legitimate
communications into providing sensi-
tive information, often resulting in
credit card fraud, identify theft, and
even financial loss.
Consumers are not the only stake-
holders affected by phishing and
identity theft. While consumers bear
large emotional costs as victims of
identity theft, businesses bear signifi-
cant financial burdens. The FTC
reported in 2003, that identity theft
cost Americans approximately $53
billion dollars the year before. It was
estimated that consumers absorbed
$5 billion of the cost, whereas
Whitepaper – How Not to Look Like a Phish
businesses absorbed a whopping $48
billion of the cost. This number, while
significant, fails to account for the
impact that customer dissatisfaction,
a loss of brand equity, and wasted
resources have on organizations
which are most negatively affected
by phishing incidents.
The phishing epidemic is worsening.
Con artists and thieves are becoming
more cunning in the way they con-
struct emails and are discovering new
techniques to carry out their schemes.
Consumers are being fed information
from the government, industry work-
ing groups, individual organizations,
and the media about the dangers of
phishing attempts. As a result, online
consumers are growing more skeptical
about email and want to see action
taken to combat this problem.
CONSUMERS WANT ACTION
According to an online consumer
study conducted by TRUSTe and the
Ponemon Institute, 64% of respon-
dents believe it is unacceptable for
organizations to do nothing about
spoofing and phishing and 76% say
organizations should be required to
educate their customers. Industry
anti-phishing groups are surfacing
and legislation is being crafted to
combat online fraud. But how are
organizations preparing to protect
themselves and their resources?
Consumers are being armed with
www.truste.org
information to both avoid and report
phishing attempts, but what informa-
tion is available to organizations?
PROTECT YOUR BRAND AND
TAKE CONTROL
The threat of phishing and identity
theft is widespread and the grim
reality is that this problem affects all
organizations. Organizations may feel
helpless that their brands are being
hijacked and the problem is beyond
their control. However, there are certain
measures organizations can take to
control a potential phishing problem.
As organizations become more familiar
with the techniques of phishers, it is
important that they adopt new tech-
nologies and evaluate their current
technologies. It is equally important
that organizations effectively commu-
nicate the dangers of phishing with
staff, within the industry, and with
consumers.
TRUSTe and Ernst & Young have
created the following recommenda-
tions to help guide behavior in an
organization’s communications and
websites in order to minimize false
positives and build consumer confi-
dence. In the end, this guide will
help you avoid looking like a phish.
1

Technology
TIP
MESSAGE
Don’t get your customers in the habit
of responding to messages in ways that
they are receiving phishing messages.
Don’t request personal information
from customers directly from an email
hyperlink.
DELIVERY
Don’t use “click here” hyperlinks.
Do personalize email when possible.
Whitepaper – How Not to Look Like a Phish
www.truste.org
R AT I O N A L E : W H AT A P H I S H L O O K S L I K E
REASONING EXAMPLE
If customers are not used to responding You have sent a customer a package
to messages from your organization by and their shipping information is
email, pop up, or instant message, they incorrect. The information needs to
are more likely to be skeptical of be updated immediately so that the
spoofed communications. package is delivered on time and to
the correct location.
Instead of sending an email or instant
message requesting the user to reply
If customers are not used to providing
with his/her personal information, get
personal information via email, pop up,
customers in the habit of going directly
or instant message, they are less likely
to your website.
to provide personal information to
spoofed communications.
Never send emails asking customers to
supply, verify, or update personal or
account inform a t i o n . Especially stay away
from requests pertaining to passwords,
SSN’s, PIN’s, and account numbers.
REASONING EXAMPLE
Obscure “click here” hyperlinks are Direct customers to your website:
common in spoofed messages. No www.yourcompany.com
hyperlinks should be distributed to the
customer since the hyperlinked text versus
can appear different than the link the
Providing a link to click:
user is taken to after clicking the link.
click here
Get your customers in the habit of
clicking on the visible URL or going
to your website directly.
You know your customers’ names. Use Use:
them. Sending emails with personalized Dear James, or Dear James Smith
information helps users identify
versus
legitimate versus spoofed email.
Dear Sir or Madam, or Greetings
More personalized communications
will allow consumers to recognize you
as a legitimate sender.
2

Technology ‘cont
TIP
DELIVERY ‘CONT
Don’t link to third party sites from
your email messages.
Don’t redirect from the URL
provided to another domain.
Don’t use long URLs or
complex links.
WEBSITES
Do use clean and crisp domain naming
strategies.
Do get customers used to entering
your site through the home page on
your main domain before going to
special or uniquely-named domains.
Whitepaper – How Not to Look Like a Phish
R AT I O N A L E : W H AT A P H I S H L O O K S L I K E
REASONING
Don’t let your customers get in the
habit of clicking through to someone
else’s domain to do business with you.
Use your own domain whenever
possible. Pay special attention to the
URLs used by your email vendors on
your behalf.
Phishers use redirects to make it seem
that links click through to legitimate
websites. If you need to track the
performance of an email campaign, try
to use other techniques so consumers
see clear URLs.
Many spoofed emails use long,
complex links and URLs. Clean
links are ideal.
REASONING
Complex domain names and website
URLs only confuse. Use clear naming
for domains and websites.
Customers in the habit of going to
strangely named web sites are more
likely to fall for spoofed sites. Foster
safe habits with your use of domain
and site names.
www.truste.org
EXAMPLE
Instead of using third-party or proxy
links like:
http://www.deliveryspecialist.com?redi-
rect=www.yourdomain.com
Use links directly to your domain.
Avoid links like:
http://www.yourdomain.com?fr=453&s
pid=FD234&h=2
Keep links simple. Track reference
information using cookies, or with
simple reference codes:
http://www.yourdomain.com?ref=325281
EXAMPLE
Use:
www.yourcompany.com/freepromtion.com
versus
www.x3429yourcomany.com/1jdif/pro-
motion
You are offering a special promotion
with ABC company and want cus-
tomers to go to the ABC website.
www.abc.com
Instead of directing customers to ABC
company’s website, direct them to your
web site first. www.yourdomain.com
Add an ABC company link to your
website. www.yourdomain.com/abc
This gets customers in the habit of
going to your website.
3

Technology ‘cont
TIP
WEBSITES ‘CONT
Don’t direct customers to websites by
IP address.
Don’t open new browser windows
with limited functionality.
Don’t rely on pop-up windows for
data collection, especially those with
no address bar or navigational elements.
Don’t use instant messaging or chat
with your customers unless they
initiate the communication.
PROTECTION
Don’t let cyber-squatters stake a claim.
Whitepaper – How Not to Look Like a Phish
R AT I O N A L E : W H AT A P H I S H L O O K S L I K E
REASONING
Some phishing attacks try to get
around the domain naming challenge
by simply linking to a server by its IP
address. Always use fully-qualified
domains and site names.
Customers should be afforded the
confidence that new browser windows
are authentic too. When your site spawns
a new window, make sure that the
browser address bar and navigational
buttons are provided.
Some scams pop-up fraudulent windows
over legitimate websites to lend the
pop-ups credibility. Use windows with
address bars, clear URLs, and nav i g a-
tional elements like back buttons.
Give your customers every opportunity
to feel confident they are dealing with
an authentic operation.
REASONING
Pursue cyber-squatters, including those
who exploit loop-holes in the
International Domain Name support
features. Make sure that look-alike
domain names aren’t used for
fraudulent purposes.
www.truste.org
EXAMPLE
Always identify your webservers using
their domain names – not IP addresses.
Use:
http://www.yourdomain.com
Avoid:
http://66.55.44.21
Use pop up windows with address
bars, clear URLs, and navigational
elements like back bars.
Your sales team wants to upsell new
products to current customers. Do not
initiate instant message commu n i c a t i o n s
with customers, as this is a mode of
communication frequently used by
phishers. Only allow customers to initiate
the instant message communication.
EXAMPLE
Conduct periodic domain name searches
to assess whether the company’s brand
is being exploited. Also consider 3rd
party, internet brand protection services
or tools which can gather this informa-
tion for all relevant company-related
trademarked or copyrighted names or
slogans.
4
 Whitepaper – How Not to Look Like a Phish
www.truste.org

Technology ‘cont
TIP R AT I O N A L E : W H AT A P H I S H L O O K S L I K E

PROTE CTION ‘CONT REASONING EXAMPLE

Do protect your own web sites and
applications from security threats and
vulnerabilities, such as cross-site
scripting, that can allow a scammer
to hijack elements of your site.
Cross-site scripting has been a common Contact a network security consultant,
hacker attack method for years. It is a vulnerability scanning service, or
now being used by phishers to make purchase vulnerability scanning
your site become part of the attack. software.
Regularly assess your site security to
prevent such exploits from abetting
a scam.

Do authenticate yourself.
When possible, use digital certificates
to allow visitors to authenticate your
site. This is especially true when
asking for financial or personally
identifiable information.
Use secure links for all login and data
collection pages:
https://www.yourdomain.com/regis-
ter.html

Messaging
TIP R AT I O N A L E : W H AT A P H I S H L O O K S L I K E

MESSAGING REASONING EXAMPLE

Do proofread and spell-check all
communications.
Phishing scams are often riddled with Dear Sir:
misspellings and other grammatical
Pleese update your banc informasion.
errors. Most commercial grade com-
munications go through quality checks.
Customers are looking for spelling
Make sure yours do as well.
errors. Remember to proof and
spell-check all communications.

Do be explicit with “warning” and
“immediate action required”
communications.
Spoofers frequently send emails with
“Warning” or “Immediate Action
Required” messages and consumers are
wary of responding to these messages.
Be sensitive and specific in your com-
munications in your request and always
Never send an email with an urgent,
threatening, or time-sensitive tone
such as:
“Update your password immediately
or your account will be deleted.”

redirect the individual back to your

website.

Do use clear branding.
Although some phishers can copy Use consistent branding.
company branding perfectly, others
struggle with more pedestrian branding
such as purloined logos. Use your
branding consistently so customers know
what to look for when receiving com-
munication from your organization.

5
 Whitepaper – How Not to Look Like a Phish
www.truste.org

Outreach

TIP R AT I O N A L E : W H AT A P H I S H L O O K S L I K E

METHOD REASONING

Do educate your customers and
encourage users to submit suspicious
communications.
Since you have focused time and resources into fighting phishing, let your customers
know. Communicate your practices and provide information about identity theft
and spoofing. Tell them you will never ask for their personal information via email.
Provide links on your wesite for customers to access this type of information.
In addition, encourage customers to report suspicious emails to your organization.

Do have a communication plan in place Your communication plan should include an internal and external reporting
to combat phishing. process, employee education, and organizational awareness.

You should be in communication with the employees and customers. In addition,

contact the Federal Trade Commission at spam@uce.gov (when forwarding
spoofed messages, always include the entire original email with its original
header information intact), Internet Fraud Complaint Center of the FBI at
http://www.ifccfbi.gov, Anti-Phishing Working Group at
reportphishing@antiphishing.org, and Phish Report Network at
http://www.phishreport.net.

Do communicate across all divisions of Keep the line of communication open between all of your divisions and
your organization. business units.

Do communicate across the industry. You are not alone in your struggles. Reach out to others in the industry to help
combat this problem. Contact the Anti-Phishing Working Group to find other
industry experts working to fight phishing and identity theft.

6
 Whitepaper – How Not to Look Like a Phish
www.truste.org

About TRUSTe
TRUSTe, the online privacy leader, is an independent, nonprofit organization dedicated to
enabling individuals and organizations to establish trusting relationships based on respect for
personal identity and information in the evolving networked world. TRUSTe operates the
world’s largest Web site privacy seal program providing standards and dispute resolution for
more than 1,300 Web sites.

Since 1997, TRUSTe has conducted more than 7,000 Web site privacy policy certifications.
Informed by extensive consumer attitude research, TRUSTe provides industry with pragmatic
and respectful policy guidance for Web site practices, wireless privacy, email privacy and data
security. For more information, visit www.truste.org.

About Ernst & Young

Ernst & Young, a global leader in professional services, is committed to restoring the public’s
trust in professional services firms and in the quality of financial reporting. Its 100,000
people in 140 countries around the globe pursue the highest levels of integrity, quality, and
professionalism to provide clients with solutions based on financial, transactional, compliance,
and risk-management knowledge in Ernst & Young’s core services of Audit, Tax, and
Transaction Advisory Services. Ernst & Young practices provides privacy and security services
to clients globally. More information about these services can be found at
www.ey.com/privacy and www.ey.com/security.

Ernst & Young refers to all the members of the global Ernst & Young organization.

Ernst & Young TRUSTe

Technology & Security Risk Services 685 Market Street, Suite 560
8484 Westpark Drive San Francisco, CA 94105
McLean,VA 22102 USA www.truste.org

www.truste.org
© 2005 TRUSTe. All Rights Reserved.