No Phishing Here: Firms Developing New Antiphishing Standard
Added by Rick Robinson on Jan 30, 2012
Google, Facebook, Microsoft, and 12 other major firms are developing an antiphishing standard. The new standard is designed to protect both firms and consumers against "phishing." This widespread cyber-crime tactic exploits trusted company names and logos to trick consumers into providing the phisher with information, such as account numbers.
A protective antiphishing standard will be a boon for small and midsize businesses (SMBs), whose customers are also at risk from this exploit. The task for IT professionals at these firms will be to implement the standard across the organization.
Baited Hooks
As reported by Elinor Mills at CNET, 15 companies are announcing the establishment of DMARC.org, a name that stands for domain-based message authentication, reporting, and conformance. The participants in DMARC.org range from financial firms, whose customers are prime phishing targets, to technology companies.
Phishers send out emails that identify themselves as being from major firms. These emails can range from the crude to the highly sophisticated, with the company logo and official-sounding language. Typically the email asks recipients to "confirm" their account status by clicking on a link and then entering their account information.
Many consumers are aware that legitimate firms do not send out such emails. Savvy Web users also know that mousing over the links will often reveal URLs unrelated to the firm. But many other consumers are unaware of the risks. And because sending out phishing emails costs next to nothing, it has become a widespread exploit. Hence the significance of the DMARC.org alliance. The new specification will be submitted to the Internet Engineering Task Force for incorporation into Web standards. According to Adam Dawes of Gmail, once in place, the standard will ensure that organizations that have DMARC records "can not be domain spoofed."
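To make the "DMARC records" concrete: a domain owner publishes a DMARC policy as a DNS TXT record, and a receiving mail server checks whether the message's visible From domain is backed by an aligned SPF or DKIM pass before applying that policy. The following is an added example written for this article, not DMARC.org's or any vendor's code; the record text, domains and authentication results are constructed, and the organizational-domain helper is a simplification (real receivers consult the public suffix list).

```python
"""DMARC record parsing and receiver-side disposition (illustrative, not DMARC.org's code)."""

# Constructed record, as it would appear in the _dmarc.<domain> TXT entry.
# p=reject is the policy, adkim/aspf set alignment strictness, rua names the report address.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict and apply DMARC defaults.
    Raises ValueError when the record is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must start with v=DMARC1 and carry a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("unknown policy %r" % tags["p"])
    tags.setdefault("adkim", "r")  # relaxed alignment unless the owner says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Assumed simplification: organizational domain = last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf, dkim):
    """spf / dkim are (authenticated_domain, passed) tuples or None.
    Returns 'pass' when an aligned check passed, else the owner's policy action."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf and spf[1] and aligned(from_domain, spf[0], tags["aspf"]))
    dkim_ok = bool(dkim and dkim[1] and aligned(from_domain, dkim[0], tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

A message claiming to be From example.com but sent from an unrelated server, with no valid DKIM signature for example.com, falls through to the published `p=reject` action; that is the "cannot be domain spoofed" guarantee the article quotes.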
Making E-Commerce Safer
The standard will be a boon for every firm that deals with consumers online. Phishing, unlike "Nigerian widow" and other email scams, exploits consumer trust in established firms.
Every successful exploit thus undermines that trust, leaving consumers afraid of any email from a business. Even firms that do not keep sensitive customer account data are potential targets, since phishers can still use the company name and logo.
In the short term, as major firms enter the DMARC system, phishers may increasingly target SMBs and their customers. This should be a strong motivator for IT managers at those firms to push the front office to implement the DMARC standard and protect the company from attacks.
And with any luck, phishing will become a thing of the past.