Shostack + Friends Blog Archive


On Phishing

Item: OCC Guidance on Phishing Websites. Ethan Preston writes:

The Office of the Comptroller of the Currency provided guidance for banks on appropriate countermeasures against phishing websites. The guidance provides fairly common sense advice: designate employees to respond to phishing threats, cultivate contacts with the FBI to expedite law enforcement’s response, prepare to identify early warning signs of phishing attacks, gather information about phishing attacks, and prepare to take countermeasures to mitigate the risk of phishing attacks.

Item: Last night over beer, B mentioned getting a real copy of a real email being sent to innocent customers. (B works in anti-fraud at an ISP.) The email said “Dear ISP customer, we need you to click this link and reset your password.”

Regular readers will be unsurprised to learn that B needed much beer.

With apologies to Ms. Truss, I would like to propose the number one rule of anti-phishing: “Don’t use email like a stupid person.”

Someone please ask the OCC to add this to their list. Companies invite phishing by sending big, complex, branded HTML email. Customers should not be asked to make complex decisions about email. Which means: “don’t use email like a stupid person.”
