Companies that are concerned about their customers being attacked with phishing scams should CLEARLY and frequently announce or publish their policy on customer communications. My satellite service provider, for example, sends out an e-mail saying "We will never contact you and ask you for credit card information or account information. If there is a problem with your account you can contact us via the support number listed on our website... etc.", according to Marcus Ranum.
Ed Skoudis agreed with that and went into some further detail, defining the following five steps that companies can take to protect their customers and try to ensure they are not targeted by phishing scams:
- Never EVER EVER send unsolicited e-mail to clients asking them for their userID and password, or having them login to the site. They should have a strict policy about this.
- Educate your users about the policy above.
- Make it easy for users to report phishing scams, and work diligently to get phishing sites shut off. Typically, you can work with the ISP that gives the phishing website Internet connectivity.
- Keep your web application secure. We're starting to see Cross-Site Scripting attacks used in conjunction with phishing, so make sure your XSS defenses are sound.
- A popular attack lately is to direct the user to a legit site, and then pop a frame up on top of that site that belongs to the phisher. Prevent phishers from popping frames up on top of your legit pages to fool users, by incorporating this script at the top of every page you serve:
<script>
// Redirect only when this document is not the top-level one. Testing
// top.frames.length instead would also fire on a top-level page that
// legitimately contains its own frames, reloading it forever.
if (top !== self) { top.location.href = self.location.href; }
</script>
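The two web-application points in the list above (sound XSS defences, and refusing to be displayed inside a phisher's frame) as an added example; this is not Skoudis's code or the original post's snippet. The frame check is factored into plain functions so it can be exercised outside a browser, and the `window` objects passed in are constructed stand-ins. It also shows the header-based counterpart (`X-Frame-Options` and a CSP `frame-ancestors` directive) that a server should send alongside the script, because the framing page can disable scripts in the iframe it embeds.

```javascript
// Added example, not from the original post. Window objects are constructed
// stand-ins for the browser's `window` so the logic runs stand-alone.

// 1. Output encoding: untrusted text is HTML-escaped before it is written into
//    a page, so a phisher cannot inject markup or script through it.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Frame-busting: the page insists on being the top-level document.
//    The test is `top !== self`, not `top.frames.length > 0`: a top-level
//    page that legitimately contains iframes would otherwise reload forever.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (err) {
    // Some environments throw on any access to a cross-origin `top`;
    // treating that as "framed" is the safe assumption.
    return true;
  }
}

function bustFrame(win) {
  if (!isFramed(win)) return false;
  // Assigning to top.location is permitted even when the parent is
  // cross-origin; it replaces the framing page with our own URL.
  win.top.location.href = win.self.location.href;
  return true;
}

// 3. Header-based equivalent the server should send as well: a script-based
//    check cannot run if the framing page embeds us with a sandboxed iframe
//    that disallows scripts. Returns plain header name/value pairs.
function frameProtectionHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed window stand-ins for a stand-alone run.
function demo() {
  // A page loaded directly: top and self are the same object.
  const topLevel = { location: { href: 'https://bank.example/login' } };
  topLevel.self = topLevel;
  topLevel.top = topLevel;

  // The same page loaded inside a frame owned by another (constructed) site.
  const framingTop = { location: { href: 'https://phisher.invalid/fake-login' } };
  const framedPage = { location: { href: 'https://bank.example/login' } };
  framedPage.self = framedPage;
  framedPage.top = framingTop;

  return {
    topLevelBusted: bustFrame(topLevel),        // false: already top-level
    framedBusted: bustFrame(framedPage),        // true: navigation requested
    framingTopNow: framingTop.location.href,    // our URL after busting
    escaped: escapeHtml('<script>alert(1)</script>'),
    headers: frameProtectionHeaders(),
  };
}

console.log(demo());
```

`escapeHtml` covers the five characters that matter in HTML text and attribute contexts; output placed into JavaScript, URLs or CSS needs context-specific encoding instead, and a templating library that does this automatically is preferable to calling the function by hand.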