Business identity theft needs to be an integral part of an enterprise’s comprehensive fraud detection and prevention program, says FirstGlobal’s Mohr. He suggests a multi-level approach to countering phishers and their data suppliers, including pre-employment and employment screening, ethics and integrity policies, training and awareness programs, an anonymous fraud hotline, employee education, and the creation of fraud investigation teams.
Companies are also banding together to share identity protection strategies. The Anti-Phishing Working Group (APWG) was formed last fall to serve as an information clearinghouse. The group’s 180-plus members include businesses, law enforcement agencies, technology vendors, and financial firms. “It’s a good sign that all the interested parties are joining together to fight this very serious problem,” says eBay’s Durzy.
Many companies are beginning to turn the tables on phishers by acquiring their own technical firepower. While it’s impossible to stop a phisher from stealing a company’s identity, an enterprise can at least take steps to stop phishers, employees, and former employees from breaking into corporate databases and stealing customer information. Companies such as Computer Associates International, Novell, and CoreStreet offer tools that are designed to protect business records. Additionally, by making subtle changes to their Web sites, such as adding digital watermarks, businesses can make it more difficult for phishers to set up direct copies of corporate sites.
Businesses are also starting to get help from software publishers and Internet service providers, which are beginning to offer consumer-targeted anti-phishing tools. EarthLink, for example, recently introduced ScamBlocker, a free program that’s designed to actively prevent its subscribers from disclosing information to phishers. With the software installed, users who click on an E-mail link leading to a known phisher Web site are instead redirected to an EarthLink security site.
Another anti-phishing program, available to users of any Internet service provider, is CoreStreet’s Spoofstick. This browser plug-in displays the real domain name of any site a user visits. So if a user clicks on a genuine eBay link, it will display, “You’re on eBay.com.” Click on a phisher link and the software displays something else — the site’s genuine domain name.
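An added example (not from the article and not CoreStreet's code) of the kind of check described above: reduce a link to the domain the browser will actually contact and display that. The small suffix set is a constructed stand-in for the Public Suffix List, and the sample links and function names are constructed for illustration.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: a real tool
// would load the full list instead of this three-entry set).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Reduce a hostname to its registrable domain; IP literals are returned as-is
// so the user sees that the site has no name at all.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Build the banner text for a link. The URL parser, not the visible link
// text, decides which host is contacted, so "user@host" tricks and long
// look-alike subdomains collapse to the real destination.
function bannerFor(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return "Unrecognized address";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "Not a web address";
  }
  return `You're on ${registrableDomain(url.hostname)}`;
}

// Constructed sample links: one genuine, three deceptive forms.
const SAMPLE_LINKS = [
  "https://signin.ebay.com/ws",
  "http://www.ebay.com@192.0.2.10/signin",                // name is only a username
  "http://signin.ebay.com.account-check.example/login",   // name is only a subdomain
  "https://www.ebay.co.uk.verify-login.example/",
];
for (const href of SAMPLE_LINKS) console.log(`${href} -> ${bannerFor(href)}`);
```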
While software may help slow the phishing tide, technology alone is unlikely to eradicate the problem. “There’s not a canned or off-the-shelf solution,” says Accenture’s Santoro. “Going out and buying a piece of software will not fix the problem.” So, like spam and viruses, phishing will probably be around for years to come, perhaps forever. “That’s a disquieting thought,” says Abagnale. “But it’s also a call to action for businesses that cherish and want to safeguard their identities.”
John Edwards is a freelance writer based in Gilbert, Arizona.