Attention Business Editors: Security expert recommends low tech approach to phishing

December 08, 2005 (PRLEAP.COM) Business News
Toronto, December 8, 2005 /PR/ The rising threat of Internet crime has drastically changed the information security landscape in 2005. Companies all over the world are feeling the result as they struggle with the challenge of fighting an anonymous, rapidly spreading threat. In Canada, phishing emails have become frequent, with users reporting them on a daily basis.

According to a 2004 VISA survey, only 16% of Canadians were aware of the threat, yet an estimated 4%, or 200,000 email recipients, had already been victims of phishing. AOL Canada’s more recent phishing study found an even more alarming 12% clickthrough rate, indicating that the threat continues to evolve even as more people are exposed to this type of crime.

Information security expert Claudiu Popa believes that phishing is fundamentally a simple, low-tech problem that demands an equally unsophisticated but adaptable solution: “Phishing attacks are no more sophisticated than your average hoax email. They test people’s trust and abuse it by adding a credible dose of urgency to the mix. Some of the most effective protection measures include spam filtering and digitally signed emails. Most people find it amusing that others can be tricked into submitting confidential details through a fake site, but they fail to realize that social engineering has existed since the beginning of time and it is the key ingredient in many types of crime.”

According to a Gartner study, 57 million people have already received phishing emails. Like spam, phishing requires only a minute percentage of compromises to be profitable, and with hundreds of thousands of reported victims, the backlash against companies could be significant. Posing as financial companies and e-commerce firms is easiest, because these firms already have strong brands and established trust. But the resulting brand erosion and loss of market share are only the tip of the iceberg. Phishing attacks and related cybercrime are causing changes in the way companies are run. Internet service providers are seeing increased bandwidth use, added operational costs for filtering technology and an explosion in incident support costs.

“Any company that benefits from the trust of customers, or failed to protect customer records, is a potential target. The days of PayPal phishing emails riddled with typos are over. In the coming year, we will see a variety of new attack strategies including personalized emails, new domain registrations, information aggregation and added sophistication through pharming and dependence on Trojans,” Popa added. “It’s a matter of proper planning, incident response and awareness training, especially within the enterprise where corporate identity theft is a real concern.”

As president of Toronto-based Informatica Corporation, Claudiu Popa designed the company’s Security Awareness Certification (www.SecurityAwarenessCertification.com) program specifically to educate employees at all levels about evolving information security threats. “The program is designed to establish a realistic baseline of awareness across the enterprise and ensure that everyone works effectively with processes and technology to support information security efforts. Companies without security awareness training programs are seeing higher security costs and more significant security breaches because they do not have the cooperation of their employees. Companies often fail to give their staff enough credit by ignoring or excluding them from security programs, when in fact they should be relied upon to play a critical role. By certifying every employee’s knowledge, companies empower people to close security gaps using little more than common sense and vigilance.”

According to Popa, the reason for some of the panic we are seeing in the constant flow of phishing news is that criminals are changing their strategy faster than anyone can build technology to combat it. Some current strategies include automatic site takedowns, rigid spam rules, and site blocklists. “Desperate measures have no place in security. Our clients use their trusted security partner to intelligently plan defensive strategies and use existing technology that will adapt as the threat evolves over the next eight to twelve months.”

In addition to a successful security awareness program available across Canada, Informatica provides a variety of solutions to combat phishing and social engineering. These are: the executive Anti-Phishing Seminar, Confidential Decision Support and Secure Domain Management. A free corporate anti-phishing policy template and other resources are available from Informatica’s Identity Theft page at: http://www.informaticasecurity.com/anti_phishing_strategies.html.

About Informatica Corporation and InformationSecurityCanada.com

Toronto-based Informatica Corporation is Canada’s information security consulting leader. Over the past 16 years, Informatica has provided consulting, analysis, implementation and training solutions to SME and enterprise clients in diverse sectors. Informatica clients include financial organizations, government, non-profit organizations, services, manufacturing and health organizations. The Informatica group of companies offers diversified security solutions including best-of-breed commercial products, research and analysis, strategy and implementation, corporate training and security awareness certification for all corporate employees. On the web: www.InformationSecurityCanada.com and www.InformaticaEducation.com. A downloadable brochure and white papers are freely available from the Informatica Security Library at http://www.informaticasecurity.com/whitepapers.html

For media enquiries, strategic alliances and more information contact:

Claudiu Popa, CISSP, PMP, CISA
President & CEO, Informatica Corporation
416-431-9012 Claudiu@InformaticaSecurity.com
