Protecting Your Business From the Phishing Scam
Hopefully by now, you've learned how to protect your business from such internet dangers as viruses, worms, Trojan horses and other dastardly computer infections. But many of you may be totally unaware of the latest and greatest internet plague known as "phishing."
Phishing is the deceptive practice that involves a scam artist, known as a "phisher," sending out legitimate-looking e-mail messages that appear to be sent by well-known banks, credit card companies, online retailers and even internet service providers. The point is to trick unsuspecting people and businesses into giving out confidential financial data such as passwords, social security numbers and even bank account numbers.
Here's how a typical "phishing expedition" works:
You receive an e-mail that contains a "serious looking" subject line like these:
"Warning: You Must Update Your Account Information Immediately"
"Notice: Your Account Will Be Suspended"
The subject line may even contain the name of a real bank, credit card company or other legitimate business. Once you open the e-mail, you notice that it contains official-looking logos, graphics and other indications that the e-mail is legitimate and has been sent from the actual company named in the e-mail.
The phishing message will then tell you there's a problem with your account or service that requires you to verify certain information such as your password, account code, federal tax ID number or social security number. Or the message will ask you to click over to a website that again contains very official-looking logos and graphics. The text on the website page will similarly ask you to provide confidential information to "verify" your account information.
If you respond to the phishing e-mail or website as requested, you or your business, being the "phish," will have swallowed the bait. The phisher now has you hooked and can immediately use your confidential information to loot your bank account, run up tremendous charges on your credit cards and, in some cases, engage in complete identity theft.
Before you think that phishing isn't that big a deal, know this: Experts believe phishers are able to dupe as many as 5 percent of the people they send e-mails to, people who fully respond and give up their valuable and confidential information without a moment's hesitation.
So what can you do to prevent phishers from hooking you and your employees?
1. Be sure to alert all your employees who have internet access to be on the lookout for phishing messages. Your employees shouldn't even open the suspect e-mail but rather should immediately report it to the person in charge of technology for your company for further handling.
2. Company policy should require that none of your employees be authorized to give out any confidential or financial information over the internet without first receiving approval from you or someone you've assigned this task to. This policy would cover any "nonroutine" online banking, account or credit card inquiries or transactions that your business may make. Remember, phishers routinely hijack the names of well-known banks and credit card companies to lure people into responding, so employees should suspect even legitimate-looking e-mails.
3. Make sure your internet browser software, your internet security software, your anti-virus software and your anti-spam software are up to date at all times. One particularly nasty phishing expedition occurs when a phisher uses a virus or Trojan horse to install a "key logger" program on your computer, which allows the phisher even easier access to your confidential information.
4. Have the person who reviews your bank, credit card and debit statements be on the lookout for any unusual transactions that may be the result of a successful phishing expedition.
If you find out too late that your business was hooked by a phisher, here are some of the actions you should consider taking at once:
1. Immediately contact all your credit and debit card companies, banks and other financial institutions and, if necessary, cancel your existing accounts and open new ones. Remember that your liability for unauthorized use of your credit cards, bank accounts and other financial accounts can depend on how quickly you report the fraud.
2. Depending on just what type of information was given to the phisher, consider contacting the three major credit reporting companies (Experian, Equifax and TransUnion Corporation) to explore your options. These may include placing a fraud alert on your file and requesting a free copy of your credit report to check for any unauthorized transactions or accounts.
3. Carefully review all your current account statements and then fax or e-mail a detailed explanation of any suspicious or fraudulent activity to the vendor, bank or credit card company involved.
4. If you know or believe that the fraud is extensive, you should consider contacting local law enforcement to file a criminal report as well as the FBI's Internet Fraud Complaint Center.
Unfortunately, reports of phishing expeditions are on the rise and continue to be a real problem for many banks, credit card companies, online vendors and internet service providers, not to mention their customers. It goes without saying that you and your business should take these and other precautions to be ahead of the curve regarding this latest internet plague.
To paraphrase a once-popular ad, when a phisher drops his well-baited hook in front of your business, you should be prepared to simply say, "Sorry, Charlie."
Note: The information in this column is provided by the author, not Entrepreneur.com. All answers are general in nature, not legal advice and not warranted or guaranteed. Readers are cautioned not to rely on this information. Because laws change over time and in different jurisdictions, it is imperative that you consult an attorney in your area regarding legal matters and an accountant regarding tax matters.