Don’t Get ‘Hooked’
Phishers are starting to focus their attacks on higher ed
institutions. Here’s how to bolster your line of defense.
- By Wendy Chretien
IT’S TEMPTING TO BELIEVE that the phenomenon
known as phishing is not a big deal in the education environment.
After all, isn’t it targeted at individual consumers
using the Net? Unfortunately, this isn’t the case anymore.
To step back for a moment, a definition of phishing might
be helpful. Phishing is an attempt to hoodwink a user into
providing confidential information via the Net. Until recently,
it has mostly been in the form of e-mail “urgent notices”
that appear to be from an organization the consumer uses
(such as a bank), with instructions to click on a link and
provide some missing or incorrect information. Such info
may include Social Security numbers and other identifying
data. Yet of course, the link is not to the real organization’s
Web site, but a replica thereof. And the information input
by the unsuspecting user can be used to steal his/her
identity. Some big-time phishers sell this personal information
to other criminals who have organizations that more
effectively and quickly exploit it.
So why should higher ed institutions worry about this?
What threat d'es phishing pose? Simply put, the phishers
are getting more focused. Some are now able to make it
look as though an e-mail is coming from within your own
organization, and may pose as someone in the Student
Records office or IT. The message may have a key logging
program attached, which can capture the user’s password.
The next step is to “become” that user and gain access at
his/her level of authorization. Imagine the implications if the
phished user is a supervisor in Accounts Receivable!
Indeed, these types of attacks targeted at specific organizations,
also known as “spear phishing,” are beginning to
be reported by higher education institutions, including
the University of Kentucky (as reported in “Threat
Alert: Spear Phishing,” PC World, Nov. 2005). The federal
government (especially the Federal Trade Commission)
is starting to respond to the threat, yet as we might
surmise, this isn’t going to prevent phishing from happening
but, rather, it will set prosecution of the perpetrators
in motion—after an attack has run its course. It’s
up to us to take preventative measures.
You Can Prevent Phishing
Since phishing is a form of social engineering—dependent
upon the manipulation of legitimate users—the first
line of defense is your users. You need to educate them
that their response to a message seeking private information
should be to 1) not respond to the message, and
2) use a separate e-mail or make a call to the person
from whom the message appears to originate, verifying
the validity of the request. If users discover a message
is false, their next step should be to report it to the IT
are now targeting
ASPs Postini and
The second line of defense lies in preventative solutions.
Because phishing is a form of spam, your current
anti-spam measures should minimize phishers’ access
to your users. One example is Florida Coastal School
of Law, with a student enrollment of approximately
1,200. This relatively young institution (founded 1995)
used assistance from CDW-G to help it
select an anti-spam solution. The school ultimately implemented
Postini (www.postini.com), an application service
provider (ASP) for e-mail services. FCSL has had this service
in place for about eight months, and it is “catching a phenomenal
amount of spam,” according to Allen Smith, the
school’s director of Information Technology. Prior to Postini,
FCSL used the Microsoft Exchange
Intelligent Messaging Filter (IMF), but had to turn it off
because it caught too many legitimate e-mails, even set at the
least sensitive level. In fairness to IMF, Smith notes that a law
school deals with content that would in other cases be considered
highly “filterable.” Nevertheless, this issue has been
resolved with the Postini service. As part of the setup, FCSL
provided Postini with its e-mail records and IP addresses.
Then the college staff spent the necessary time to learn to
use and configure the service properly. While the Web interface
is very user friendly, it also has great depth, Smith
reports, so there was a significant learning curve. FCSL’s
cost for the Postini service is $32,000 per year.
Some anti-spam vendors are now releasing
products or updates that specifically target the
phishing threat. These include (in no particular
order) McAfee’s SpamKiller,
Identity Cues from Green Armor Solutions, and Cloudmark solutions. Then there are the
hosted solutions like Postini and MarkMonitor, the latter of which features
an Anti-Fraud Operations Center that
proactively pursues phishing sites and shuts
The bad guys keep adapting to risk avoidance
techniques, so consider your vulnerabilities and
phishing prevention options carefully. But for
your users’ sakes, don’t let “analysis paralysis”
postpone an implementation for long. They need
your help now to avoid being hooked (and gutted)
by the phishers.