A comprehensive answer to your question would require much more space than we have here, but there are a few general steps you should take to start. As Rachael Lininger and I detail in our book Phishing: Cutting the Identity Theft Line, the basic areas you need to consider are:
Customer education -- Your customers need to know how to recognize phishing emails, and how to prevent rootkits and keyloggers. They need to know that you will never email requests for account or other private information, like social security numbers. In addition to our book, there are many other sources for useful info on how to harden your customers' PCs, including tips and steps right here at SearchSecurityChannel. These could include employing SpoofStick-type plug-ins, using a different browser if possible (Firefox rather than IE), disabling active scripting and prompting for cookies.
Organizational education -- Your organization needs to review how it interacts and communicates with its customers, particularly how it handles email communications and presents itself on the Web. This helps your customers differentiate between appropriate and inappropriate company communications. In email communications this means not including hyperlinks or attachments, not including or asking for personal information, and never using the full name of the user.
Like any rules, these will of course be broken out of corporate necessity, but awareness of phishing, its threat and its solutions needs to be continually instilled in your customers' consciousness.
For more information, read Chapter 6, "Helping your organization avoid phishing," from Russell's book, Phishing: Cutting the Identity Theft Line.
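As an added example that is not part of the original answer, here is a small Python pre-send check that flags an outbound customer email which breaks the email rules listed above (no hyperlinks, no attachments, no personal information, no customer full name). The draft messages, addresses and the customer name are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed draft that breaks three of the rules (hypothetical addresses).
SAMPLE_DRAFT = """From: support@example-bank.test
To: customer@example.test
Subject: Please confirm your account
Content-Type: text/html; charset=utf-8

<p>Dear Jane Doe,</p>
<p>Please <a href="https://example-bank.test/verify">click here</a> and reply with your
social security number to confirm your account.</p>
"""

# Constructed draft that follows the rules: no link, no attachment, no PII, no full name.
CLEAN_DRAFT = """From: support@example-bank.test
To: customer@example.test
Subject: A note from your bank
Content-Type: text/plain; charset=utf-8

Dear customer,

You have a new message waiting in your online banking inbox. Please sign in the way
you normally do to read it.
"""

URL_RE = re.compile(r'https?://|www\.|<a\s', re.IGNORECASE)
PII_RE = re.compile(r'\b(social security|ssn|account number|password|pin)\b', re.IGNORECASE)

def lint_outbound_email(raw: str, customer_full_name: str) -> list[str]:
    """Return the policy rules a draft violates (an empty list means it is clean)."""
    msg = message_from_string(raw)
    findings = []
    body_text = []
    for part in msg.walk():                      # walk() also handles single-part mail
        if part.get_content_maintype() == 'multipart':
            continue
        # Any attachment (by disposition or by filename) is a violation on its own.
        if part.get_content_disposition() == 'attachment' or part.get_filename():
            findings.append('attachment present')
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or 'utf-8'
            body_text.append(payload.decode(charset, errors='replace'))
    text = '\n'.join(body_text)
    if URL_RE.search(text):
        findings.append('hyperlink present')
    if PII_RE.search(text):
        findings.append('requests or mentions personal information')
    if customer_full_name and customer_full_name.lower() in text.lower():
        findings.append('uses customer full name')
    return findings
```

Run the check as a gate in whatever tool drafts customer mail and refuse to send when the list is non-empty.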