Question
“Help! Our company has been phished. Scamsters using our logo and a similar e-mail address to redirect our customers to a bogus knock-off of our website, are trying to get our customers to reveal personal information like PIN number and credit card details. Does anyone have any suggestions for how we can stop this? We don’t have the time or resources to fight a major war.”
Reader responses
David Petrie, David Petrie Associates, Bowmanville, Ont.
The most important thing for you to do is to communicate with your customers. I’d suggest a three-pronged approach. First, put an announcement on your website. As much as I hate pop-ups, they’re made for something like this. If that’s too strong for you, at least insert a clearly labeled link from your main page and, if you have a “News” page, you might want to post something there.
Second, do an e-mail blast to all of your customers for whom you have e-mail addresses. Be careful with this, so that it doesn’t appear to their mail servers as spam, because it’s important that the message get through.
Third, everyone in your organization who comes into contact with customers should at least mention the issue.
In all three cases, the message should be the same: ‘You, and we, have been recent victims of a phishing scam. Persons unknown have been sending e-mail to our client list inviting them to a website that appears to be ours, and asking them to provide personal financial details. Please be aware that we would never send e-mail like this, and that you should never provide that kind of information without being ABSOLUTELY SURE that the request is legitimate. If you receive e-mail that appears to be from us asking you for this information, please contact us right away.’
If yours is a large, well-known company, it’s possible that the phishers have just generated random e-mails hoping to catch some of your customers. However, I would consider whether they have gotten a customer e-mail list from you somehow. If this is even a remote possibility, you should review your security policies and those of your Web hosting service. I can envision a couple of things that may have happened.
First, if the information is on your Web server, it may have been hacked. Your hosting company may be able to provide records that will help you determine whether this has happened, and at least identify the offending IP address. The police may be able to take action based on this information (phishing is fraud, and fraud is a crime, after all).
Second, if the information is only on your internal systems, they may have been hacked. If you have firewall protection, you may be able to go through the firewall logs to identify the hacker. If you don’t have any firewall, it’s time to get one. As a minimum, each PC that is connected to the internet should have a software firewall installed. To go further, you can purchase a hardware firewall through which all internet traffic is routed. If you have a broadband router, it should have some kind of elementary firewall — make sure it is enabled.
Third, the hack may be the result of a virus, trojan, worm or some other kind of ‘scumware’. You should ensure that you have an up-to-date antivirus solution and run it on each PC (including servers, if you have them in-house). Also, find a good scumware detection program and run it on each PC. It’s probably a good opportunity to do an audit of what is actually installed on each machine, to pick up any suspect programs.
Fourth, you may have a disgruntled employee who has either provided the information to the phishers or is the phisher him / herself. The software audit may help identify the culprit. Also, visit the offending site, determine the domain name, and do a ‘who is’ lookup on it to see who owns and operates the site. If you keep logs on your mail server, and the problem is an employee, you may also be able to identify e-mail traffic from that individual to those who have been affected.
If you identify the site owners, you may want to contact their hosting company and advise them that they are providing hosting services to a company or individual involved in a phishing scam. Ask them politely to take the site down. Reputable providers should be willing to do this.
Have a question for your fellow entrepreneurs? Send it to Peer-to-Peer.
Watch for another Peer-to-Peer Poll in the next PROFIT-Xtra.
