Anti-phishing best practices

Anti-phishing recommendations for ISPs and mailbox providers.

A new set of best practices to combat phishing has been released by the Anti-Phishing Working Group (APWG) and Messaging Anti-Abuse Group (MAAWG), to help ISPs and mailbox providers better police their infrastructures and filter the traffic traversing their networks.

The two industry groups joined forces to develop the guidelines, which include:

  • Two-way filtering of traffic to prevent phishing emails from reaching consumers and to alert ISPs and mailbox providers when their own servers are being used for sending phishing emails.
  • The use of IP blacklists to temporarily close down servers that have been co-opted for phishing attacks; the use of URL-based filters to help ISPs filter outbound customer traffic to known phishing IP addresses, domains or URLs.
  • Filtering or rejecting email if it can unequivocally be determined to be forged; disabling images and hyperlinks in email from untrusted sources.
  • Blocking access to known phishing websites during attacks.

The recommendations also highlight the importance of educating consumers to check for website certificate authenticity before submitting personal information, to report scams to the Federal Trade Commission or equivalent anti-fraud organizations, and to alert financial institutions when they are the target of phishing campaigns.

'Anti-Phishing Best Practices for ISPs and Mailbox Providers' can be downloaded from http://antiphishing.org/reports/bestpracticesforisps.pdf.

01 August 2006
