phishhook

The Indiana University Phishing group, with its multi-faceted set of members, has the competence and knowhow to analyze threat situations and make recommendations for how you should best deal with current threats as well as the likely threats your clients will face tomorrow. Consider the following questions, and let us know if you would want us to review your unique threat situation:

How do you communicate with clients? Are you facilitating phishing attacks by using techniques that can easily be abused -- whether technically or psychologically -- by phishers? If you are communicating by email with your clients, do your messages get stuck in your clients' spam filters? Do your clients know the messages are from you, or do they fear that they are inauthentic? Do you authenticate yourself to your clients in an appropriate manner? Are your email templates appropriate from a security point of view? Do you ever request clients to call a toll-free number to respond to requests for information? Whether you do or not, what if an attacker does?

To what extent do you rely on educational measures? What do you assume about your clients? To what extent do your clients follow your recommendations? Do you cause contradictions by requesting that they never respond to unsolicited emails and never click on links, and then send unsolicited emails with clickable links? Can some of your educational efforts be counter-productive, making clients who follow them to the letter more susceptible to cleverly crafted attacks that are designed with your educational attempts in mind?

Do you benefit from suitable industry collaboration to shield your clients from threats? How can filters against phishing, spam and malware be augmented to provide better and faster protection of clients? What risk assessment measures are in place to determine when your clients are under attack? Are you able to single out high-risk users and flag suspicious operations for scrutiny?

What do you do to proactively defend against attacks that are happening to your competitors' clients? What do you do to anticipate what attacks may strike your clients next? What can you do? During times with fewer or less serious attacks, do you consider the problem of phishing no longer a problem, or do you take advantage of the relative peace to prepare for the next wave?

An example of our efforts is available at security-cartoon.com, and the methodology is explained in our recent paper.