Phishing attacks should not be kept secret: aeCERT
Companies that have been victims of fraud need to communicate and share their experiences
Enterprises that have been victims of phishing attacks, particularly in the banking sector, must communicate with each other to combat future attacks and prevent similar security breaches at other companies, said Ali Alamadi, aeCERT incident handler and threat analyst, speaking at the IT Matrix Innovations in Online Fraud meeting held at the Al Murooj Rotana this week.
"I am very surprised when I hear that people and different organisations don't communicate information on phishing attacks. Within the banking sector you should communicate together, and we at aeCERT always encourage this. A lot of people think this is confidential, they don't want to talk about it, but don't talk about the details, talk about the experience. We have seen so many banks that have a lot of experience in this field of information security, so they need to give that information to someone else, to the new guys and through their experience learn how they can prevent and be proactive and stop online problems," he said.
According to aeCERT statistics, 56% of phishing attacks in 2010 were on local banks, 39% were on international banks, 1% were attacks on government and 4% were attacks on other businesses or institutions.
aeCERT has been proactive in educating the public and enterprise community about online threats since 2007 and is continuing to try to bring interested communities together to speak and share knowledge about the different phishing problems being seen in different sectors. However, Alamadi said that many businesses see phishing attacks as a blight on their business and believe they are the only ones facing such problems.
This attitude prevents them from learning from attacks on their business and communicating with others in the same sectors.
"People think that it is only their organisation, but everyone is being attacked, nobody can tell you 100% they have not been attacked, as security professionals we know that, but as management they don't know that. They think their organisation is the only one with this problem and no one else is facing it, so there is a gap between security professionals and management, if you can close this gap and tell the management, ‘It is not only you’, and let us learn from other attacks, then you can break that gap and try to bring them together," he said.
It is not only enterprises and management that believe phishing attacks on a company are bad for business; there is also a lot of misconception among the public, according to Alamadi. The public tend to think that if there is a phishing scam on a banking website, the bank is the problem.
"We need to tell them that a phishing attack can target any bank, the bank does not have a problem, it is you that has to be aware that a page or site is fake and anybody can create a problem and this is the message we are trying to deliver," said Alamadi.
aeCERT is running many conferences to bring people together, and Alamadi said he recommends that people join them to improve responses to phishing attacks and develop strategies to combat such attacks.
"We have a lot of roundtable discussions for different sections and sectors. You can never tell people ‘don't be embarrassed about what happened’; they will hold information to themselves. We try to encourage them to come up and speak and share information and experiences. I hope that this changes with time, but I doubt it will be perfect where everybody shares information, because it affects their reputation," said Alamadi.