<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; Phishing</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/phishing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Three data protection strategies to catch a “phish”</title>
		<link>http://www.experian.com/blogs/data-breach/2012/07/31/three-data-protection-strategies-to-catch-a-phish/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/07/31/three-data-protection-strategies-to-catch-a-phish/#comments</comments>
		<pubDate>Tue, 31 Jul 2012 23:38:11 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1509</guid>
		<description><![CDATA[Phishing attacks, despite their long history, continue to be one of the greatest threats to data security. More than 200,000 new viruses are discovered every day, according to malware experts, and they’re usually out of circulation by the time they’re detected. So how does an organization protect data from vicious phishing and spear-phishing attacks? Here’s [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/07/phishing11.jpg"><img class="aligncenter size-full wp-image-1523" title="phishing1" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/07/phishing11.jpg" alt="" width="500" height="334" /></a></p>
<p>Phishing attacks, despite their long history, continue to be one of the greatest threats to data security. More than 200,000 new viruses are discovered every day, according to malware experts, and they’re usually out of circulation by the time they’re detected.</p>
<p>So how does an organization protect data from vicious phishing and spear-phishing attacks?</p>
<p>Here’s a comprehensive data loss protection plan:</p>
<p><strong>1) Protect your organization’s computers. </strong>Shop for the newest software that provides spam filters, firewalls, anti-virus, anti-spyware and reputation services. Look for data protection programs that offer automatic updates and free patches from manufacturers to fix problems.</p>
<p><strong>2) Consider hiring a vendor that specializes in software data security. </strong>Data security firms can go beyond traditional data protection programs and conduct audits to determine your risk for phishing and data breach. They can isolate emails that have been quarantined and scan outbound emails to see if any data has been extracted outside of your organization. As experts, they can also provide technical support with the latest email data security technology. Be careful, however, not to overlap your own software with that provided by the vendor or you may be spending too much.</p>
<p><strong>3) Educate your computer users. </strong>Data security software is far from foolproof, so perhaps the most important cyber security strategy is to keep educating your users. Remind them:</p>
<ul>
<li>To be suspicious of emails with generic salutations, typos or those that try to create a sense of urgency.</li>
<li>Not to open attachments they aren’t expecting. If the attachment looks legitimate, ask your users to call the person to verify that they really did send it.</li>
<li>To be wary of email links. Instead of clicking on the link, users may want to visit the website manually by typing the address into their browser. They can also check a link by hovering their mouse over it to see where it actually leads.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/07/31/three-data-protection-strategies-to-catch-a-phish/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five top trends in security threats</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 18:09:30 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[smishing]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=941</guid>
		<description><![CDATA[Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie. ]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/crime-scene-data-security.jpg"><img class="aligncenter size-full wp-image-944" title="crime-scene-data-security" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/crime-scene-data-security.jpg" alt="" width="500" height="375" /></a></p>
<p>Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study <a title="Symantec Security Threat Report" href="http://www.symantec.com/threatreport/topic.jsp?id=highlights" rel="nofollow" target="_blank" class="broken_link"> Internet Security Threat Report </a>offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.</p>
<p>According to Symantec, here are the top five threats to beware of:</p>
<p>1. Targeted attacks continue to evolve.  While <a title="Blog Post - How hackers find their targets" href="http://www.experian.com/blogs/data-breach/2011/09/06/how-hackers-find-their-targets/" target="_blank">targeted attacks </a>on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked to specifically gain access to their intellectual property.  A prominent example of this would be last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China.  Given that this attack wouldn’t have been successful without convincing recipients that links and attachments in an email were from a known source, the lesson for future attackers is that the biggest security vulnerability to exploit is our trust of friends and colleagues.</p>
<p>2. Social networks + social engineering = compromise.  Hackers are getting better at learning who we are through social media outlets and posing as friends.  So-called <a title="Blog post - Tips to implement an effective social media policy" href="http://www.experian.com/blogs/data-breach/2011/07/05/tips-to-implement-an-effective-social-media-policy/" target="_blank">social engineering attacks </a>are becoming more sophisticated and harder to detect.</p>
<p>3. Hide and seek (zero-day vulnerabilities and rootkits).  In order to be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible.  So-called “zero-day vulnerabilities” help hackers maintain a game of hide and seek.  Zero days occur when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks is worse than the reality.  Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, are also helpful in keeping hackers undetected.</p>
<p>4. Attack kits get a caffeine boost.  Hackers are profiting from security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy.  Symantec believes that these kits played a role in creating over 286 million variants of malware last year.</p>
<p>5. Mobile threats increase.  With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a <a title="Blog post - mobile smishing attacks are on the rise" href="http://www.experian.com/blogs/data-breach/2010/12/21/mobile-smishing-attacks-are-on-the-rise/" target="_blank">platform for fraud</a>.   Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.</p>
<p>Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year of the breach: 2011 in review</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 23:24:20 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=888</guid>
		<description><![CDATA[Several high-profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers’ information was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers’ PII.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg"><img class="aligncenter size-full wp-image-891" title="usb_data_breach_laptop_610" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg" alt="Business person inserting usb into laptop" width="610" height="407" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the <a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org/" target="_blank" class="broken_link" rel="nofollow">Identity Theft Resource Center</a> (ITRC).</em></p>
<p>The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”.  Several high-profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of <a href="http://www.shutterfly.com/home/myshutterfly.sfly" class="broken_link" rel="nofollow">consumers’ information</a> was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers’ PII.</p>
<p>More and more entities are now tracking data breach occurrences by:</p>
<ul>
<li>Industry sectors (categories): business, educational, government, medical, financial</li>
<li>Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen. In some cases, discarded paper documents.</li>
<li>Various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published</li>
</ul>
<p>While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences.  Differing filters applied by each monitoring entity as to what qualifies as a data breach on any given list create some divergence in comparison of breach lists.  These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records have been compromised (e.g., 10 or 500 minimum).</p>
<p>Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed.  Many breach analysts consider “records” to be those persons whose sensitive <a href="../2011/09/27/ensuring-the-security-of-personal-identifiable-information/">personal identifying information</a> (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers, has been exposed.  How, then, does one account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?</p>
<p>Many <a href="../2011/09/06/how-hackers-find-their-targets/">hacking incidents</a> this past year didn’t target personal identifying information, but instead focused on email addresses, passwords and other pieces of non-sensitive personal information.  The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII.  Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers?  As of now, most state laws do not include non-sensitive personal information as triggers for breach notification; therefore, there is no obligation to report the incident.</p>
<p>&#8220;The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,&#8221; says Lisa Sotto, a managing partner for New York-based law firm Hunton &amp; Williams, in a recent interview with BankInfoSecurity.  &#8220;But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.&#8221;</p>
<p>The challenge then for the incident response team is determining if a breach notification is required.  If so, “what happened?”, “who needs to be notified?”, “what specifics are required?”, “when do we do it?”, “how did it happen?”, and “what have we done to make sure it won’t happen again?”  The answers to these questions should all be part of an established Breach Response Plan.  Other pieces of this plan should include best practice protocols, procedures, corporate training guidelines and employee education.  In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information.  A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.</p>
<p>Another important issue to consider in your company’s <a href="http://www.shutterfly.com/home/myshutterfly.sfly" class="broken_link" rel="nofollow">incident response plan</a> is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so.  Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs.   Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are we suffering from breach notification fatigue?</title>
		<link>http://www.experian.com/blogs/data-breach/2011/05/03/are-we-suffering-from-breach-notification-fatigue/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/05/03/are-we-suffering-from-breach-notification-fatigue/#comments</comments>
		<pubDate>Tue, 03 May 2011 15:25:22 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[2011 Data Breaches Investigations Report]]></category>
		<category><![CDATA[breach notification fatigue]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Sony PlayStation breach]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=546</guid>
		<description><![CDATA[With numerous different breaches affecting so many people as of late, millions of consumers are receiving emails from trusted brands noting that customer emails (and perhaps other information) have been compromised, so consumers should be wary of future emails that may appear to be sent from them.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/05/Phishing2.jpg"><img class="aligncenter size-full wp-image-559" title="Phishing" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/05/Phishing2.jpg" alt="" width="480" height="399" /></a></p>
<p>It seems as though every day the news headlines trumpet another high-profile data breach.  The most recent marquee breach is courtesy of a Sony PlayStation Network hacker, whose <a rel="nofollow" href="http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426" target="_blank" class="broken_link">attack</a> on the Sony and Qriocity servers between April 17th and 19th has compromised the personal data and, possibly, stored credit card information of 77 million players.  (Yes, you read that right; 77 million.)  Combine that with other recent cyber-heists affecting millions of unsuspecting consumers or residents, and many organizations have been forced to send out a dizzying array of <a href="http://www.experian.com/blogs/data-breach/2011/03/01/get-ready-for-a-new-wave-of-breach-notification-laws/" target="_blank">email notifications</a> to their customer base, many – if not all – of whom are now vulnerable to spear-phishing attacks.</p>
<p>With numerous different breaches affecting so many people as of late, millions of consumers are receiving emails from trusted brands noting that customer emails (and perhaps other information) have been compromised, so consumers should be wary of future emails that may appear to be sent from them…like the one they’re reading now.</p>
<p>Got that?</p>
<p>This begs the question of whether customers are starting to tune out the onslaught of breach alerts flooding their email in-boxes.</p>
<p>Some security gurus believe that notifications aren’t effective and customers become numb to these alerts.  Others are convinced that breach information overload is a good thing, educating people to the dangers lurking in the cybershadows and their vulnerability to <a href="http://www.experian.com/blogs/data-breach/2011/02/15/10-ways-that-breaches-burn-business/" target="_blank">identity thieves</a>.  After all, how do you know to watch out for email “bait” if you’re not aware there’s a phishing hook with your name on it?</p>
<p>Furthermore, the flip side of over-notification is under-notification.  This is something that Sony is now being accused of in a <a rel="nofollow" href="http://www.pcworld.com/article/226478/sony_sued_over_psn_data_breach_failure_to_disclose.html" target="_blank" class="broken_link">lawsuit</a> that claims the company waited too long to notify its PlayStation customers of the recent breach, which only exacerbated customer vulnerability to credit card fraud.</p>
<p>The irony is that while the dramatic breaches of late have been stealing headlines (as well as data), a <a rel="nofollow" href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf" target="_blank" class="broken_link">2011 Data Breaches Investigations Report by Verizon</a> indicates that total thefts from data breaches have in fact declined significantly over the past few years.  The total number of records actually compromised from these breaches was a “mere” 4 million in 2010, quite a drop from the 144 million records compromised in 2009, and the 361 million compromised records in 2008.  The bad news?  If you look at actual data breaches versus compromised records, the <a rel="nofollow" href="http://blogs.smartmoney.com/paydirt/2011/04/20/cyber-crime-break-ins-are-up-but-theft-is-down/?mod=SMBlog" target="_blank" class="broken_link">numbers this year are up</a>; 760 breaches last year, an increase from 141 in 2009.</p>
<p>The bottom line: while fraudsters haven’t been able to recently score as much cyber-loot as in times past, this is <a rel="nofollow" href="http://www.esecurityplanet.com/news/article.php/3931496/article.htm" target="_blank" class="broken_link">no time to relax</a>.  Just be aware that with the steep increase in breaches comes an equally steep increase in breach notifications, and the associated risk that breach notification fatigue will put your customers to sleep.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/05/03/are-we-suffering-from-breach-notification-fatigue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tax time scams: adding to the joy</title>
		<link>http://www.experian.com/blogs/data-breach/2011/04/05/tax-time-scams-adding-to-the-joy/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/04/05/tax-time-scams-adding-to-the-joy/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 17:12:47 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[IRS]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[ProtectMyID survey]]></category>
		<category><![CDATA[tax fraud]]></category>
		<category><![CDATA[tax time scams]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=466</guid>
		<description><![CDATA[More than 1500 tax scams reportedly target consumers and businesses through hundreds of thousands of scam emails; many use phishing to fool anxious taxpayers into visiting a scam website or providing personal and financial data in order to comply with tax filings. Protecting yourself starts by getting smart about common scams.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/04/tax-evaders-india_26.jpg"><img class="aligncenter size-full wp-image-467" title="tax-evaders-india_26" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/04/tax-evaders-india_26.jpg" alt="" width="400" height="307" /></a></p>
<p>As if there wasn’t already enough to look forward to at tax time, throw another fun fact on the pile: fraudsters go into overdrive this time of year.  Amidst the busy hubbub, with distracted taxpayers firing off a flurry of sensitive information through what are sometimes less-than-secure means, tax season might as well be Christmas for scam artists grabbing the “gifts” of stolen identities and other sensitive data.</p>
<p>More than <a rel="nofollow" href="http://idtheft.about.com/od/preventionpractices/a/TaxTimeIDT.htm" target="_blank" class="broken_link">1500 tax scams</a> reportedly target consumers and businesses through hundreds of thousands of scam emails; many use <a href="http://www.experian.com/blogs/data-breach/2010/11/16/phishing-attacks-threaten-your-business/" target="_blank">phishing</a> to fool anxious taxpayers into visiting a scam website or providing personal and financial data in order to comply with tax filings.  Some scams specifically target businesses; for example, several popular scams are directed specifically at medical professionals.  Protecting yourself starts by getting smart about common scams and <a rel="nofollow" href="http://www.foxbusiness.com/personal-finance/2011/03/29/beware-tax-scams-tax-season/" target="_blank" class="broken_link">the rules of the road</a> – such as the fact that the IRS never requests sensitive information online.</p>
<p>A recent survey conducted by Impulse Research Group for Experian ProtectMyID<sup>TM</sup> illustrates the general lack of awareness about this vulnerable time for data theft.  Forty-eight percent of respondents admit that they store their tax documents in an unsecure place, and 89% of those who use a tax professional or service are not concerned about their accountant losing their financial information.</p>
<p>The survey yielded some <a rel="nofollow" href="http://businessnewsexpress.com/identity-theft-rampant-at-tax-time/8777522/" target="_blank" class="broken_link">key cautionary tips</a>, which consumers and businesses would be wise to follow as they face the hazards of tax time:</p>
<ul>
<li>Enjoy the convenience of filing online, but don’t forget to protect your financial security by keeping antivirus settings up to date, deleting cookies after submission, and doing due diligence about the security of any online tax service.</li>
<li>Don’t think you’re safe just because you’re filing by hard copy; make sure you send all tax documents by Certified Mail and store tax documents in a secure, locked place.  Shred any unneeded documents.</li>
<li>Don’t assume that using an accountant protects you from identity theft; make sure that your accountant is taking the same precautions to protect your data that you should on your own.</li>
</ul>
<p>During this time when fraudsters are in full force, just remember to remain vigilant about keeping your most sensitive data out of the hands of anyone besides your tax advisers and Uncle Sam.</p>
<p>You can also find more information about tax-related business and consumer identity theft <a href="http://www.experian.com/data-breach/tax-day.html" target="_blank">on the Experian® Data Breach Resolution website</a>.<span id="_marker"> </span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/04/05/tax-time-scams-adding-to-the-joy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Scam report: shipping pirates</title>
		<link>http://www.experian.com/blogs/data-breach/2011/03/15/scam-report-shipping-pirates/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/03/15/scam-report-shipping-pirates/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 16:00:14 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[FedEx]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[shipping account fraud]]></category>
		<category><![CDATA[Shipping scams]]></category>
		<category><![CDATA[UPS]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=341</guid>
		<description><![CDATA[With some precautions, your business can safely navigate through hazardous shipping channels without fear of data piracy.]]></description>
			<content:encoded><![CDATA[
<p>In the first of our ongoing series on scams to beware of, we call your attention to a con that leverages the trusted names of FedEx and UPS to rip off your business and customers.</p>
<p>The fraud works a couple of ways:</p>
<p>Scenario #1: Your customers are asked to click on an attachment with details of an alleged shipment.  Rather than any package, your customers receive a <a rel="nofollow" href="http://www.scambusters.org/upsscam.html" target="_blank" class="broken_link">virus.</a></p>
<p>Scenario #2: Fraudsters get hold of your UPS or FedEx accounts and then use this information to <a href="http://www.scambusters.org/shippingscams.html" target="_blank" class="broken_link" rel="nofollow">wreak havoc</a> on your business and customers.  It’s not too difficult to access account information; in the case of UPS, account numbers are printed right on the shipping label.  Alternatively, thieves can hack into your company databases or, if they’re employees, simply obtain this information from employers, who often freely distribute shipping account data.  Crooks then use the accounts to ship drugs and stolen products throughout the country, or send out fake advance payment checks to your customers, who are asked to first wire money as a part of the process.</p>
<p>The <em><a rel="nofollow" href="http://www.chicagotribune.com/business/ct-met-shipping-fraud-20100805,0,19611.story" target="_blank" class="broken_link">Chicago Tribune</a></em> has reported a national increase in this scam, and notes that although UPS and FedEx work hard to investigate all fraud complaints and reimburse consumers, law enforcement officials tend not to investigate these crimes because they’re difficult to solve and often don’t involve high enough amounts of cash to make it worth their while.  Further, companies often don’t even realize they’ve been scammed if they don’t closely monitor their account records.  In the end, the loss of profits and consumer confidence, along with the employee productivity spent repairing the damage, makes these scams a huge headache for business owners.</p>
<p>What can businesses do to protect themselves?</p>
<p>1. Carefully guard your shipping account information and be careful about how this sensitive data is handled.</p>
<p>2. Keep close track of your accounts with your shipping vendors.</p>
<p>3. <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">Alert customers</a> when there’s been a breach so they understand how to be on the lookout for future scams.</p>
<p>With some precautions, your business can safely navigate through hazardous shipping channels without fear of data piracy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/03/15/scam-report-shipping-pirates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile smishing attacks are on the rise</title>
		<link>http://www.experian.com/blogs/data-breach/2010/12/21/mobile-smishing-attacks-are-on-the-rise/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/12/21/mobile-smishing-attacks-are-on-the-rise/#comments</comments>
		<pubDate>Tue, 21 Dec 2010 16:48:44 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[mobile threats]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=250</guid>
		<description><![CDATA[Mobile devices are important tools to efficiently manage a business and to quickly meet the needs of a customer.  Think about the hit in productivity you’d take if you lost your smart phone or PDA.  Several weeks ago I wrote about the importance of implementing a wireless data policy to protect employee account data from [...]]]></description>
			<content:encoded><![CDATA[
<p>Mobile devices are important tools to efficiently manage a business and to quickly meet the needs of a customer.  Think about the hit in productivity you’d take if you lost your smart phone or PDA.  Several weeks ago I <a href="http://www.experian.com/blogs/data-breach/2010/09/07/does-your-company-have-a-wireless-device-data-policy-in-place/" target="_blank"><span style="text-decoration: underline;">wrote about</span></a> the importance of implementing a wireless data policy to protect employee account data from being used to defraud a company.  However, a recent warning issued by the FBI’s <a href="http://www.ic3.gov/default.aspx" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">Internet Crime Complaint Center</span></a> points to another danger associated with mobile devices.</p>
<p>Cybercriminals have been increasing their attacks on mobile devices through SMS text messages and fraudulent voice messages.  These tactics are very similar to traditional email phishing scams and ask the recipient to respond to verify an address, credit card number or other form of PII.  <a href="http://www.networkworld.com/community/node/68980" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">For example</span></a>, through a process called smishing, a mobile subscriber receives a text message that states, “ABC credit card is confirming your purchase” and asks the user to visit a URL or call a phone number to verify a credit card number.</p>
<p>Obviously these attacks have serious implications for employees on a personal and professional level.  The <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank"><span style="text-decoration: underline;">financial impact</span></a> to a company could be huge if an employee innocently provided a corporate bank account number as a response to a fraudulent SMS text message.</p>
<p>Fortunately, there are <a href="http://www.cmswire.com/cms/enterprise-20/mobile-enterprise-prevent-identity-theft-and-wire-tapping-009414.php" target="_blank" class="broken_link" rel="nofollow"><span style="text-decoration: underline;">several steps</span></a> employees can take to avoid becoming a victim. For example, you can advise employees not to respond to text messages or automated voice messages from unknown or blocked numbers.</p>
<p>Advise your employees about these potential dangers before any damage is done.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/12/21/mobile-smishing-attacks-are-on-the-rise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing attacks threaten your business</title>
		<link>http://www.experian.com/blogs/data-breach/2010/11/16/phishing-attacks-threaten-your-business/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/11/16/phishing-attacks-threaten-your-business/#comments</comments>
		<pubDate>Tue, 16 Nov 2010 16:24:28 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=211</guid>
		<description><![CDATA[Phishing attacks are on the rise.  According to a Panda Security investigation, scammers are creating 57,000 fake websites a week to falsely represent 375 popular brand names.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/11/iStock_000002440482XSmall.jpg"><img class="aligncenter size-full wp-image-212" title="Man's hands on the keyboard of laptop" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2010/11/iStock_000002440482XSmall.jpg" alt="" width="425" height="282" /></a></p>
<p>Hopefully very few of us have fallen victim to a phishing scam, but we’ve come across these scams or heard about them in the media. Fortunately, because of this awareness, less than 1% of customers are being fooled by these nefarious attempts, according to a recent <span style="text-decoration: underline;"><a href="http://" target="_blank">report</a> </span>that focused on customers of major US and European banks. However, of those who were lured to these phishing sites, 45% entered their personal information, resulting in up to $9.4 million in losses.</p>
<p>Phishing attacks are on the rise.  According to a Panda Security <span style="text-decoration: underline;"><a href="http://www.eweek.com/c/a/Security/Internet-Scams-and-Phishing-A-Look-Inside-the-Business-547424/" target="_blank" class="broken_link" rel="nofollow">investigation</a></span>, scammers are creating 57,000 fake websites a week to falsely represent 375 popular brand names. As you can imagine, this large volume of phishing scams has serious implications for businesses as they strive to shield sensitive data from <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">data breach</a> and protect their customers from misrepresentations of their business.</p>
<p>A recent <a href="http://" target="_blank"><span style="text-decoration: underline;">study</span></a> by SpamTitan found that 75% of IT managers responded that the biggest source of phishing attempts for business users is email spam. An employee may receive an email that appears to be from a legitimate source requesting personal or sensitive business information.  When the employee clicks the link, that action may trigger the download of malware that could access or destroy sensitive data.  As phishing attacks present a clear danger to businesses, it is very important that company leadership establishes and implements strict network security measures to filter spam.</p>
<p>Another effective tool to fight phishing is to <span style="text-decoration: underline;"><a href="../../../data-breach/cyber-security.html" target="_blank">know the facts</a></span> and <span style="text-decoration: underline;"><a href="http://websearch.about.com/od/dailywebsearchtips/qt/dnt0810.htm" target="_blank" class="broken_link" rel="nofollow">educate</a></span> the workforce on how to avoid falling victim to these scams.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/11/16/phishing-attacks-threaten-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>