
Phishing - Don’t take the Bait!

Whitepaper from ESET takes a deeper look at phishing

Bournemouth, UK (23rd August 2007) – ESET announced today its latest whitepaper “A Pretty Kettle of Phish”, which looks at how one of the most popular tactics used by criminals today has developed, and what organisations and individuals can do to protect themselves.

The whitepaper’s authors, Andrew Lee and David Harley, note that phishing gangs now operate a complex infrastructure that closely resembles any other supply and demand economy, with different departments responsible for all aspects of the business. This includes the completion of the phishing economy cycle through the purchase of legitimate goods with stolen credit cards and selling them on through spam emails. One manifestation of these money laundering activities is the mule solicitation emails that offer “financial management” jobs, which are nothing more than receiving money and passing it on further up the chain, after taking a percentage as commission.

The authors highlight that bad practice by legitimate organisations, such as unnecessary URL redirects to completely different domains, adds to user confusion and plays into the hands of criminals. In addition, the whitepaper points out that phishing quizzes, often used to educate users, can be inadequate or misleading in their attempt to point out what should be considered ‘suspicious’, bewildering users further.

“Too often in security we see a problem exacerbated by well-meant, but ill-founded advice from a wide range of sources,” says Andrew Lee, CRO of ESET and co-author of the whitepaper. “There is still confusion in abundance about the nature of phishing, but correct user education can be a great defence. Protecting individual employees against phishing may not come under the label of duty of care, but helping to prevent it allows companies to avoid the complications that can ensue when an employee is defrauded.”

As the whitepaper concludes, there is no better defence against a threat founded on social engineering and psychological manipulation than the dispelling of ignorance.

In addition, hints and useful references are given throughout the whitepaper to help further education. Although they do not guarantee to prevent a user from becoming a victim, following them will help to reduce the risk.

Top tips include:

• Create a separate email address for each specific banking account. Use that address exclusively for that activity, never publishing it anywhere or using it to send email. This gives you an easy way of checking that a message was sent to you at the correct address: if a message claiming to come from the bank arrives at any other address, regard it as highly suspicious.

• Don’t be intimidated by message headers; learn to read the basics. If the mail is not addressed to anyone, it was blind copied to you and many others, so do not trust it. If it is just addressed to ‘customer’ and yet contains sensitive information such as banking data, that suggests an inappropriate lack of personalisation.

• If you receive an email and you do have an account with the institution, but the message is not addressed using your own name or a specific identifier such as a verifiable account number, regard it as highly suspicious. If the identifier is your email address, that is still suspicious. It is trivial to insert the email address into the message. Assume that it is not genuine.

• Even when an email looks genuine, do not click on embedded URLs. If a relationship with the organisation exists, you should already have a standard login procedure; use that. If you need to contact them by phone, avoid using phone numbers included in the message. Just as web sites can be spoofed, so can telephone numbers.

• Phishing emails are often sent with a notice that urgent resolution is required. There really isn’t any reason you should need to respond to a request within 24 hours – even utility companies give you seven days’ notice before they cut you off. Urgency also works to the advantage of the phisher, who often needs a quick response before law enforcement and other countermeasures are put into place. Just hit the delete key.

The whitepaper is available to download at


About ESET

Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET’s award-winning Anti-Threat software system, NOD32, provides real-time protection from known and unknown viruses, spyware and other malware. NOD32 offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100% Awards than any other antivirus product. ESET was named in Deloitte’s Technology Fast 500 five years running, and has an extensive partner network including Canon, Dell and Microsoft.

ESET is headquartered in Bratislava, SK; and is represented worldwide in more than 100 countries. For more information, please visit or call 0845 838 0832.

PR Contact:

Sara Claridge
Marylebone Media Relations
+44 (0) 870 766 8482
+44 (0) 7968 626838 (mobile)