SAN FRANCISCO – TRUSTe, an online privacy non-profit organization, and professional services firm Ernst & Young LLP have teamed up to release a guide entitled "How Not To Look Like a Phish" to help businesses reduce their exposure to phishing attacks. Phishing is the criminal act of posing as a legitimate business in digital communications to extract information such as social security numbers, credit card numbers and account numbers at financial institutions.

A recent TRUSTe/Ponemon Institute study found that 76% of respondents believe businesses bear the burden of educating the public on phishing protection, and 64% added that it is unacceptable for organizations to remain silent on the issue.

Designed to help businesses rebuild the public's trust in online communication channels, the guide recommends best practices, including eliminating pop-ups, instant messages and e-mail as tools for collecting customer information, and removing cross-site scripting flaws from a company's Web site so that attackers cannot host phishing content under the company's own addresses.

"This burgeoning threat is not only putting the finances of individuals and businesses at risk, but also undermining the basic trust that makes e-commerce and digital communication possible," said TRUSTe Director Fran Maier. "Most anti-phishing advice emphasizes the ways individuals can identify and avoid fraud, but businesses also must make it easier for their customers to distinguish legitimate from fraudulent online communications. This threat must be addressed as soon as possible by every company using online customer service."

"Companies need to avoid communicating with customers in ways that can be easily replicated by phishers," added Brian Tretick, a principal with the Technology Solutions and Risk Services group of Ernst & Young LLP. "In addition, companies must have a clear domain name strategy that makes it difficult for copycat Web sites to exist, and steps need to be taken to eliminate any application security flaws that may allow malicious hackers to hijack your own Web site addresses."
The top recommendations from the guide include the following practices:

1) Eliminate the use of instant messages and e-mail to collect customer information, unless the contact is initiated by the customer.
2) Never use an urgent, threatening, or time-sensitive tone.
3) Explicitly spell out Web site links and keep them as straightforward and descriptive as possible. Don't hyperlink words like "click here", which are commonly used to mask false Web site addresses.
4) Personalize customer e-mail with non-threatening personal data, such as a first name, so recipients know the e-mail comes from a company that knows them.
5) Direct customers to respond via your main home page as much as possible.
6) Protect your name by checking for unauthorized Web sites that use variations of your company name.
7) Authenticate your Web sites using digital certificates.
8) Be clear in communicating your anti-phishing strategy to customers.

For more information visit www.truste.com
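The following is an added example, not code from the guide or from TRUSTe or Ernst & Young: a small Python lint that applies recommendations 1, 2, 3 and 5 to an outbound HTML message and generates look-alike domains for the check in recommendation 6. The urgent-phrase list, the generic anchor words, the confusable-character map, the TLD list and both sample messages are constructed for this example; a real deployment would tune them to the company's own vocabulary and registered domains.

```python
"""Outbound-mail and brand-domain checks for the anti-phishing practices above.
Added example; rule lists and sample messages are constructed, not from the guide."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Recommendation 2: urgent or threatening tone. Phrase list is an assumption.
URGENT_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                  "will be closed", "urgent", "final notice", "verify your account")
# Recommendation 3: generic anchor words that hide the real destination.
GENERIC_ANCHORS = {"click here", "here", "login", "log in", "verify", "update"}
# Recommendation 5: the sender's legitimate hostnames (constructed).
COMPANY_DOMAINS = {"www.example.com", "example.com"}
# Recommendation 6: look-alike substitutions and alternate TLDs (assumptions).
CONFUSABLES = {"o": "0", "l": "1", "i": "l", "m": "rn", "e": "3", "a": "4"}
TLDS = ("com", "net", "org", "co", "biz", "info")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and <input> names from an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self.inputs = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "input":
            self.inputs.append((a.get("name") or "").lower())

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def audit_html_email(html, company_domains=COMPANY_DOMAINS):
    """Return the list of guideline violations found in an outbound HTML message."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    text = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in URGENT_PHRASES:
        if phrase in text:
            findings.append(f"urgent tone: '{phrase}'")
    for href, shown in p.links:
        host = urlparse(href).hostname or ""
        if shown.lower().rstrip(".!") in GENERIC_ANCHORS:
            findings.append(f"generic anchor '{shown}' hides {href}")
        if host and host not in company_domains:
            findings.append(f"link leaves company domains: {href}")
        # Visible text that looks like a URL but points elsewhere is the classic
        # phishing trick; the guide wants links spelled out and matching.
        m = re.search(r"[\w.-]+\.[a-z]{2,}", shown.lower())
        if m and m.group(0) != host:
            findings.append(f"shown URL '{shown}' does not match href {href}")
    # Recommendation 1: never collect sensitive data through the message itself.
    for name in p.inputs:
        if any(k in name for k in ("ssn", "social", "password", "card", "account")):
            findings.append(f"form collects sensitive field '{name}' in e-mail")
    return findings


def typosquat_candidates(domain):
    """Generate look-alike registrations to check (omission, adjacent transposition,
    confusable characters, inserted hyphen, TLD swap). Assumes a single-label TLD."""
    name, _, tld = domain.partition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                              # omission
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
            variants.add(name[:i + 1] + "-" + name[i + 1:])                # hyphenation
        if name[i] in CONFUSABLES:
            variants.add(name[:i] + CONFUSABLES[name[i]] + name[i + 1:])   # confusable
    variants.discard(name)
    cands = {f"{n}.{tld}" for n in variants} | {f"{name}.{t}" for t in TLDS if t != tld}
    cands.discard(domain)
    return sorted(cands)


def find_registered(candidates, resolver):
    """Return candidates that resolve. resolver is injected (socket.gethostbyname for a
    live check) so the function can be exercised offline with a fake."""
    live = []
    for c in candidates:
        try:
            resolver(c)
            live.append(c)
        except OSError:
            pass
    return live


# Constructed sample messages: one that looks like a phish, one that follows the guide.
SAMPLE_PHISHY = """<p>Dear Customer,</p>
<p>Your account will be suspended unless you verify your account within 24 hours.</p>
<p><a href="http://exarnple-secure.com/login">Click here</a> or visit
<a href="http://198.51.100.7/ex">www.example.com/login</a>.</p>
<form><input name="ssn"><input name="password"></form>"""
SAMPLE_OK = """<p>Hello Maria,</p>
<p>When convenient, sign in at <a href="https://www.example.com/">https://www.example.com/</a>
to review your statement.</p>"""

if __name__ == "__main__":
    import socket
    for f in audit_html_email(SAMPLE_PHISHY):
        print("FLAG:", f)
    cands = typosquat_candidates("example.com")
    print(len(cands), "look-alike candidates, e.g.", cands[:5])
    # Live DNS check (network): print(find_registered(cands, socket.gethostbyname))
```

Running the script flags the constructed phishy message nine times (three urgent phrases, the "Click here" anchor, two links leaving the company's domains, a displayed URL that does not match its href, and two sensitive form fields) and passes the compliant one. The candidate generator only produces names to check; resolving them, or querying WHOIS, is the step that tells you whether a copycat site actually exists.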
© 2025 ALM Global, LLC, All Rights Reserved.