One of the defining characteristics of a takedown provider is its ability to detect phishing sites. Through various approaches, takedown vendors have defined their strategies for detection of malicious emails - either building up their own spam traps, pulling data from third-parties like the Anti-Phishing Working Group, partnering with mail service providers, or even acquiring other organizations. While these approaches are often successful, in that they detect a significant number of phishing attacks, they are still incomplete, and often are missing a non-negligible amount of phish.
To close the gap between your takedown providers’ detection methods and the actual number of phishing attacks out there, you should be considering implementing ABF.
What is ABF?
ABF is a simple, easy-to-implement approach to automating the delivery of suspect emails or URLs from your customers to your takedown vendor. Simply set up a mail rule for your customer-facing reporting address (usually a variation of phishing@ or email@example.com) to distribute the email to your vendor, and have them action everything 24/7 as needed. Without ABF, this process is entirely manual - customer emails your abuse box a suspicious message, you have someone at your SOC review the email for phishing content, then manually forward the email (or extract the URL and forward it) to your takedown vendor for action. Additionally, implementation of ABF can help your organization meet FFIEC guidelines on Incident Response.
Every BrandProtect Identity Theft contract comes with ABF included at no extra cost, however some customers have not yet implemented it, for various reasons - some don’t have a fraud-related reporting address (only general “contactus@” type distribution lists), some only get rare reports, and can handle the workload themselves. Currently 90% of BrandProtect Identity Theft customers have ABF in place, with varying levels of complexity - most have taken the approach outlined above, though some have taken extra steps to ensure that customer data is not included in the forwarding. These extra steps include systematically parsing the message and flagging any that contain PII to be manually reviewed prior to forwarding, or extracting the URLs from submitted emails and only forwarding those to the takedown provider.
Regardless of the level of complexity implemented, our customers have seen significantly reduced response times (time between detection to initiating takedown action to successful takedown) to newly-reported phishing sites, as well as freed up internal manpower to focus on other, more pressing tasks than reviewing email. In some cases, these savings equate to an entire FTE, meaning implementation of a mail rule could result in upwards of 75% cost reductions!
Saving you time and money - isn’t that what you pay your takedown partner to do?