CRM Phishing - Brand Theft

As enterprises migrate to on-demand applications, they become a new and attractive target for phishers. Previously considered a consumer threat, phishing is now aimed at an enterprise's customer list: the phisher uses that list to launch attacks against the enterprise's customers while exploiting the enterprise's brand. Many on-demand applications can send email to those customers on behalf of the enterprise, so the malicious email arrives from a legitimate sender and slips past most email defenses.

Fortunately for enterprises, there are security measures that can be taken. I co-authored a security bulletin (pdf) that describes the threat and outlines methods to reduce the risk. Strong protection can be achieved by replacing web-based password authentication to the on-demand application with one-time tokens, generated after the user authenticates with existing enterprise credentials inside the enterprise network. Remote users who want convenient access to their on-demand application can use information cards to significantly reduce their risk of being phished. This would be one of the first tangible uses of Identity 2.0 technology in an enterprise.
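To make the one-time-token idea concrete, here is an added illustration (not code from the bulletin or from any on-demand vendor) of the two halves of such a scheme: the enterprise side mints a short-lived, single-use token only after the user has authenticated internally, and the on-demand application redeems it. The HMAC shared key, the token layout (base64 JSON body plus hex signature) and the 60-second lifetime are all assumptions made for the example; the bulletin itself is not reproduced on this page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a symmetric key provisioned out of band between the enterprise
# identity provider and the on-demand application. Not from the original page.
SHARED_KEY = b"example-shared-key-between-enterprise-idp-and-saas"


def issue_token(username, key=SHARED_KEY, ttl=60, now=None):
    """Enterprise side. Called only after the user has authenticated with
    enterprise credentials inside the enterprise network; the on-demand app
    never sees those credentials, so there is nothing for a phisher to harvest
    on a fake login page."""
    now = time.time() if now is None else now
    payload = {
        "sub": username,
        "exp": int(now + ttl),            # short lifetime limits any stolen token
        "nonce": secrets.token_hex(16),   # makes each token unique and single-use
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


class TokenVerifier:
    """On-demand application side. Accepts each token at most once and only
    while it is unexpired. `redeemed` maps nonce -> expiry so that old entries
    can be pruned; in production this would be a shared store, not a dict."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.redeemed = {}

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        # Prune replay records that can no longer be replayed anyway.
        self.redeemed = {n: e for n, e in self.redeemed.items() if e >= now}
        try:
            body, sig = token.split(".")
        except ValueError:
            return None  # malformed
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered
        try:
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None
        if payload["exp"] < now:
            return None  # expired
        if payload["nonce"] in self.redeemed:
            return None  # replay: this token was already used once
        self.redeemed[payload["nonce"]] = payload["exp"]
        return payload["sub"]


if __name__ == "__main__":
    verifier = TokenVerifier()
    tok = issue_token("alice")
    print("first use :", verifier.redeem(tok))   # alice
    print("replay    :", verifier.redeem(tok))   # None
```

The security property is in what the on-demand application does not have: no enterprise password form, so a look-alike login page has nothing to phish, and a token captured in transit is dead after one redemption or sixty seconds, whichever comes first.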

With recent coverage of CRM phishing by CNET, the Washington Post and eWeek, phishers are likely to become more aware of the many target-rich enterprises on the internet, and the number of attacks will mushroom. Since recently published findings have established that brands are damaged when they are used in phishing attacks, enterprises will hopefully address the issue sooner rather than later.

3 comments

your brand can be precious to your business's success