There are a few ways enterprises can prevent the phisher from contacting their employees in the first place.
Standard email anti-SPAM security technologies work fairly well at limiting the number of phishing emails that get through to a potential victim. There are a variety of services, software, and appliances that address this multibillion-dollar market. Just a few of the commercial software and service offerings in this space include:
Cloudmark (http://www.cloudmark.com)
McAfee (http://www.mcafee.com)
Microsoft (purchased FrontBridge) (http://www.microsoft.com/exchange/services)
MX Logic (http://www.mxlogic.com/)
Sophos (http://www.sophos.com)
Symantec (http://www.symantec.com)
Trend Micro (http://www.trendmicro.com)
As we covered in the previous chapter, SPIT is a social issue that enterprises have limited ability to affect. Some solutions are the responsibility of the larger VoIP (and SIP) community. If the VoIP community does not work together to address SPIT before it is a big issue, enterprises will be forced to adopt "traditional" mitigation strategies, which are expected to be similar to those adopted for other voice security issues and/or email SPAM. Some of the countermeasures the VoIP community and enterprises can take are discussed at the end of the previous chapter and include measures such as authenticated identity, enterprise SPIT filters, black and white lists, and audio content filtering.
Besides user education, there's really not much an enterprise can do to prevent its users from calling a malicious IVR phishing system. The most obvious advice for end users is to always confirm the number of your financial institution before calling them. You can find their number either on the back of your credit card or on the financial institution's website. In an enterprise setting, you might at some point see managed VoIP services start to blacklist potentially unsafe or forbidden outgoing phone numbers as a response, much like web proxy service offerings today. Some VoIP and traditional phone management systems already have a call admission control policy, which customers can generally use to block bad numbers. To do so, you can create a rule with a group containing the bad numbers. Administrators can then add each new phishing phone number to the group, so that gullible users are not able to call it.
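The blocked-number group described above, sketched as an added example (not code from the book or from any phone management product). It shows why the rule should compare normalized numbers: the same destination can be dialed in several forms. The dial plan (outside-line digit 9, international prefix 011, home country code 1), the class and function names, and the sample numbers are all assumptions constructed for illustration.

```python
import re

# Assumed dial plan (not from the text): "9" for an outside line,
# "011" as the international prefix, "1" as the home country code.
OUTSIDE_LINE, INTL_PREFIX, HOME_CC = "9", "011", "1"

def normalize(dialed):
    """Reduce a dialed string to one canonical +<country><number> form."""
    has_plus = dialed.strip().startswith("+")
    digits = re.sub(r"\D", "", dialed)          # drop spaces, dashes, parens
    if has_plus:
        return "+" + digits
    # Strip the outside-line digit only when what follows is a full number.
    if digits.startswith(OUTSIDE_LINE) and len(digits) > 10:
        digits = digits[len(OUTSIDE_LINE):]
    if digits.startswith(INTL_PREFIX):
        return "+" + digits[len(INTL_PREFIX):]
    if len(digits) == 10:                       # national number, no country code
        return "+" + HOME_CC + digits
    if len(digits) == 11 and digits.startswith(HOME_CC):
        return "+" + digits
    return digits                               # e.g. an internal extension

class OutboundCallPolicy:
    """Call admission rule: named groups of blocked destination numbers."""
    def __init__(self):
        self.groups = {}                        # group name -> normalized numbers

    def add_number(self, group, number):
        self.groups.setdefault(group, set()).add(normalize(number))

    def check(self, dialed):
        target = normalize(dialed)
        for group, numbers in self.groups.items():
            if target in numbers:
                return ("deny", group)
        return ("allow", None)

if __name__ == "__main__":
    policy = OutboundCallPolicy()
    # Constructed sample numbers (reserved fictional ranges).
    policy.add_number("phishing-ivr", "(202) 555-0143")
    policy.add_number("phishing-ivr", "+44 20 7946 0000")
    for attempt in ["9 1 202 555 0143", "92025550143", "+1-202-555-0143",
                    "9 011 44 20 7946 0000", "2025550199", "4321"]:
        print(attempt, "->", policy.check(attempt))
```
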