How To Reduce Phishing Attacks On Your Business

One of the worst cases of phishing occurred in 2007, when an international phishing ring stole account details from thousands of customers of two banks and transferred about $1.5 million into fake accounts it controlled. It took over two years of FBI investigation to charge the more than 100 people behind the attack.

What is phishing?

Phishing is a form of online identity theft that gathers personal information through deceptive emails and websites, and it has become increasingly common in the digital age we live in.

In the past, phishing attempts were easier to spot: obvious grammatical and spelling mistakes, and messages that were clearly out of the norm, whether an inheritance from a relative you never had or a request to assist with a business transaction for an individual you’d never met.

Today, phishing emails are remarkably clever, pulling language straight from official company correspondence, free of typos and backed by fake websites that are close replicas of the websites being spoofed. Logos, corporate branding and plausible domains like mycommbank.com or paypa1.com (note the 1) make the sites appear real enough, and at times victims are even directed to the real company website, only to be presented with a fake pop-up form that captures their personal information.

As a company, how can you avoid becoming a victim of phishing?

It’s difficult for a company to eliminate the threat of a phishing attack entirely. However, you can take several measures to reduce the odds of this occurring. One such measure is to have a defined communications protocol for how employees interact with customers via email. Ensuring that all emails and webpages share a consistent visual appearance, greeting customers by their first and last name, and never requesting personal or account information by email are ways to educate and train customers in this communication protocol. This makes it easy to spot an email that departs from the norm.

Companies should also rethink how customers interact with their website. Users should not be able to simply open a new account with personal and financial information without some form of email verification; transactions should likewise be acknowledged by email, and e-commerce forms should sit behind a secure login.

Other methods slowly being adopted include better authentication through RSA tokens, biometrics, one-time passwords and smart cards, all of which make the information phishers capture less valuable. Commonwealth Bank uses a combination of online security measures and Q&A verification, along with a 6-digit SMS one-time code sent directly to a user's mobile phone before a transaction is made. This makes it difficult for phishers to replicate the process. Another mid-sized bank recently added encoded data to its cards' magnetic strips to help authenticate ATM transactions. As the data is not visible to the customer, there is less risk of customers accidentally disclosing it.

Establishing an anti-phishing team and a response plan is also key to preparing for a potential phishing attack. The team should include representatives from most departments, including IT, marketing, customer service and legal. Then address the following:

  1. Set up a dedicated email account to which customers can forward any questionable emails (e.g. fraud@yourcompany.com).
  2. Train your employees and call center staff to recognize a phishing attack, and prepare the communication between them and customers if one were to occur.
  3. Prepare a timeline of how and when you plan to notify customers that an attack has occurred. The earlier customers are made aware and educated, the better prepared they can be and the less risk there is of more data being captured by phishers.
  4. Outline who to contact and how to get a phishing site taken down as quickly as possible, as well as contacting law enforcement as soon as possible.
  5. Find and shut down phishing sites before phishers launch their campaigns. You can outsource this to a fraud alert service, which uses technology to scour the web for unauthorized use of your branding and for newly registered domains that contain your company name or are similar to it. This gives you added time to counteract a phishing attack.
  6. Work with Managed Security Service Providers to protect your websites from phishing risks. Our SecureSTREAM solution is designed to prevent websites from becoming compromised by phishers.
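Item 5 above, and the paypa1.com / mycommbank.com examples earlier, come down to one task: screening a feed of newly registered domains for names that read like your brand. The following is an added illustration written for this post, not code from the article, from SecureSTREAM, or from any fraud alert service. It assumes a constructed allowlist of your own domains (paypal.com and commbank.com.au are used purely as examples) and a constructed sample feed; the homoglyph table is a hand-picked heuristic, not an exhaustive one.

```python
"""Flag newly registered domains that look like your brand (added example)."""
import re
import unicodedata

# Single characters phishers swap for look-alike letters (constructed table)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}
# Two-character sequences that read as one letter at a glance
DIGRAPHS = {"rn": "m", "vv": "w"}

# Constructed allowlist and brand list; replace with your own
LEGITIMATE_DOMAINS = ("paypal.com", "commbank.com.au")
BRANDS = ("paypal", "commbank")


def normalize(label):
    """Reduce a DNS label to the ASCII word a human is likely to read it as."""
    # Accented Latin letters fold to their base letter; other scripts (e.g. a
    # Cyrillic 'a') have no ASCII form and are dropped, which the edit-distance
    # check below then catches as a one-character difference.
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for seq, letter in DIGRAPHS.items():
        label = label.replace(seq, letter)
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    return re.sub(r"[^a-z0-9]", "", label)  # hyphens carry no visual weight


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=BRANDS, legitimate=LEGITIMATE_DOMAINS, max_distance=1):
    """Return (reason, offending_label, brand), or None if the domain looks unrelated."""
    host = domain.strip().lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in legitimate):
        return None  # your own domain or a genuine subdomain of it
    for label in host.split(".")[:-1]:  # every label except the TLD itself
        norm = normalize(label)
        for brand in brands:
            if brand in norm:
                # covers paypa1, mycommbank, paypal-secure and paypal.com.evil.net
                return ("brand_embedded", label, brand)
            if len(norm) >= 4 and levenshtein(norm, brand) <= max_distance:
                return ("typosquat", label, brand)
    return None


def scan(candidates, **kwargs):
    """Run classify() over a feed of domains and keep the ones worth a human look."""
    hits = []
    for domain in candidates:
        verdict = classify(domain, **kwargs)
        if verdict:
            hits.append((domain, verdict[0], verdict[2]))
    return hits


# Constructed sample of a "newly registered domains" feed
SAMPLE_FEED = ["paypal.com", "paypa1.com", "example.com", "mycommbank.com", "paypl.com"]

if __name__ == "__main__":
    for domain, reason, brand in scan(SAMPLE_FEED):
        print(f"{domain:20} {reason:15} resembles {brand}")
```

The output is a triage list, not a verdict: a brand name embedded in a label is a strong signal, while an edit distance of one will also catch innocent registrations, so the hits belong in front of the team described above rather than in an automated takedown request. Because the allowlist check runs first, your own subdomains never appear as hits, which is what lets the same filter run over your own certificate-transparency or DNS logs as well as a registration feed.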

In the end, it comes down to preparation and educating your customers about online security. They are the first and last line of defense, so by including them in your solution and following the tips above, you can significantly reduce the risk of becoming a phishing target.
