Phishing attacks continue to be a major concern for organizations and consumers around the country.
It is imperative your institution continues educating your employees and consumers about these types of attacks, so you can all play a role in detecting and preventing these crimes.
What is a phishing attack, exactly?
Phishing Explained Simply
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising itself as a trustworthy entity in an electronic communication.
To perform these attacks, cybercriminals craft professional-looking and sounding communications – such as emails, social media messages, text messages, and phone calls – to trick individuals into providing private or financial information.
Executives of financial institutions are particularly at risk of being targeted by these cyberattacks, often in the form of “spear phishing” or “whaling” attacks.
Phishing attempts directed at specific individuals or companies have been termed spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success.
The term whaling has been coined for spear phishing attacks directed specifically at senior executives and other high-profile targets. In these cases, the content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email may be an executive issue such as a subpoena or customer complaint.
Characteristics of a Phishing Email
- Message is threatening or explicitly urgent (from IRS/FBI/law enforcement, immediate action required, your account will be closed, your credit card has a large charge, etc.)
- Sent from an unusual and/or unrecognizable email address
- Poor spelling and grammar
- Asking for personal information
- You did not initiate the action
- You are asked to send money
- You are asked for personal/confidential information
Common Phishing Emails
- An email that appears to be sent from the recipient’s CEO requesting that the recipient facilitate a wire transfer
- An email that appears to be sent from a vendor with banking instructions
- Suspended account email requesting updated personal information
- Locked account alert requesting verification of login credentials
- Restart a membership email with a link to click that will cause the installation of malware
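The two lists above (the characteristics of a phishing email, and the common lures such as the CEO wire-transfer request) translate directly into checks a mail filter or a security analyst's triage script can run. The Python below is an added example, not code from the original post or from any vendor: it scores a raw email message against those characteristics (unrecognized sender domain, a Reply-To that diverts replies elsewhere, urgent or threatening language, requests for credentials or money, links off the institution's own domain). The trusted domain name and both sample messages are constructed placeholders.

```python
"""Heuristic phishing-email scorer (added example; trusted domain and samples are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the institution's own mail domains (constructed placeholder).
TRUSTED_DOMAINS = {"examplebank.test"}

# Phrases matching "threatening or explicitly urgent" messages.
URGENCY_PHRASES = (
    "immediately", "urgent", "within 24 hours", "account will be closed",
    "account has been suspended", "final notice", "law enforcement",
)
# Phrases matching "asked for personal/confidential information" or "asked to send money".
REQUEST_PHRASES = (
    "password", "login credentials", "social security", "credit card",
    "wire transfer", "update your personal information", "verify your account",
)


def domain_of(header_value: str) -> str:
    """Return the lowercase domain of an address header ('' if there is none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def plain_text(msg) -> str:
    """Concatenate the decoded text/plain parts of a message (works for single-part too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_email(raw_message: str, trusted_domains=TRUSTED_DOMAINS) -> dict:
    """Score a raw RFC 822 message; a higher score means more phishing indicators."""
    msg = message_from_string(raw_message)
    score, reasons = 0, []

    # Characteristic: sent from an unusual and/or unrecognizable address.
    from_domain = domain_of(msg.get("From", ""))
    if from_domain not in trusted_domains:
        score += 2
        reasons.append(f"sender domain '{from_domain}' is not a known domain")

    # A Reply-To on a different domain diverts any reply away from the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain")

    text = plain_text(msg).lower()
    haystack = msg.get("Subject", "").lower() + "\n" + text

    urgent = [p for p in URGENCY_PHRASES if p in haystack]
    if urgent:
        score += 1
        reasons.append("urgent/threatening language: " + ", ".join(urgent))

    requests = [p for p in REQUEST_PHRASES if p in haystack]
    if requests:
        score += 2
        reasons.append("requests sensitive data or money: " + ", ".join(requests))

    # Links that lead away from the institution's own domains.
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in trusted_domains:
            score += 1
            reasons.append(f"link to external host '{host}'")

    verdict = "suspicious" if score >= 3 else "likely benign"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample: spoofed CEO wire-transfer request from a lookalike domain.
SAMPLE_PHISH = """\
From: "Jane Doe, CEO" <jane.doe@examp1ebank.test>
Reply-To: jane.ceo@mail-relay.test
To: controller@examplebank.test
Subject: URGENT wire transfer needed today

I am in a meeting and need you to handle a wire transfer immediately.
Confirm the account details at http://examp1ebank-secure.test/verify
"""

# Constructed sample: routine internal notice with no indicators.
SAMPLE_BENIGN = """\
From: IT Helpdesk <helpdesk@examplebank.test>
To: staff@examplebank.test
Subject: Scheduled maintenance Saturday

The core banking system will be offline Saturday 02:00-04:00 for patching.
No action is required from you.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        result = score_email(sample)
        print(label, result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The scoring is deliberately simple and keyword-based, which is enough to illustrate the signals; in practice the "known domain" list, the phrase lists and the threshold should be tuned per institution, and a score like this is a triage aid for staff rather than a substitute for mail-gateway controls and authentication checks.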
It is important you understand these phishing attacks, so you can arm your employees and accountholders with knowledge & tools needed to better detect and prevent these crimes.
So how exactly can you protect against this prevalent risk?
Risk Mitigation
The following are steps your financial institution should take to help detect and prevent exposure to fraud caused by phishing attacks.
- Network to stay informed about trending attacks
- Train your entire staff on what to watch for and what to do to detect & prevent an attack
- Establish an employee simulation program
- Send out mock phishing emails to gauge employee awareness
- Require multiple methods of authentication for accounts and transactions with sensitive information
- Warn and educate accountholders about warning signs for phishing attacks
- Inform accountholders that you would never use outbound communications to receive private information
- Keep current on security tools and software updates
- Install anti-phishing software
- Don’t click or respond to suspicious emails, links, or attachments – ask your employees and accountholders to take the same precautions
- Monitor and audit sensitive banking changes & review reports
- Enact dual controls for processes involving sensitive information
- Set appropriate dollar limits for ACH and wire transfers
- Adopt bond insurance products that will transfer a portion of the risk
Share information about phishing attacks with your employees and accountholders ASAP to arm them with the tools they need to better detect and prevent these types of attacks – so that your financial institution remains protected.