Protecting your bank from phishing attempts
FRBservices.org's July 15 FED360° newsletter includes an article, "Gone phishing—Tips to help protect your organization from phishing attempts." Phishing is an attempt by threat actors to acquire sensitive information through a fraudulent solicitation, delivered by email, on a website or by text message, in which the fraudster poses as a legitimate business or reputable person. The article offers tips to help protect banks and other organizations from phishing attempts:
- Educate your staff on what phishing is, how to spot it and how/where to report it when it occurs.
- Consider having occasional "testing" phishing exercises.
- Have clear and well-documented policies on how to manage phishing attempts to ensure staff respond appropriately.
- When possible, use technology to aid in the identification of phishing emails through the classification of internal versus external email sources.
- Add warning messages to the header of all incoming emails from external senders, alerting employees to review external messages with extra care.
- Maintain current anti-virus and anti-malware scanning software to offer additional protection in the event staff inadvertently click on suspicious links embedded in the body of an email.
- Stay on top of evolving phishing tactics by consulting with your information security staff to monitor trends and adjust internal policies and procedures accordingly.
- Restrict or remove email and web browsing on systems routinely used for payments processing.
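The two tips on classifying internal versus external senders and adding a warning to external messages are straightforward to prototype. The following is an added example, not code from the FED360 article or FRBservices.org; it assumes a hypothetical internal-domain list (examplebank.test) and uses constructed sample messages.

```python
# Added example (not from the FED360 article or FRBservices.org): a minimal
# inbound-mail rule that classifies senders as internal or external and tags
# external messages with a subject prefix and a body banner.
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: domains the (hypothetical) bank treats as internal.
INTERNAL_DOMAINS = {"examplebank.test", "ops.examplebank.test"}
EXTERNAL_BANNER = ("CAUTION: This email originated from outside the organization. "
                   "Treat links and attachments with extra care.\n\n")

def sender_domain(raw: str) -> str:
    """Lower-cased domain from the From: header, '' if absent or unparseable."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_external(raw: str) -> bool:
    """External unless the From: domain is exactly one of ours; look-alike
    domains (examplebank-secure.test) and a missing From: count as external."""
    return sender_domain(raw) not in INTERNAL_DOMAINS

def tag_external(raw: str) -> str:
    """Prefix the subject with [EXTERNAL] and prepend the banner to a plain-text
    body; internal mail is returned unchanged. Safe to apply more than once."""
    if not is_external(raw):
        return raw
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]  # replace rather than append a second Subject header
        msg["Subject"] = f"[EXTERNAL] {subject}".rstrip()
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        body = msg.get_payload()
        if not body.startswith(EXTERNAL_BANNER):
            msg.set_payload(EXTERNAL_BANNER + body)
    return msg.as_string()

# Constructed sample messages (not real mail): a look-alike external sender and
# a genuine internal one.
SAMPLE_EXTERNAL = ("From: IT Support <it-support@examplebank-secure.test>\n"
                   "Subject: Action required: confirm your login\n\n"
                   "Please confirm your credentials at the link below.\n")
SAMPLE_INTERNAL = ("From: Payments <payments@examplebank.test>\n"
                   "Subject: Wire cutoff reminder\n\n"
                   "Cutoff for same-day wires is 3 pm.\n")

if __name__ == "__main__":
    print(tag_external(SAMPLE_EXTERNAL))
```

A production mail gateway would apply the same rule at the MTA or cloud mail filter rather than in Python, but the classification logic (exact match against a known internal-domain list, everything else tagged) is the part that matters.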