As part of the Federal Reserve Banks' continuing commitment to security, we want to remind our customers of the importance of protecting their organizations against cyberattacks. Your organization should ensure that staff receive the ongoing training needed to recognize and report the various types of phishing attacks.
Phishing is a technique used by threat actors to acquire sensitive data through a fraudulent solicitation, in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person. The financial services industry is consistently among the most targeted industries for phishing, and many organizations report phishing attempts daily. Industry estimates attribute more than 90% of successful intrusions and data breaches to an initial phishing attack.
Your staff must remain vigilant and be kept informed of newly emerging phishing scams to avoid becoming victims.
What can my organization do to protect against phishing attacks?
In accordance with Operating Circular 5, FedLine® customers and their service providers must comply with Federal Reserve Bank security standards. Follow these tips to help protect your organization against phishing attempts:
- Educate your staff on what phishing is, how to spot it and how/where to report it when it occurs
- Have clear and well documented policies on how to manage phishing attempts to ensure staff respond appropriately
- Where possible, use technology to aid in identifying phishing emails, for example by classifying messages by internal versus external sender and marking external mail visibly
- Maintain current anti-virus and anti-malware scanning software to provide an additional layer of protection in the event that staff inadvertently click on suspicious links embedded in the body of an email
- Stay on top of evolving phishing tactics by consulting your information security staff to monitor trends and adjust internal policies and procedures accordingly
Other industry sources recommend the following best practices for mitigating the threats of phishing attacks:
- Routinely educate and train employees, including periodic simulated phishing exercises to test awareness
- Configure email systems to add a warning banner to all incoming messages from external senders (for example, a tag such as "[EXTERNAL]" in the subject line or a notice at the top of the body) so that employees review external email with extra scrutiny
- Restrict or remove email and web browsing on systems routinely used for payments processing