During times of uncertainty, like the current public health emergency, security threats tend to increase as attackers capitalize on the fear that people feel. As a part of the Federal Reserve Banks’ continuing commitment to security, we want to remind our customers of the importance of protecting their organizations against cyberattacks. Your organization should ensure your staff receive the ongoing training necessary to recognize and report the various types of phishing attacks.

Phishing is a technique used by threat actors in an attempt to acquire sensitive data through a fraudulent solicitation, in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person. The financial services industry is consistently among the most targeted industries for phishing attacks. Many organizations report daily phishing attempts. It is estimated that over 90% of all successful hacking and data breach incidents originate from phishing attacks. Due to the surge in remote staff, there has been a marked increase in attacks on home devices that maliciously reroute traffic to fraudulent destinations, capture keystrokes and data, and install malware, any of which can compromise your company’s resources.

Your staff must remain constantly vigilant and be continually informed of new emerging phishing scams to avoid becoming a victim.

What can my organization do to protect against phishing attacks?

In accordance with Operating Circular 5, FedLine® customers and their service providers must comply with Federal Reserve Bank security standards. Follow these tips to help protect your organization against phishing attempts:

  • Educate your staff on what phishing is, how to spot it and how/where to report it when it occurs
  • Have clear and well documented policies on how to manage phishing attempts to ensure staff respond appropriately
  • When possible, use technology to aid in the identification of phishing emails through the classification of internal versus external email sources
  • Maintain contemporary anti-virus and anti-malware scanning software to offer additional protections in the event staff inadvertently click on suspicious links embedded in the body of an email
  • Verify unsolicited attachments with the sender using an alternate method to confirm legitimacy
  • Do not share your password - no individual, including technical support contacts, should ask for your password
  • Stay on top of the evolving phishing tactics by consulting with your information security staff to monitor trends and adjust internal policies and procedures accordingly
  • Regularly apply patches, review configurations and ensure proactive monitoring policies of your infrastructure are in place

Other industry sources recommend the following best practices for mitigating the threats of phishing attacks:

  • Routinely educate and train employees, including occasional “testing” phishing exercises
  • Configure email systems to add a warning message to the header of all incoming emails delivered from external senders, which will alert your employees to review external emails with extra scrutiny
  • Restrict or remove email and web browsing on systems routinely used for payments processing
  • Participate in work groups or informational dialogue on the threat landscape for the financial sector and stay informed of recent trends
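The internal-versus-external classification and the external-sender warning recommended above can be implemented as a filter step in the mail pipeline. The following is an added illustration, not code from the Federal Reserve Banks or any named vendor; the domain names and messages are constructed for the example, and the function names (`is_external`, `tag_external`) are assumed.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the organization's own sending domains (constructed example value).
INTERNAL_DOMAINS = {"example-bank.test"}
SUBJECT_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email originated from outside the organization. "
          "Do not click links or open attachments unless you recognize the sender.")

def is_external(msg):
    """True when the From address is not in an internal domain.
    Only the address is checked, never the display name, so
    'IT Support <x@outside.test>' is still classified as external.
    In production, prefer the MTA's authenticated-submission state over
    the From header alone, because From can be forged."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS

def tag_external(raw):
    """Parse a raw RFC 5322 message; if it is external, prefix the subject,
    prepend a banner to the plain-text body and add a marker header."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(SUBJECT_TAG):      # avoid double-tagging replies
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".strip()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and not body.get_content().startswith(BANNER):
        body.set_content(BANNER + "\n\n" + body.get_content())
    msg["X-External-Sender"] = "yes"              # lets downstream rules key on it
    return msg

# Constructed sample messages (not real traffic).
EXTERNAL_SAMPLE = """From: "Helpdesk" <support@outside.test>
To: staff@example-bank.test
Subject: Password reset required

Please confirm your password at the link below.
"""
INTERNAL_SAMPLE = """From: Payments Team <payments@example-bank.test>
To: staff@example-bank.test
Subject: Weekly update

Reminder: wire cutoff is 4 pm today.
"""
```

Running `tag_external(EXTERNAL_SAMPLE)` yields a subject of `[EXTERNAL] Password reset required` with the banner at the top of the body, while the internal sample passes through unchanged.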

Action Item:

Make sure your employees are regularly reviewing the security measures your organization has in place to protect against phishing attempts.

SOURCE:

National Institute of Standards and Technology