Avoid the hook: Protect your organization against phishing attempts

As a part of the Federal Reserve Banks’ continuing commitment to security, we want to remind our customers of the importance of protecting their organizations against cyberattacks. Organizations should ensure staff receive ongoing training necessary to recognize and report various types of phishing attacks.

Phishing is a technique used by bad actors to acquire sensitive data through a fraudulent solicitation, in email or on a website, in which the offender masquerades as a legitimate business or reputable person. The financial services industry is among the most targeted for phishing attacks and many organizations report daily phishing attempts. Due to the increased shift to remote staff, there has been a marked increase in home devices targeted to maliciously reroute traffic to fraudulent destinations, capturing keystrokes and data and installing malware, which can compromise your organization’s resources.

What can my organization do to project against phishing attacks?

In accordance with Operating Circular 5, FedLine^® customers and their service providers must comply with Federal Reserve Bank security standards. Follow these tips to help protect your organization against phishing attempts:

• Educate your staff on what phishing is, how to spot it and how/where to report it when it occurs.
• Have clear and well documented policies on how to manage phishing attempts to ensure staff respond appropriately. Stay on top of the evolving phishing tactics by consulting with your information security staff to monitor trends and adjust internal policies and procedures accordingly.
• When possible, use technology to aid in the identification of phishing emails though the classification of internal versus external email sources.
• Maintain contemporary anti-virus and anti-malware scanning software to offer additional protections in the event staff inadvertently click on suspicious links in an email.
• Verify unsolicited attachments with the sender using an alternate method to confirm legitimacy.
• Do not share your password – no individual, including technical support contacts, should ask for your password.
• Regularly apply patches, review configurations and ensure proactive monitoring policies of your infrastructure are in place.

Identifying a phishing email

In the past, excessive and/or blatant spelling, grammar and formatting errors were key indicators of a phishing email. However, phishing emails have become more sophisticated in recent years to appear more authentic and professional. Here are some steps you can take to defend against these evolved phishing emails:

• Always look at the sender and email address.
• Pay attention to any external warning banners.
  • Your organization may automatically apply warnings such as “This email has been received from outside the organization. Think before clicking on links, opening attachments or responding.”
• Examine the message content.
  • Does the content of the email make sense? Are there grammatical errors or inconsistencies? Look out for emails that create a sense of urgency and require immediate action using personal information.
• Beware of redirects and login pages.
  • Examine any links in an email by hovering your mouse over them (without clicking). Check that the site is secure by ensuring the web address starts with “https” and not “http”.
• Review the legitimacy of the login page.
  • Checking that a logo and page look “right” is helpful but not foolproof. The bad actors can easily copy and use the actual logo of a company. Also leverage the tips above for reviewing emails to evaluate the login page legitimacy.

Other industry sources recommend the following approaches for mitigating the threats of phishing attacks:

• Routinely educate and train employees, including occasional “testing” phishing exercises.
• Configure email systems to add a warning message to the header of all incoming emails delivered from external senders, which will alert your employees to review external emails with extra scrutiny.
• Restrict or remove email and web browsing on systems routinely used for payments processing.