Secure web gateways and awareness training may protect a bank’s employees against phishing attacks, but those security measures won’t stop customers and partners outside the perimeter from submitting sensitive information to an attacker impersonating a financial institution. These attacks don’t just put people who trust your brand at risk; they also threaten its reputation in the marketplace. When current and future clients fall victim to a phishing attack that leverages your company’s identity, it is nearly impossible to regain their confidence afterwards.
There is no silver-bullet solution for brand protection and anti-phishing, and an effective strategy must extend beyond your financial institution’s walled garden. According to Gartner, “A comprehensive and effective anti-phishing program extends protection beyond the perimeter to detect and eradicate phishing campaigns that abuse corporate brands and names in attacks against customers and members of the public.” (Gartner, Inc., Fighting Phishing: Protect Your Brand, Neil Wynne and Andrew Walls, March 17, 2016.)
In this post, we will present some key recommendations from our anti-fraud experts and show how the variety of products and services that make up our Total Fraud Protection strategy can help your institution to stay out of danger.
#1: Domain Name and Social Media Monitoring
The more a phishing message seems like it might be legitimate, the more effective it will be at ensnaring your customers. To look official, a fake message must use domain names and social media handles that closely resemble a financial institution’s real brand name and imagery. But ironically, these messages’ close resemblance to the real thing is what also plants the seeds of their destruction. Financial institutions must keep a close eye on domain name registrations and social media profiles so that phishing activity is caught early before customers can be victimized.
Easy Solutions’ Detect Monitoring Service® identifies and keeps track of malicious cousin domains and mentions of your company’s brand on thousands of social media and user-content oriented websites, as well as app stores. In this way, your financial institution will be able to remove sites, profiles and apps imitating your brands before an attack can trick your customers, not after it has already done so.
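As an added example (not code from Easy Solutions or Detect Monitoring Service), here is how a defender can triage a feed of new domain registrations against a protected brand domain, flagging homoglyph substitutions, TLD swaps, embedded brand names and close typosquats; the brand domain examplebank.com and the registrations are constructed, hypothetical values.

```python
import unicodedata

# Constructed sample: the bank's real domain (hypothetical) and a feed of newly
# registered domains as a registrar or passive-DNS source might deliver it.
BRAND_DOMAIN = "examplebank.com"
NEW_REGISTRATIONS = [
    "examp1ebank.com",          # digit '1' standing in for 'l'
    "exarnplebank.com",         # 'rn' rendering like 'm'
    "examplebank.co",           # same label, different TLD
    "examplebank-secure.com",   # brand embedded in a longer label
    "exampelbank.com",          # transposed letters
    "weatherreport.org",        # unrelated registration
]

# Confusable sequences folded to what they imitate; deliberately aggressive, since an analyst reviews the hits.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m", "cl": "d"}

def normalize(label):  # lower-case, drop accents/non-ASCII, fold confusables
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for seq, plain in HOMOGLYPHS.items():
        s = s.replace(seq, plain)
    return s

def levenshtein(a, b):  # edit distance; small values suggest a typosquat
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand=BRAND_DOMAIN, max_distance=2):
    """Label one registration relative to the protected brand domain."""
    if candidate.lower() == brand:
        return "brand"
    brand_label = brand.split(".")[0]
    cand_label = normalize(candidate.split(".")[0])
    if cand_label == brand_label:
        return "lookalike"        # homoglyph substitution or TLD swap
    if brand_label in cand_label:
        return "brand-embedded"
    if levenshtein(cand_label, brand_label) <= max_distance:
        return "typosquat"
    return "unrelated"

def review_feed(feed, brand=BRAND_DOMAIN):
    # Keep only the registrations worth an analyst's attention.
    return {d: classify(d, brand) for d in feed if classify(d, brand) != "unrelated"}
```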
#2: Monitor Externally for Phishing Campaigns
Monitoring domain name registrations and social media profiles can greatly reduce attack volume, but it’s not a cure-all that makes phishing impossible. Financial institutions should externally monitor for possible threats and breaches so that any incidents are detected and mitigated as swiftly as possible.
Our philosophy is that fraud must be identified and stopped throughout the attack lifecycle, not just when money is removed from an account. Detect Monitoring Service looks for telltale signs of imminent threats, such as website scraping, to halt attacks that are still in their planning and launching stages. This type of external monitoring has been proven to detect 50% more attacks and remove them in one-third of the time our customers were used to with their previous anti-phishing strategy.
#3: Fight Email Spoofing
Financial institutions ought to stop email spoofing by implementing the DMARC (Domain-based Message Authentication, Reporting and Conformance) standard. This protocol, which has been adopted by the world’s largest email providers, including Google, Office 365, Hotmail and Yahoo, ensures that spoofed emails failing authentication checks are rejected instead of delivered.
Easy Solutions’ DMARC Compass® adds another layer to your anti-phishing strategy by allowing your institution to take full advantage of the DMARC standard. With the solution’s policy builder, you can identify all the domains sending messages on your behalf, gradually making sure that only authorized senders are able to deliver legitimate communication. This visibility means that phishing emails spoofing your domains will be completely eliminated, and any sites attempting to send those messages will be removed from the Internet.
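An added example, not part of the original post or of DMARC Compass: a small parser for DMARC TXT records that grades a published policy from monitoring-only to full enforcement and points out the settings that leave spoofing possible (p=none, a partial pct, sp=none, or no reporting address). The records and the examplebank.com domain are constructed.

```python
# Constructed DMARC TXT records for a hypothetical domain (not real DNS data),
# showing the rollout from monitoring-only to full enforcement.
RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-rua@examplebank.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-rua@examplebank.com",
    "enforce": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc-rua@examplebank.com; ruf=mailto:dmarc-ruf@examplebank.com"),
    "gap": "v=DMARC1; p=reject; sp=none",  # subdomains left open, no reporting address
}

DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # RFC 7489 defaults for omitted tags
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT record (semicolon-separated tag=value pairs) into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a DMARC record: v=DMARC1 and a valid p= tag are required")
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p
    return tags

def assess(txt):
    """Return (level, findings): how much spoofing protection the record gives at
    receivers that honor DMARC, and anything in it that weakens that protection."""
    t = parse_dmarc(txt)
    findings = []
    if t["p"] == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif int(t["pct"]) < 100:
        findings.append(f"pct={t['pct']}: only that share of failing mail gets the policy")
    if t["sp"] == "none" and t["p"] != "none":
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports to find unknown senders")
    level = {"none": "monitoring", "quarantine": "partial", "reject": "enforcing"}[t["p"]]
    return level, findings
```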
#4: Help Customers Tell the Difference Between Legitimate and Fraudulent Communication
Not all anti-phishing measures need to be technical in nature. For example, maintaining a clear and unique voice in all email and social media communication helps to reduce customer vulnerability to attacks by making phishing messages seem pedestrian and bland by comparison. This difference in voice makes phishing messages easier for your customers to filter out, since they are so uncharacteristic of the much more vigorous brand messaging they are accustomed to.
Easy Solutions can help you find and remediate any vulnerabilities in your anti-phishing strategy, technical or otherwise, with our Detect Fraud Assessment service. We measure the gap between your current practices and what’s needed to stay current with the latest cybercriminal trends, providing a complete list of tactical and operational action items to make sure your anti-phishing strategy is totally up-to-date and obstructing all attacks.
#5: Establish Phishing Attack Response Processes
Identifying that an attack is taking place is not enough. Every moment a phishing attack is live is a moment that it’s stealing from your customers. You must have the necessary people and processes in place to quickly take these attacks down. This should include a computer security incident response team (CSIRT) working together with a PR crisis team and corporate legal counsel to coordinate a unified response to any security incident.
Detect Monitoring Service keeps this tense mitigation process simple through speedy notifications and attack removal. Our Security Operations Center (SOC) agents were able to proactively notify customers about phishing attacks 76% of the time, meaning we had already deactivated the attack before they knew it had even launched. In addition, our average attack takedown time of 3.6 hours is six times faster than the industry average, so any phishing site we find is going to be up for much less time than it otherwise would be, saving you precious money, time and trust.
A strategy that only focuses on phishing threats inside the perimeter will soon be compromised by cybercriminals taking advantage of your less-protected customers and partners. Shut down phishing attacks for good with the multi-faceted Total Fraud Protection strategy from Easy Solutions, which provides the visibility necessary to detect and eliminate attacks even when they are perpetrated in the world beyond your office walls.