Does Your Institution Have an Anti-Phishing Strategy?

Maybe you’ve been one of the lucky individuals who has received a text or email recently, allegedly from your bank, letting you know that some strange activity has occurred on your account. If you would just provide your account number, they can help you resolve the issue.

This is the classic example of phishing, and hopefully, you didn’t bite.

Phishing for Funds

According to an FBI press release, there has been an increase in business email compromise (BEC) that “targets anyone who performs legitimate funds transfers” since the pandemic. They warn that phishing attempts have greatly increased since the start of the COVID-19 pandemic.

Don’t think you’d ever fall for it? Think again. These fraudsters can be super convincing. A typical scam usually involves an email from a company your business may have prior transactions with, but this email will request funds be sent to a new or account or alters the standard payment practices.

Recent examples of BEC victims include:

• A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed “due to the Coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
• A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because their regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.

The results of these successful hacks meant big losses for the companies.

Ways to Spot Phishing

The Federal Trade Commission provides some great tips on how to spot phishing attempts, such as looking for key words, phrases, or links that could suggest a phishing email, such as:

• say they’ve noticed some suspicious activity or log-in attempts
• claim there’s a problem with your account or your payment information
• say you must confirm some personal information
• include a fake invoice
• want you to click on a link to make a payment
• say you’re eligible to register for a government refund
• offer a coupon for free stuff

Implementing a Strategy

Every financial institution should have a strategy to help educate their customers to understand when an email or text is legitimately from them, and when customers should think before clicking.

The American Bankers Association is offering a comprehensive anti-phishing campaign called #BanksNeverAskThat. It requires an ABA number to register, but even if your institution does not have an ABA number, you may still be able to take advantage of their toolkit and campaign website.

Also review the tips offered by the Federal Trade Commission, which also provides information on how to report phishing attempts:

How to recognize and Avoid Phishing Scams

A well-thought-out campaign by your institution notifying your customers what to look out for may be very beneficial during this