If you’re not familiar with the term, phishing scams aim to either infect your computer with malware or to steal your personal information, including account passwords.
Scammers accomplish this by sending you emails that often appear legitimate to get you to download a malicious attachment or to click on a link that will prompt you to provide personal or account information.
Savvy internet users often believe they can detect phishing emails, and many such attempts are obviously fake and are properly ignored. But scammers are getting smarter and regularly trick even technically experienced users.
A simple Google News search for “phishing” will provide plenty of recent examples of the damage these scams can cause. More troubling, it has been reported that a new phishing scam is launched every 30 seconds.
Credit unions need to be particularly vigilant when it comes to the dangers of phishing scams, and need to take regular steps to ensure employees don’t fall victim—potentially putting your members’ data and your credit union’s reputation at risk.
Here are three simple steps your credit union can take today.
1. Implement training
Staff must receive regular training and reminders, at least quarterly but possibly monthly, about phishing scams and how to avoid falling prey to them.
Educate employees about what phishing emails are and the common tricks used to lure people. They need to be aware that even emails from known senders may be fake or spoofed, or may be sent from a colleague's account that has itself been compromised.
Employees should inspect the actual sending address, not just the display name, and hover over links to see where they really lead before clicking. A familiar-looking address is not proof on its own, since the From header can be forged, so any unexpected request to log in, change payment details or open an attachment should be confirmed through a separate channel, such as a phone call to a number already on file. And they should never download attachments or click on links from suspicious messages.
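The checks described above can also be automated at the mail gateway or help desk. The script below is an added example written for this article, not code from the original post or from any vendor. It parses a raw email, compares the display name against the actual sending address, flags a Reply-To that points somewhere other than the sender, and catches links whose visible text names one host while the href points to another. The trusted domain examplecu.org and the sample message are constructed for the example.

```python
"""Flag common phishing tells in a raw RFC 5322 message (added example)."""
import email
import re
from email.utils import parseaddr

# Domains the credit union treats as its own (assumption made for this example).
TRUSTED_DOMAINS = {"examplecu.org"}

# Constructed sample message for the example; the display name shows a trusted
# address while the real sender, the Reply-To and the link all lead elsewhere.
SAMPLE_EML = """\
From: "helpdesk@examplecu.org" <helpdesk@examplecu-support.com>
Reply-To: tickets@mail-relay-examplecu.net
To: teller@examplecu.org
Subject: Action required: your password expires today
Content-Type: text/html

<p>Your network password expires in 2 hours.</p>
<p><a href="http://examplecu-support.com/reset">https://portal.examplecu.org/reset</a></p>
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"^(?:https?://)?([^/\s]+)", re.I)


def domain_of(addr):
    """Lowercased domain part of an email address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url):
    """Lowercased host of a URL or URL-looking link text, or '' if none."""
    m = URLISH_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def is_trusted(domain):
    """True for a trusted domain or any of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain):
    """True if the domain borrows a trusted name's first label but is not that domain."""
    if not domain or is_trusted(domain):
        return False
    return any(t.split(".")[0] in domain for t in TRUSTED_DOMAINS)


def analyze(raw):
    """Return a list of (check, detail) findings for a raw message string."""
    msg = email.message_from_string(raw)
    findings = []

    name, sender = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(sender)
    if is_lookalike(sender_dom):
        findings.append(("lookalike_sender_domain", sender))
    # Display name carries a trusted address, but the real sender is external.
    if "@" in name and is_trusted(domain_of(name)) and not is_trusted(sender_dom):
        findings.append(("display_name_spoof", name))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_dom:
        findings.append(("reply_to_mismatch", reply_to))

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in HREF_RE.findall(body):
        shown = host_of(re.sub(r"<[^>]+>", "", text))  # strip inline tags
        real = host_of(href)
        if shown and real and shown != real:
            findings.append(("link_text_mismatch", f"{shown} -> {real}"))
        elif is_lookalike(real):
            findings.append(("lookalike_link", href))
    return findings


if __name__ == "__main__":
    for check, detail in analyze(SAMPLE_EML):
        print(f"{check}: {detail}")
```

Run it on its own and it prints four findings for the sample message. A clean internal message, with a sender on the trusted domain and links that read the way they resolve, produces none. These heuristics are a triage aid, not proof: a message that passes every check can still come from a compromised legitimate account.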
2. Have a standard operating procedure (SOP)
Your credit union should have an SOP for reporting any suspected or detected phishing email, especially if an employee believes they inadvertently downloaded an attachment, visited a link or entered a password after following a suspicious email. Employees should know that a prompt report is expected and will not be held against them, because a delayed report costs far more than a false alarm.
Where a phishing email carried malware or harvested a password, the report should reach your information technology department swiftly so it can take proper steps to mitigate the threat, such as isolating the affected machine, resetting the credentials that were entered and checking whether other staff received the same message.
3. Incorporate multi-factor authentication
When possible, critical systems—particularly those that host sensitive data, including member data—should incorporate multi-factor authentication.
This requires a second step to prove who the user is before they are logged in, such as a code from an authenticator app or a hardware security key, in addition to the password. Even if an account password is stolen via a phishing scam, the thief cannot log into the system with the password alone. Not all second factors are equal, however: a code sent by text message or read from an app can still be relayed by a phishing site in real time, whereas hardware keys built on FIDO2/WebAuthn are bound to the genuine site and resist that trick.
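To make the point concrete, here is an added example, written for this article and not taken from any vendor's product, of a login check that accepts a password only when it is accompanied by a valid time-based one-time code (TOTP, RFC 6238, the scheme authenticator apps use). The user record, password and shared secret are constructed for the example; the secret is the reference value from the RFC so the codes can be checked against its published test vectors.

```python
"""Password plus TOTP login check (added example, RFC 6238 style)."""
import hashlib
import hmac
import struct
import time

# Constructed demo user. The secret is the RFC 6238 reference secret
# (ASCII "12345678901234567890"); a real enrolment generates a random one.
DEMO_SECRET = b"12345678901234567890"
USERS = {
    "teller01": {
        "password": "correct horse battery staple",  # real systems store a hash
        "totp_secret": DEMO_SECRET,
    }
}


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time."""
    now = int(time.time() if at is None else at)
    return hotp(secret, now // step, digits)


def verify_totp(secret, code, at=None, window=1, step=30):
    """Accept the current code or one step either side to absorb clock drift.
    The comparison is constant-time so the check itself leaks nothing."""
    now = int(time.time() if at is None else at)
    return any(
        hmac.compare_digest(totp(secret, now + d * step, step), code)
        for d in range(-window, window + 1)
    )


def login(username, password, code=None, at=None):
    """True only if both the password and a valid current TOTP code are presented."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    if code is None or not verify_totp(user["totp_secret"], code, at):
        return False  # a stolen password alone gets the attacker nowhere
    return True


if __name__ == "__main__":
    now = time.time()
    current = totp(DEMO_SECRET, at=now)
    print("password only:", login("teller01", "correct horse battery staple", at=now))
    print("password + code:", login("teller01", "correct horse battery staple", current, at=now))
```

Run on its own it prints False for the password-only attempt and True once the current code is supplied. Note the limitation mentioned above: a phishing page that asks for the code and forwards it within the 30-second window still gets in, which is why hardware keys are preferred for the most sensitive systems.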
You will need to check with your software vendors or developers to see if this capability is supported, or if the feature can be developed.
While there is no cut-and-dried method to completely avoid the threat of employees falling victim to phishing scams, taking these precautions could help your organization avoid an expensive mistake later.