How can we protect our customers from getting phishing emails supposedly from our company where they request a bank account change? We have had 3 cases in the last year where our customers paid into a hacker's account.

CISO/CPO & Adjunct Law Professor in Finance (non-banking), 2 years ago

Is the core problem spam emails or customers payments going to hackers?

Technical controls such as those Ahmad Kakar mentioned will route spoofed mail allegedly from your company into your client's spam or quarantine folder, if the client has their settings configured properly.

Looking at the issue from another angle, you can notify customers that you will provide out-of-band communications such as a phone call and/or a hardcopy letter if your company shifts to a new business bank account. Put the message on your web presence and every other communication to your clients. You can market the notice as an increase in security, for a positive spin.

Director of IT in Healthcare and Biotech, 2 years ago

I realize that each organization is different but here are 6 things you can do:

1. Inform and train your customers about phishing attacks and how to spot them. Send frequent emails, social media updates, or blog posts on phishing strategies and warning signals. 

2. Establish email authentication: Verify email authenticity using SPF, DKIM, and DMARC. These techniques prohibit domain spoofing targeting your organization. 

3. Strong encryption: Encrypt sensitive consumer data in databases or networks to prevent unwanted access.

4. Give clients explicit instructions: Explain how you will manage bank account changes and sensitive information updates. Stress that you would never request such information by email or other insecure ways. 

5. Track client accounts: Watch for questionable customer account activity including frequent unsuccessful login attempts or rapid personal information changes. 

6. Assess third-party vendors: Check the security procedures of external service providers that handle client data to verify they follow industry standards.

Strategic Banking IT advisor in Banking, 2 years ago

It is not an easy task to protect our customers from that threat.

First, we have an internal team that 'listens' to the threats. You can report suspicious emails that link to 'fake websites' to them. They work with 3rd parties to have these websites shut down. 24/7...

Second, we often communicate (media, etc.) that we will never ask them for sensitive information (SIN, etc.) and no communication from us should contain links.

Third, when accessing a website that appears to be ours, they should pay attention to the security status.

Last but not least, we offer them protection for cyberfraud.

But it's very hard to prevent such a threat.

We've seen in the past many different tricks to mask hyperlink destinations. Replacing 'i' with 'l' in the URL is very basic. But other techniques are far more sophisticated.
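The 'i' for 'l' swap the advisor mentions is one instance of a broader lookalike-domain problem: confusable characters, character pairs that render as one letter (rn for m), a single dropped letter, punycode labels, or the real brand embedded under an unrelated registrable domain. The following is an added example, not code from any commenter or their organization, showing how an inbound mail filter or a customer-facing "is this really us?" checker can classify a sender domain against a trusted one. The trusted domain `example.com`, the sender domains in the demo and the confusable table are all constructed placeholders; a production filter would draw on the full Unicode confusables data and a public-suffix list.

```python
import unicodedata

# Constructed placeholder for the company's real sending domain.
TRUSTED_DOMAIN = "example.com"

# Single characters that read alike in a From: address or URL (hand-built
# subset; the Unicode confusables table is the complete source).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o",
                             "5": "s", "3": "e", "8": "b"})
# Character pairs that render like a single letter.
PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Collapse a domain to a form in which confusable spellings compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().strip(".")
    d = d.translate(CONFUSABLES)
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch a dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'trusted', 'trusted-subdomain', 'unrelated', or a 'suspicious: ...' reason."""
    s = sender_domain.lower().strip(".")
    t = trusted.lower()
    if s == t:
        return "trusted"
    if s.endswith("." + t):
        # Only the domain owner can create labels under the trusted domain.
        return "trusted-subdomain"
    if any(label.startswith("xn--") for label in s.split(".")):
        # IDN label: the displayed name may be built from non-Latin homoglyphs.
        return "suspicious: internationalized (punycode) label"
    sk_s, sk_t = skeleton(s), skeleton(t)
    if sk_s == sk_t:
        return "suspicious: confusable characters"
    if edit_distance(sk_s, sk_t) <= 1:
        return "suspicious: one edit from trusted domain"
    if t in s or t.split(".")[0] in s:
        # e.g. example.com.evil.test: brand name embedded under another domain.
        return "suspicious: embeds trusted name"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sender domains as a recipient's mail filter might see them.
    for d in ["example.com", "billing.example.com", "examp1e.com",
              "exarnple.com", "example.co", "example.com.evil.test",
              "xn--exmple-cua.com", "partner.net"]:
        print(f"{d:28} -> {classify(d)}")
```

The ordering of the checks matters: exact and subdomain matches are settled before any fuzzy comparison, so a legitimate `billing.example.com` is never flagged, while everything that merely resembles the brand is reported with the reason a support desk can relay to the customer.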

Director of IT in Transportation, 2 years ago

It might be because bad actors are actually getting into your team's email logins and sending emails from those. If that is the case, the very best thing you can do, to protect against that and in general to protect your team's emails, is to institute two-factor / multi-factor authentication, requiring it of all users. That will make it nearly impossible for a bad actor to commandeer one of your email accounts to abuse it.

If the bad actor is sending the email from another email address but "spoofing" the from address (or closely imitating it), it is basically up to email recipients to be suspicious of all emails like that these days. There are things THEY can do about it, but not much you can do about it.

You could send a general email to those with whom you have such relationships letting them know that these days such things happen, and that they should be suspicious of any such emails, using the phone to call and verify, for example.

Director of IT in Banking, 2 years ago

Customer education and making sure your email practices reinforce the education is helpful. From the tech front you should update your DMARC - Domain-based Message Authentication and Conformance settings. This will help protect your emails from spoofing. It's really easy for scammers to find deficient DMARC settings. There are a ton of vendors, or your internal IT/IS folks can set this up. Good luck.
