Our members are experiencing a high rate of fraud attempts initiated through text messaging scams that cause the member to click a link that takes them to a lookalike domain where they enter their credentials. Outside of training for our members, does anyone have any good suggestions to help mitigate this type of fraud activity?
Mandatory and regular security awareness training that covers text and email links. Also, the security folks should regularly run internal exercises using texts, emails and also telephone calls.
I should clarify that these attacks are not against our org directly. They are against our members (customers for those not in the CU space.)
There are a couple of things in mind:
1) You should investigate how the bad guys have obtained so many of your phone numbers.
2) Assuming it's a managed device (with MDM), deploy Cloud SWG/SSE to block fraudulent links.
3) Work proactively with a threat intelligence company to take down malicious domains, something like https://bfore.ai/.
1. It appears that our entire area code is likely being spammed. It could also be that one of the local utility providers had a leak. We have a fairly mature incident response and vendor management program and can't seem to find any correlation between any events we're aware of and the data itself. The trick in small, rural areas is that since all services are "the only game in town", everybody uses them. There's not a good way to correlate. Also, many non-customers are also affected. There just aren't that many people in our area, so if you just start texting numbers in our area code, the chances of hitting on one of our members is about 1 in 10.
2. Not a managed device. As these are customer devices, all we can do is recommend garden-variety mitigations through their device OS, recommend filters, etc.
3. We do work with RSA for this. Domain takedowns take too long. I will look into bfore.ai; maybe response time would be better. Thank you for that recommendation!
Quarterly/monthly TEST emails from the security team to the company. Folks clicking on them receive extra mandatory training. This will help reduce folks clicking on such emails, as they have been seeing them monthly from the company and are aware of how to identify them.
We do exactly that. The problem is, this is our customer base not our employees. While we do provide training, there's not much we can do but provide guidance.
I would contact all your members via email or mail to tell them how you'll contact them, what you will ask, and what you will never ask, in order to help them identify spam. Admit that fraudsters are doing this to your customers and others, and give them the tools to protect themselves, such as not clicking on the link, logging into their own account directly, or phoning your contact centre.
A longer-term solution is to get them to use your app and say you will never text them; you'll only use notifications.
Purchasing all lookalike domains is unlikely to really work.