Avoiding Email and Phishing Fraud
“Phishing” is defined as an attempt to misappropriate useful financial or systems information, such as account numbers, user IDs or passwords, by masquerading as a trusted business partner or authority. These communications, also known as “social engineering,” can come in many forms in addition to email, such as direct phone calls, regular mail or bulletins. Many of us have received compelling emails urging us to act: to update a user profile, a password or some other detail.
Significant caution needs to be applied in these situations. Security experts widely agree that the human element is often the weakest link in your company’s security chain. People are generally predisposed to politeness and, out of social etiquette or a desire to comply, will respond to an implied authority. Scammers, thieves and hackers rely upon that fact to build their attack on your company assets. Some questions or requests may seem benign on their own, but may be a crucial fragment of data needed to complete an attack.
Here are some tips that can harden the protective layer of security around your assets.
- Your banks and trading partners characteristically do not ask for passwords, IDs or “click this link to update your profile” requests by email. If you receive one, immediately assume it is fraudulent. Call your known contact at the sender's organization to validate the legitimacy of the communication asking for profile or security “updates.” Do not use the number or any other contact information in the request. Find contact information from your phone list or from someone you know and trust.
- DO NOT CLICK ANY LINKS IN UNEXPECTED EMAILS. The links in the email may lead to downloadable malware, which takes advantage of file viewers or other software that may have security holes. Malware can include the installation of keyboard loggers, remote control malware, and other phishing tools on your device.
- Follow the update guidelines for your anti-virus and firewall security software and keep it current.
- While the link text shown in the email might read email@example.com, the actual address behind it can be scammer@untraceable_pirate_server.bad or its equivalent. You do not need to risk your machine (or company) by sleuthing the email contents. Most company IT departments have guidance for unexpected or unwanted emails which generally advises you to “not open” and/or delete the suspect email. Do not forward untrustworthy emails unless you have been instructed to do so to a designated address by your IT security owner.
- Do not reply to unexpected or unwanted emails. Do not provide any information to an unknown requester no matter how seemingly benign.
- Do not call the phone numbers or send faxes to parties shown in the suspicious communication.
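The mismatch between what a link displays and where it actually points is something an email gateway or IT security team can check automatically rather than leaving it to each reader. The following is an added example, not part of the original bulletin or any BBVA Compass tooling: it parses the anchors in a constructed HTML message with the Python standard library and reports every link whose visible text names one site while its href (or mailto address) points to another. The sample message, the domain names in it and the helper names (`LinkCollector`, `find_mismatched_links`) are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: two links show a trusted-looking address while
# pointing elsewhere, and one link is honest. Domains are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Your profile needs updating. Please visit
<a href="http://untraceable_pirate_server.bad/login">https://www.example.com/profile</a>
or contact <a href="mailto:scammer@untraceable_pirate_server.bad">support@example.com</a>.</p>
<p>Unsubscribe: <a href="https://www.example.com/unsubscribe">https://www.example.com/unsubscribe</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def target_host(href):
    """Host the link really goes to: URL hostname, or the domain of a mailto address."""
    if href.lower().startswith("mailto:"):
        return href[len("mailto:"):].split("@")[-1].lower()
    return (urlparse(href).hostname or "").lower()


def displayed_host(text):
    """Host implied by the visible text, or '' if the text is plain wording."""
    token = text.strip()
    if " " in token or "." not in token:
        return ""  # e.g. "click here" names no host, so nothing to compare
    if "@" in token:
        return token.split("@")[-1].lower()
    parsed = urlparse(token if "://" in token else "http://" + token)
    return (parsed.hostname or "").lower()


def same_site(host_a, host_b):
    # Rough registrable-domain comparison: the last two labels must agree,
    # so www.example.com and example.com count as the same site.
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def find_mismatched_links(html):
    """Return the anchors whose displayed host differs from the real target host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown, actual = displayed_host(text), target_host(href)
        if shown and actual and not same_site(shown, actual):
            findings.append({"shown": text, "href": href,
                             "shown_host": shown, "actual_host": actual})
    return findings


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {hit['shown']!r} but points to {hit['actual_host']}")
```

Run against the sample, the check flags the first two links and stays silent on the honest unsubscribe link. It is deliberately a coarse filter: plain link text such as “click here” names no host and is not judged, and the two-label site comparison is an approximation rather than a public-suffix lookup, so treat hits as a reason to quarantine and review, not as proof on their own.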
Similar rules apply to phone calls that solicit any information related to accounts, passwords, and systems. Ask the party for their call-back information, but always call the party back at previously known and trusted numbers before proceeding. The number that you are given might look like a legitimate 800 number, but it may go directly to the scammer. If you do not know the person or company, escalate the request to your manager or a trusted system authority.
Fraud is an arms race between your business and the bad guys. Communicate these rules and other company security policies to your employees frequently to minimize risks.
For more information on containing fraud, please reference the following links:
The content provided is for informational purposes only. Neither BBVA Compass, nor any of its affiliates, is providing legal, tax, security or investment advice. You should consult your legal, tax, security or financial advisor about your company's situation. Opinions expressed are those of the author(s) and do not necessarily represent the opinions of BBVA Compass or any of its affiliates.