3 Easy steps to mitigate phishing attacks
Without going into too much detail, a Telstra-branded email was sent out with instructions to click a link to update your details “following an error in scheduled maintenance”, but the link of course didn’t go to any Telstra site (reportedly, it pointed to a British spa website which is a bit bizarre in itself).
Your service provider says ‘click’ – the Fraud Squad says don’t!
What interested me the most was the statement from the Queensland Crime Prevention Command’s Fraud and Corporate Crime Group:
“Regardless of what’s in this email – logos, account details and email addresses – the most important thing to remember is that they asked you to click on a link within an email. Legitimate companies will never ask you to do this, especially when it comes to providing your personal information.”
While this is well intentioned advice, it is fundamentally wrong! The fact is that thousands of legitimate companies send millions of emails every month asking their customers to click on a link – in most cases to view their eBills or eStatements online. And we’re talking big names; American Express does it, HSBC does it, 3 does it…and Telstra does it too.
So, now we have millions of confused customers out there being told by the police never to click on a link in an email, while their service providers are asking them to do just that! What’s the answer?
The fraud squad suggests that the safest solution is to just stop using links to web portal log-in pages in your emails. So, perhaps you should consider delivering your customers’ eBills or eStatements as PDF attachments to the email instead? This way, there’s no need for a link and a significantly reduced risk of the email being a phishing attack. However, if you have no alternative, there are a few things you can do to protect your customers…
3 steps to prevent phishing attacks:
1. Educate your customers
While it’s important to ensure that you use consistent branding in all your email communications, fraudsters are getting smarter about replicating these. Educating your customers to recognize your emails is one of the most powerful ways to protect them from phishing attempts. Look for alternative ways to help them identify your legitimate email such as using a customer selected image that must appear in every email.
“Dear Keith” is better than “Dear Valued Customer” (and does anything make you feel less valued than being called a ‘valued customer’??), because generic greetings are an easy way for a fraudster to recreate a company’s style.
This is the big one! Consistently include authentication in every email communication with the customers. Name, partial account number, partial address or postcode are all easy for a legitimate company to include in the email body, but impossible for a fraudster. Educate your customer that your emails will always have authentication, so any phishing email becomes instantly recognizable. Make use of the various security features available, such as digital email signatures, DKIM, DMARC and SPF to further authenticate the email and minimize the risk of it ending up in a spam folder.
Taking these steps will minimize the risk of your company and customers becoming the victims of phishing attacks
Get in touch with us
Keen to find out more or get an expert's opinion?