targeting financial firms and their Customers. Coming back from a long weekend and back log of emails, the stresses that you are under in this unprecedented time, business objectives and customer expectations, this is the perfect storm for the Fraudster to exploit. In our isolation the use of malicious and fraudulent emails (Phishing) appears to be the current tool of choice and here are some tips, key indicators and red flags that and email may be malicious or fraudulent to keep your Firm, Customers and Yourself safe.
- Is the email out of the blue or unsolicited with a time pressure to undertake some action?
- Is the email address of the sender the same as your Customers in your records?
- Is the spelling correct or have letters been substituted, do you even know the sender?
- If there are links to respond to do not click them, hover your cursor over them and check the URL. Always go to the official site rather than click a link in an email especial if it requesting that you need to do so to undertake some action.
- If the email is requesting that you need to download a file or attached document do not do this or click on it.
- Are there grammatical or spelling errors in the email?
- Does the email sound like client?
- Does the email request some personal data or business data or security details?
- Does the sender address you by name, is this usual? If the sender is unknown to you this could be an attempt to gain confidence, remember we all have personal details on the web that are easy to find.
If you see any red flags it is time to contact your IT department or provider and get them to check the email out and validate it.
When receiving requests to make transfers to accounts or pay invoices you need to be cautious, consider the following as red flags that either the email is a phishing attempt or that your customers email account has been compromised.
- Is the request expected, in line with the known activity and business operation of the Customer?
- If the email asks to call them on a phone number to confirm the transaction, use the contact details that your firm has on file and not the ones in the email.
- Check the transfer details, are they the same as the ones you have on the file for the customer or is this a new transaction? .
- Is the transaction inline with the normal activity and known behaviour of the client?
- Is the invoice for services that appear odd or from an unknown party?
- Does the email request use any links or downloads such as an invoice or software? Always go to the main website and make payment from there as the link could be malicious. Any download may contain malicious software that will endanger your firm such as ransomware or can even spy on you.
Always confirm actions with the customer, using the details your firm has of the actions that are required to be undertaken. If you have any red flags then your IT department or provider needs to be informed and the email checked out.
Also beware that you may also be subject to telephone (Vishing) or SMS (Smishing) fraud attempts that will also seek to make you undertake an action or provide personal or business details in the same manner as with Phishing.Always call the customer back on the details that your firm has and confirm with them any requested action. Rather than seeing this as a hassle customers will be impressed that you are so diligent and have good security, it will reassure them that you are the firm to be with and that you are proactive in protecting them and their data and assets. It may also alert them to the fact that they have already been hacked and can take appropriate action to minimise any loss.
Reporting of these attacks.
These attacks must be reported to the Compliance and MLRO team and onwards after assessment to the Board.The Board is accountable for the safety of the firms clients and client data and must be seen to be ensuring that it has considered the risks posed, put in place effective mitigation, appropriate systems and controls. This assessment must be reassessed after an attempted fraud and consideration of appropriate actions undertaken. Does this change the risk profile of the firm in anyway? Is there any further mitigation that can be done to protect the firm and its customers? Remember the Regulator will be looking for documentary evidence of consideration whether there has been an attack or not and certainly on their onsite visits.
Compliance and MLRO teams with the IT department or service provider need to collate the data, assess the threat and any further systems or controls that may be required to be considered by the Board and implemented. They need to consider if this is just a random attack, or whether it is targeted, is there a specific group of customers this affects? This information with any recommendation needs to be provided to the Board. Consideration must be given to the threat and may also require the of warning, training or refreshing of the firms employees to the risks and the policies, procedures and the controls that must be followed.
Fraudsters can be identified from the details that they provide to you, be it a phone number, email address or website URL. This being the case they must be reported to the Fraud or Financial Intelligence Unit as you would with a normal Suspicious Activity Report, if you are unsure give the Police or the Financial Intelligence Unit a call, they are there to assist you and help you. This also allows them to collect the data and establish if the jurisdiction, specific firms or a set of clients is being targeted, allowing them to warn industry and protect clients of the jurisdiction. Financial Intelligence Units have a wealth of good advice on there websites for the prevention and detection as well as the dealing with fraud.
- Don’t open email from unknown senders and take time to assess an email for red flags that it may contain malicious software or attachments or a fraud attempt.
- Undertake callbacks using the customer details the firm has collated to confirm any actions.
- Don’t undertake actions or give out personal data or business data to anyone who is unknown no matter how much they pressure you.
- Contact your IT department, service provider and/or compliance department if you have any concerns, links or requests to download documents or software.
- If it is found to be fraudulent or malicious report it to your compliance and MLRO departments.
Don’t be pressured by emails, phone calls, SMS’s and time pressures in to undertaking an action in haste only to repent at leisure.