Many people, including high-ranking executive leaders, tend to let their eyes glaze over when topics like IT management and cybersecurity come to the forefront.
It’s not that they’re unconcerned – in fact, many executives rank cybersecurity as one of their top areas of concern. Instead, people throughout an organization tend to believe that protecting information is a job over their heads, one they should entrust to the IT professional.
Cybersecurity is everyone’s responsibility, from IT all the way to the person answering the phones. While there are many different ways cyber fraudsters can strike, one of the most common, low-barrier-to-entry ones is through fraudulent emails, known as phishing.
What is Phishing and How Can it Impact My Firm?
The most common form of electronic fraud occurs through phishing emails.
A phishing email is an email sent from an email address disguised to look like the email address of a client, associate, service provider, or representative of a regulatory agency.
These scams began in the early years of email and instant messaging and have continually increased in both volume and sophistication as new forms of technology and communication have emerged. In 2019 alone, Microsoft reported blocking more than 13 billion suspicious and/or malicious messages.
In most phishing emails, the sender’s email address will be very close to the actual sender’s address with some slight variation (a transposed letter, for example, or .org instead of .com).
In some instances, the sender shown in the mail client may look exactly like an official email address, but the real address is revealed when the recipient hovers over it. And sometimes a legitimate address is hijacked through a phishing scam and then used to scam more people or collect more information within the organization.
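The two sender tricks just described (a near-miss domain such as a transposed letter or a swapped top-level domain, and a display name that shows one address while the real address is another) can be checked mechanically before a person ever has to squint at the header. The following Python is an added example written for this article, not code from the original post or from any vendor; the trusted domain list and the sample headers are constructed for illustration, and a real deployment would pull the list from the firm's own contact and vendor records.

```python
"""Classify the From: header of an email as trusted, lookalike, or spoofed-display.

Added example for illustration, not code from the original article.
TRUSTED_DOMAINS and the headers used below are constructed sample data.
"""
from email.utils import parseaddr

# Constructed list of domains this firm legitimately corresponds with.
TRUSTED_DOMAINS = {"example-advisors.com", "finra.org", "custodian-example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (label, tld) for 'label.tld'; the last dotted part is treated as the tld."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify_sender(from_header: str) -> dict:
    """Return a verdict for one From: header value.

    Verdicts: 'trusted', 'display_name_mismatch', 'lookalike_domain', 'unknown'.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    result = {"address": addr, "domain": domain, "verdict": "unknown", "detail": ""}

    # 1. The display name itself contains an address whose domain differs from
    #    the real one: the "looks official until you hover over it" case.
    display_lower = display.lower()
    if "@" in display_lower:
        shown_domain = display_lower.rpartition("@")[2].strip("<> \"'")
        if shown_domain != domain:
            result["verdict"] = "display_name_mismatch"
            result["detail"] = f"display name shows {shown_domain}, actual domain is {domain}"
            return result

    # 2. Exact match against the firm's known correspondents.
    if domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result

    # 3. Near miss against a known domain: a few changed or transposed letters,
    #    or the same name under a different top-level domain (.com vs .org).
    label, tld = split_domain(domain)
    for known in TRUSTED_DOMAINS:
        k_label, k_tld = split_domain(known)
        if label == k_label and tld != k_tld:
            result["verdict"] = "lookalike_domain"
            result["detail"] = f"same name as {known} under a different top-level domain"
            return result
        if tld == k_tld and edit_distance(label, k_label) <= 2:
            result["verdict"] = "lookalike_domain"
            result["detail"] = f"within 2 edits of {known}"
            return result
    return result


if __name__ == "__main__":
    # Constructed sample headers exercising each verdict.
    for header in [
        "Jane Doe <jane.doe@example-advisors.com>",
        "Jane Doe <jane.doe@exmaple-advisors.com>",
        "FINRA Compliance <notices@finra.com>",
        '"ceo@example-advisors.com" <random123@freemail-example.net>',
    ]:
        print(classify_sender(header))
```

The edit-distance threshold of 2 catches a transposed pair or a single inserted character but will also fire on very short, genuinely different domain names, so treat the verdict as a triage signal for the recipient or the mail gateway, not as an automatic block. Subdomains of a trusted domain (for example a mail. prefix) come back as 'unknown' here; extending the exact-match step to accept them is a deliberate policy decision for the firm.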
How Can I Protect My Employees from Being Phished?
An ounce of prevention is worth a pound of cure – that old adage definitely applies to phishing scams. Teaching your people about potential scams ahead of time is the best way to ensure they won’t click on an email that purports to be an urgent message from you, a client, or a vendor.
Make sure your employees know the following:
- Never share passwords or login credentials via email. Service providers and regulatory agencies will never email a request for login credentials, a request to verify login credentials, or a request for any type of non-public or personal information.
- Avoid clicking unexpected links in emails or opening unexpected attachments. A link that looks legitimate may actually lead to a fraudulent landing page. If you’re not expecting an email message and you receive one with a link in it, consider reaching the page by typing the address into your browser instead of following the email’s hyperlink.
- Keep organizational software updated so phishing scams can’t take advantage of vulnerabilities.
- Be suspicious. Many phishing emails will just not “look right.” They may include atypical formatting, incorrect grammar, or misspelled words.
- Verify before acting. One financial institution’s HR representative received an email from the CEO requesting a spreadsheet of all employees’ personal contact information, salary, and social security numbers. The HR rep was still puzzling over this unusual message when he received two more emails in quick succession, both sounding increasingly angry and hostile over his delay in completing the request. At this point, he reached out directly to the CEO, only to learn that the CEO hadn’t requested it at all – it was a scammer trying to access hundreds of employees’ sensitive personal details in one fell swoop.
- If a suspicious email is ever received, the recipient should follow company policies and notify their IT team. The email should not be responded to or forwarded to anyone other than the firm’s IT representative.
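The "links that look accurate but lead somewhere else" point in the list above is something a mail gateway or a triage script can flag directly: when the visible text of a link is itself a URL or domain, its host can be compared with the host the href actually points to. The Python below is an added example written for this article, not code from the original post or from any product; the sample HTML body is constructed, and the only assumption is that the email body is available as HTML text.

```python
"""Flag HTML email links whose displayed URL does not match their real target.

Added example for illustration, not code from the original article.
SAMPLE_BODY is a constructed email body using example domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Lower-case hostname from a URL or a bare domain written as link text ('' if none)."""
    cleaned = text.strip().rstrip(".,;:")
    candidate = cleaned if "://" in cleaned else "https://" + cleaned
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True when the visible link text reads as a URL or domain rather than plain words."""
    stripped = text.strip()
    return "://" in stripped or (
        "." in stripped and " " not in stripped and not stripped.startswith(".")
    )


def find_deceptive_links(html_body: str) -> list:
    """Return (visible_text, real_host) for anchors whose displayed URL or domain
    does not match the host the href really goes to."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # "click here" style text gives nothing to compare against
        shown, real = host_of(text), host_of(href)
        # A subdomain of the displayed host (e.g. portal.firm.example) is allowed.
        if shown and real and shown != real and not real.endswith("." + shown):
            findings.append((text, real))
    return findings


# Constructed sample: one honest link, one whose visible text shows the firm's
# domain while the href goes to an unrelated host, and one with plain-word text.
SAMPLE_BODY = """
<p>Please review your statement at
<a href="https://portal.example-advisors.com/login">portal.example-advisors.com</a>.</p>
<p>If that fails, use
<a href="http://example-advisors.com.login-verify-example.net/x">https://example-advisors.com/secure</a></p>
<p>Or <a href="http://login-verify-example.net/y">click here</a>.</p>
"""

if __name__ == "__main__":
    for text, real in find_deceptive_links(SAMPLE_BODY):
        print(f"link text {text!r} actually goes to {real}")
```

Only links whose text is itself a URL or domain can be judged this way; a link reading "click here" is not deceptive in this sense, which is exactly why the advice in the list is to type the address into the browser rather than trust any hyperlink. The second sample link also shows the common trick of putting the genuine domain at the front of a much longer hostname, which the host comparison catches because the real host does not end in the displayed one.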
FINRA recently reported a widespread phishing scam from a sender who claimed to be a representative of FINRA. The scam used the familiar tactics of urgency (demanding immediate action) and using the name of a high-ranking professional to garner attention. Because the scam supposedly originated from FINRA, the scammers likely hoped people would respond quickly because of concerns that they or their firm might be in hot water with the regulator.
How Can I Protect My Clients?
When you’re thinking about phishing prevention, consider it from your clients’ point of view as well.
Many people have the majority of their net worth tied up in their investment accounts. If they receive an email that purports to be from your organization, they’re likely to open it and act quickly – potentially to their detriment.
As their trusted advisor, you have the opportunity to educate them through your communications, reminding them that your firm won’t share or request sensitive information through email and reminding them to verify with you if they receive a message, phone call, or other request that feels suspicious.
How Can My Organization Handle Cybersecurity Differently?
It almost goes without saying (but we’ll say it anyway) that companies should have specific and detailed written cybersecurity policies and that email security should be included in those guidelines.
Many companies choose to vest cybersecurity responsibility in a cross-functional committee rather than requiring IT to police every area of risk. This board, which should include top-level compliance professionals, can keep the organization safer by being apprised of the potential for cybersecurity breaches across the organization.
Compliance professionals contribute to these types of committees through horizon scanning, evaluating coverage and contingency plans, and playing a part in due diligence for new technologies and third-party relationships.
As we rely more and more on technology, cybersecurity will continue to grow as a corporate function and play an increasingly large role in our firms’ planning and proactive decision-making. For compliance professionals, that means another opportunity to strengthen relationships and collaboration between departments to mitigate risk, so that business can continue to flow without interruption.