Online businesses have been lamenting phishing for decades. Phishing not only harms the direct victims, but also erodes general consumer trust, which affects all online commerce. Banks are one of the most, if not the most, attacked sectors today, and fending off those attacks is critical to maintaining trust. In this blog, we wanted to share our best practices to help you avoid becoming a victim and remain safe in cyberspace.
But first, let’s start with the numbers: Over 1.4M fake websites are created each month. Over a million phishing campaigns are launched each year. One in 25 branded emails is a phishing attack, and phishing accounts for 90% of data breaches.
Despite the industry’s best efforts to contain phishing, focusing only on technology solutions continues to fall short. Ultimately, phishing is a ‘social engineering’ exploit: it rarely takes advantage of technical vulnerabilities, but rather of the vulnerability of human nature. This isn’t to say we should stop developing technical solutions. In fact, we should press on with more fervor than ever; however, it is now clear that augmenting technical solutions with more human-focused solutions is necessary to achieve the results we hope for. Traditionally, these human-focused solutions come in the form of education. In the banking industry, employees are required to undergo Security Awareness and Education training programs, but few other industries have such requirements. Meanwhile, the general public is typically left to self-educate, and often only after they have become victims themselves.
Combating phishing, and anti-phishing education itself, is often a Byzantine process involving many steps, but following the steps below should give you high confidence that a website is legitimate:
1. Check the URL.
2. Check for security indicators.
3. Check the certificate itself.
4. Look for “Trust Marks.”
5. Check the domain using trusted third-party tools.
6. Check the domain’s “Whois” data to glean information on the domain owner.
7. Check the website to ensure there are no grammatical or spelling errors.
8. If the website has advertising, how invasive is it?
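As an added illustration of steps 1 and 2 (this is example code, not from the post or from BPI), the following Python function performs offline the URL checks a cautious reader would otherwise do by eye: the HTTPS scheme, punycode (`xn--`) labels that can render as look-alike characters, credentials hidden before an `@`, a bare IP address in place of a domain, and whether the registrable domain is one the user actually expects. The expected-domain allowlist and the small two-label suffix table are constructed assumptions.

```python
"""Offline sanity checks for a link, modelled on steps 1-2 of the checklist.
Added example; the allowlist and suffix table below are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist: the domains this user actually expects to bank with.
EXPECTED_DOMAINS = {"examplebank.bank", "examplebank.com"}
# Constructed, deliberately tiny stand-in for a public-suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) using the built-in suffix table."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def check_url(url: str) -> list[str]:
    """Return a list of findings; an empty list means the URL passed every check."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not HTTPS")
    if not host:
        findings.append("no hostname")
        return findings
    # Punycode labels can display as Unicode look-alikes of a real brand (homographs).
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized (punycode) hostname")
    # Text before '@' is userinfo, so a link can show one host and go to another.
    if parts.username or parts.password:
        findings.append("credentials embedded in URL")
    # A bare IP address is never how a regulated institution serves a login page.
    if host.replace(".", "").isdigit():
        findings.append("IP address instead of domain")
    reg = registrable_domain(host)
    if reg not in EXPECTED_DOMAINS:
        findings.append(f"registrable domain {reg!r} is not an expected domain")
        # The expected brand used as a subdomain or path of some other domain.
        brands = {d.split(".")[0] for d in EXPECTED_DOMAINS}
        if any(b in host or b in parts.path.lower() for b in brands):
            findings.append("expected brand name used on an unrelated domain (look-alike)")
    return findings
```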
Unfortunately, very few people, if anyone, are going to routinely follow each of these steps ahead of every online transaction they make.
Most reasonable people check the URL, hopefully ensure the lock icon exists and, perhaps, passively acknowledge a Trust Mark, should one be displayed. That’s it.
While human-focused solutions continue to evolve, the banking and insurance industries continuously “harden” their .com security posture through consumer protection technologies: frontend controls such as Transport Layer Security (TLS) (see Figure 2), which protects your online transactions; backend controls such as Domain-based Message Authentication, Reporting & Conformance (DMARC), which blocks fraudulent email from being delivered; and, in concert, repeated doses of consumer education through notifications and the information contained on security pages.
The industry has also developed an independent domain solution that enforces strict eligibility requirements that prevent phishers and other bad actors from acquiring these domains. Every domain in .BANK and .INSURANCE is owned and operated by an independently verified and regulated organization and uses enhanced security controls to protect the online experience.
These capabilities enhance security, but the onus is still squarely on all of us to browse safely and validate that every URL link is the one we expect. When there is any inkling of doubt or suspicion, follow the above recommendations to reduce the likelihood that you are being scammed.
Cybersecurity is a shared responsibility and each of us has a role to play to keep ourselves, our families, our associated organizations, and the global community-at-large safe online.
Fig. 1: Example of Trust Indicators
Fig. 2: Example of a TLS Secured Website
Disclaimer: The views expressed in this post are those of the author(s) and do not necessarily reflect the position of the Bank Policy Institute or its membership, and are not intended to be, and should not be construed as, legal advice of any kind.