It's a scenario that too many email users are familiar with: a message arrives in your inbox that appears to be from a legitimate business that you've worked with before.
Maybe the message looks like it came from your bank or, as in a recent case, an online video streaming service. It asks you to update your account information, such as a password or credit card number, and directs you to a website for that purpose. You follow the email's instructions...and then the pain begins: suspicious charges appear on your credit card, or money is withdrawn from your bank account without your permission.
Welcome to phishing. Through phishing, the bad guys impersonate legitimate entities, like government agencies and various businesses, including possibly your bank, in attempt to trick you into revealing sensitive information such as account numbers and passwords.
Phishing scams that affect consumers en masse often make headlines, but it's important to note that the scammers who go phishing don't just seek personal information directly from you — they're also on a hunt for passwords and other data about you from businesses you deal with, including your bank.
"We've always been a target because that's where the money is — that's where organized crime and other adversaries want to get access to information or credentials to try to perpetuate fraudulent transactions," said John Carlson, the chief of staff of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization of financial institutions dedicated to fighting threats against their industry.
In their efforts to combat phishing attempts, financial institutions are going beyond using just technical tools. Even with the best security measures in place, "there's always a chance that a carefully crafted email from an adversary can get through," said Greg Temm, FS-ISAC's chief information risk officer.
Increasingly, a key strategy to prevent bank employees from handing over sensitive information to phishers is to train workers to recognize phishing emails by sending phishing emails themselves.
Financial firms are hiring organizations that send fake phishing emails to the firms’ own employees, and some are even organizing so-called phishing tournaments in which employees keep score to see who correctly report the most phishing emails.
Employees who correctly identify and report phishing emails are often rewarded, perhaps with a gift card, while those who fall prey to the (fake) phishers may get a call from a security staffer who turns the mistake into a "teachable moment" to continue to educate employees about phishing, said Temm, or else be required to complete a training module about the risks of phishing.
In some cases, Temm added, employees who have a pattern of clicking on phishing emails may see that noted in their performance evaluations, but he said that firms tend to prefer rewarding employees who recognize and report phishing over punishing those who don't. The goal, he said, is "to educate the employee base to the best of your ability."
Want to learn to recognize phishing attempts in your own inbox? Here are some of FS-ISAC's tips:
Check for slight email address irregularities: Scammers like to "spoof" legitimate businesses by creating email addresses that are close to but not completely identical to a business’s real email address. An extra number or letter in an email address with the company's name in it, for instance, is a red flag.
Be wary of strange URLs: If the email encourages you to click on a website, mouse over it first without clicking. If your browser displays a URL address that's a strange combination of letters and numbers — something that real businesses would unlikely use — that's another warning sign.
Watch out for attachments with general names: Attachments sent by phishers may include malware that cripples or steals information from your computer. As damaging as those attachments are, they're often given rather general, benign-sounding names such as "resume.pdf" or "salarystatement.doc."
Take typos seriously: Sophisticated "spear phishing" scams — which target specific people and businesses— tend to avoid misspellings and the like, but less crafty scammers, especially those based abroad, are prone to spelling and grammar mistakes.
When it comes to fighting phishing and other cyber threats, financial institutions have their work cut out for them.
"It's always been a challenge to make sure you're employing the right controls to protect against threats but also to make it easy and convenient for your customers to do business," Carlson said.
Temm agreed. Email, he said, serves a critical business function, but "it's also a challenging channel to protect."
Fortunately, with the right training, individuals can take steps to protect their institutions — and themselves.