Earlier this month it was reported that accounts of Coast Capital Savings members were compromised in a cyber attack, with criminals making away with hundreds of thousands of dollars. In this attack, many account holders fell prey to phishing, a cyber crime tactic that tricks victims into giving up sensitive information including usernames, passwords, PINs, and financial details by posing as a trustworthy entity in an electronic communication such as email or SMS text.
According to recent data, phishing has surpassed ransomware as a cyber threat and in 2019 businesses are expected to take more responsibility, even when attacks target the customer/client, and not the business itself. Some companies are asking why the onus falls on them, given that technically the fault seemingly falls on the account holder. One needs to look no further than the very same Coast Capital Savings example for the answer.
Victims of the Coast Capital Savings attack understand their own role in giving up sensitive data to cyber criminals, but they also point their fingers at the financial institution, citing negligence when it comes to safeguarding member accounts. Victims report a lack of security questions, allowance of weak passwords, and poor education on how to protect their own accounts with the institution. The concept of corporate responsibility comes into play, and this grey area can lead to serious liability headaches with damaging financial consequences. This is why it’s better to err on the side of caution and ensure that customers/clients are afforded internal cyber security safeguards and are provided with information about how they can help keep their own accounts safe.
3 Tips to Keeping Customers/Clients Safe from Phishing Schemes While Minimizing Commercial Liability
1. Tighten up account access protocol
The first thing you will need to do is enforce a more stringent password creation protocol for customer/client accounts, which provides for the following:
- Passwords must have at least six characters.
- Passwords can’t contain the account holder’s name or any part of their full name, such as a first name.
- Passwords must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
Treat six characters as an absolute floor rather than a target: length does more for password strength than character-class rules, and rejecting any password that appears in a public breach list catches the guessable choices that still satisfy the rules above.
Of course, there is a lot more to consider here. Sometimes a cyber criminal will get one important piece of information, such as the password, before the victim becomes suspicious of the electronic communication. So consider introducing 2-Factor Authentication (2FA), an extra layer of security that requires not only a username and password but also a one-time code from something only the account holder possesses, such as their phone. It must be noted that a code delivered via SMS text is not advisable, as SMS is vulnerable to interception through SIM-swap fraud and weaknesses in the carrier signalling network. Instead, set it up so that customers/clients obtain their login codes from an authenticator app such as Google Authenticator, which generates time-based codes on the device itself. One caveat: a phishing page that relays the code to the real site in real time can still defeat app-generated codes, so for the most sensitive accounts consider hardware security keys (FIDO2/WebAuthn), which are bound to the genuine site and cannot be relayed. Sound complicated? It really isn’t. In fact, Instagram offers authenticator-app 2FA to its users. If it’s suggested on a popular social network it certainly won’t be scoffed at as protocol for sensitive customer/client accounts.
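The two controls above, as an added example that is not part of the original article: a password-policy check implementing the three rules (plus a breach-list check), and a minimal RFC 6238 TOTP verifier of the kind an authenticator app pairs with. The breached-password set and the shared secret are constructed for illustration; the secret is the RFC 4226/6238 test-vector key, so the expected codes are known.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

# Constructed stand-in for a breach corpus; a real deployment would query a
# k-anonymity breach lookup or a locally mirrored list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def check_password(password: str, full_name: str) -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    lowered = password.lower()
    # Reject any token of the full name (first, middle, last) of 3+ characters.
    for part in re.split(r"\s+", full_name.strip()):
        if len(part) >= 3 and part.lower() in lowered:
            problems.append(f"contains name part '{part}'")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than 3 of 4 character classes")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in breached/common password list")
    return problems


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift).

    Compared in constant time so the check does not leak how many digits matched.
    """
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
        for d in range(-window, window + 1)
    )


# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(check_password("Jane2020!", "Jane Doe"))
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print(code, verify_totp(DEMO_SECRET, code, now))
```

A server would store one secret per account, show it to the user once as a QR code during enrolment, and then call `verify_totp` at login; the drift window of one step is the usual compromise between usability and replay exposure.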
2. Educate staff and customers/clients
Create a branded document about phishing prevention and share it with your staff and customers/clients so that both groups are educated on what phishing is, how to identify it, and how to avoid falling prey.
For starters, let all account holders know that you will never ask them to provide a password or PIN via email (traditional phishing), SMS text (SMiShing), or a phone call, whether live or automated (vishing). Beyond that, let them know to watch out for:
Shortened links – Phishers conceal the true destination of a link using common everyday URL shorteners including Bit.ly, TinyURL, Ow.ly, and more.
Unsolicited electronic communications – Emails or texts containing links that ask users to confirm/verify information or change passwords, when the recipient did not make the request in the first place.
Links with strange characters – Links that contain a muddled grouping of characters, numbers, or letters could be coming from phishers who use URL encoding, look-alike (punycode) domain names, or a legitimate brand name placed before an “@” sign or in a subdomain to hide the true destination of the link.
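The three link indicators above, as detection logic run over sample links. This is an added example, not code from the original article; the shortener list, the institution’s domain `example-bank.ca`, and the sample links are all constructed for illustration. It goes slightly beyond the text by also flagging plain-HTTP links, raw IP hosts, and a brand name placed in a domain the institution does not own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed lists for the example; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "ow.ly", "t.co", "goo.gl", "is.gd"}
OUR_DOMAINS = {"example-bank.ca"}     # assumption: the institution's genuine domain(s)
BRAND_TOKENS = {"example-bank"}       # assumption: brand strings a phisher would mimic


def is_our_host(host: str) -> bool:
    """True if the host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OUR_DOMAINS)


def triage_link(url: str) -> list[str]:
    """Return the phishing indicators triggered by a link; empty means none."""
    flags = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("not HTTPS")
    if host in SHORTENERS:
        flags.append("URL shortener hides destination")
    # "https://brand.example@evil.example/" shows the brand but lands on evil.example.
    if parts.username is not None:
        flags.append("userinfo before '@' (real host is " + host + ")")
    # Internationalised labels are encoded as xn--...; often used for look-alikes.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host (possible lookalike domain)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw IP address instead of a domain")
    # Percent-encoding that changes on decoding means the visible link was obscured.
    if unquote(url) != url:
        flags.append("percent-encoded characters obscure the path")
    if any(tok in host for tok in BRAND_TOKENS) and not is_our_host(host):
        flags.append("brand name in a domain we do not own")
    return flags


# Constructed sample links a customer might be sent.
SAMPLE_LINKS = [
    "https://example-bank.ca/login",
    "https://bit.ly/3abcXYZ",
    "http://example-bank.ca.secure-login.net/verify",
    "https://example-bank.ca@evil.example/login",
    "https://example-bank.ca/%6C%6F%67%69%6E",
    "http://192.0.2.10/secure",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", triage_link(link) or "no indicators")
```

Note that the percent-encoded sample resolves to `/login` on the genuine domain; the check flags the obfuscation itself, not the destination, which is the point customers should take away: a link that needs to hide its characters deserves a second look.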
3. Establish a reporting procedure
Another way you can help your customers and clients become more proactive in phishing prevention is to establish a voluntary and easy-to-follow reporting procedure for when they receive suspicious communications that purport to come from your business, such as a dedicated reporting address and a phone number printed on their statements.
The reason many phishing attacks are so successful is that the communication delivers an urgent call to action that customers/clients have a hard time resisting. The communication will have them thinking that they defaulted on a payment, or that their account has been compromised, causing them to respond in an effort to clean up the mess before more harm is done. But in doing so, the supposed corrective action results in the very harm they sought to prevent in the first place. By instead having a well-communicated reporting procedure in place, their first call to action will be to contact your company via a pre-verified channel rather than through the link or number in the message. This will establish the validity (or lack thereof) of the communication, and any security action can follow from there.
This process will also help your business identify threats early on and meet its obligations under the 2018 PIPEDA update: since November 1, 2018, a breach of security safeguards that poses a real risk of significant harm must be reported to the Privacy Commissioner of Canada, and the affected individuals (customers, clients, etc.) must be notified. That update also has direct implications for cyber crime liability.