Cyber criminals are changing the way they get hold of bank account information – shifting their attention away from the banks themselves and towards phishing attacks that target customers directly.
The change is paying off, according to Financial Fraud Action UK (FFA UK), the body used by the UK financial services industry to coordinate its fraud prevention activities. In its 2016 year-end review, FFA UK wrote that the proportion of fraud that banks and card companies detected and prevented had decreased in the past year.
Banks were able to retain around £6.40 of every £10 that fraudsters attempted to take last year. In 2015, they retained £7.10 of every £10.
Phishing attacks bypass banks’ defences
The report credited criminals’ growing success to an increased use of phishing attacks, which are less susceptible to direct intervention from the bank. Criminals are sending both phishing emails and text messages (‘smishing’) to bank customers, purporting to be from brands that the majority of recipients are likely to use.
“Banks take the threat of fraud extremely seriously and continuously invest in advanced detection and verification systems to protect customers,” said FFA UK’s director, Katy Worobec. “At the same time, criminals continue in their attempts to circumvent this security by targeting customers for their personal and security information.”
In response to the growth of phishing attacks, Worobec called for more people to take note of FFA UK’s ‘Take Five’ campaign, which advises people on how to avoid falling victim to phishing scams.
It advises that users:
- Don’t feel rushed – a legitimate organisation will not pressure its customers into making decisions instantly
- Never share personal details, such as PINs and passwords
- Don’t assume an emailer or caller is genuine
- Have the confidence to refuse unusual requests for information
Train your staff to be aware of phishing attacks
While advice from organisations such as FFA UK is always helpful, it is no substitute for dedicated cyber security training and education.
Simply knowing about the threat of phishing emails is not the same as being able to put that knowledge into practice. As FFA UK’s campaign notes, 1 in 4 victims knew they’d made a mistake as soon as they’d responded to a phishing attack.
For staff to learn how to recognise and respond to a phishing email – and for that knowledge to stick with them – organisations should enrol their staff on a training course.
IT Governance offers an online Phishing Staff Awareness Course to give staff a detailed understanding of phishing emails. It provides real-life examples of phishing campaigns, as well as tips and best practices to equip them with everything they need to avoid falling victim.