With increased sophistication around phishing emails, it is more important than ever to make sure your staff is properly trained on how to identify a potential fraudulent phishing email. Even for advanced users, targeted phishing emails are becoming harder to detect. To start, it is important for registered investment adviser ("RIA") firms have a cybersecurity policy in place. However, not only should a proper policy be in place, but It is imperative firms are training all staff on how to identify a phishing email to protect sensitive internal information and client data.
Here are a few common tips on how to detect a phishing email:
- Don't trust the sender display name: A common phishing tactic is to spoof the display name of the sender. When in doubt - check the email address in the header. If the sender email address does not match the display name, don’t open the email.
- The email address is valid but something looks suspicious: It's possible a client or third party vendor's email account has been compromised. Trust your instinct and if the context of the email seems a bit off or the individual has not recently emailed you be sure to exercise great caution.
- Don't click on links contained within an email: If the email contains any embedded links, hover your mouse over the link and review the website address. If the link does not match the senders URL, do not open. If you'd like to view the embedded link, simply open a new browser tab and manually search for the link in your browser.
- Check for grammatical and spelling errors: Often, a phishing email will contain a grammatical or spelling error. Be sure to carefully review the content of unsolicited or unexpected emails.
- Don't download any attachments: Often times, attached documents in phishing emails contain viruses or act as a way to deliver ransomware. Don’t ever open any email attachments you weren’t expecting. If you are expecting an attachment via email from a client or vendor, but have doubts about the email always call the client or vendor at a previously known valid phone number to confirm they actually sent an email with the attachment in question.
- Don't fall for urgent and action item subject lines: Another common phishing tactic is urgent subject lines requiring you take an immediate action. For example, "Action Immediately Required" or "Urgent: Password Needs to be Updated!"
- No personal information should be sent via email: If you receive and email requesting you enter your person credentials via email, don't. Always open a new tab browser and login directly on the site.
- Most important of all - If a mistake is made with such an email, ensure that staff is trained and comfortable immediately reporting the incident in order to contain and mitigate the potential damage.
Unfortunately, RIA firms remain a prime target for email phishing and other related cybersecurity attacks given the sensitive client information that firms may have access to. Furthermore, email phishing attempts continue to grow more targeted and sophisticated. Investment advisory firms need to recognize the risk such attacks present and actively address through proper system design and frequent staff training.