Protection against Phishing Attacks for SME
Preventive Measures
1. Inform users directly (e.g. through monthly statements, leaflets, publications or websites) about the preventive measures that your organisation has implemented, e.g. that your organisation
   - will not send emails with embedded hyperlinks to websites to its users; and
   - will not ask users for personal information or account information, such as user identities or passwords, via email.
2. Keep website certificates up to date so that users are assured of the legitimacy of the websites.
3. Provide a telephone number, available at all times, for users of the websites to verify and report any suspicious email requests for information that claim to be sent by the organisation.
4. Consider registering domain names that are similar to the one currently used by the organisation, e.g. in addition to the original domain name "www.abcbank.com.hk", the domain names "www.abcbank.com", "www.abc.com" and "www.abcbank.hk" can also be registered.
5. Develop a trademark for the domain name of the organisation and register it to minimise the risk of its being misused or duplicated.
6. Strengthen the security controls of the organisation's websites, applications and email systems, e.g. using technological solutions such as SSL, two-factor authentication, digital certificates, firewalls and anti-malware solutions, and enhancing fraud monitoring or reporting mechanisms.
7. Strengthen operational controls, such as setting a lower limit on the maximum amount of transactions or fund transfers per day, or requiring pre-registration before users are authorised to perform certain types of online transactions via the Internet.
8. Educate users about the best practices that they should follow and observe when using your Internet services.
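The operational controls in item 7 (a per-day transfer cap and pre-registration of payees before a transfer is authorised) are easy to get wrong if the running total is updated before the decision is made. The following is an added illustration, not code from the original guidance: the user name, payee identifiers, the daily limit and the sequence of transactions are all constructed assumptions.

```python
"""Daily transfer limit and payee pre-registration check (added example).

Assumptions: a per-user, per-calendar-day cap; payees must be registered
out of band (e.g. at a branch or after a separate verification step)
before any transfer to them is authorised. All sample values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date


@dataclass
class TransferControls:
    daily_limit: int = 10_000  # assumed cap on the total transferred per user per day
    # user -> set of pre-registered payee account ids
    registered_payees: dict = field(default_factory=lambda: defaultdict(set))
    # (user, day) -> amount already transferred that day
    _spent: dict = field(default_factory=lambda: defaultdict(int))

    def register_payee(self, user: str, payee: str) -> None:
        """Record a payee as pre-registered for this user."""
        self.registered_payees[user].add(payee)

    def authorise(self, user: str, payee: str, amount: int, on: date) -> tuple[bool, str]:
        """Return (allowed, reason). The running total is updated only when allowed,
        so a refused request never consumes part of the user's daily limit."""
        if amount <= 0:
            return False, "invalid amount"
        if payee not in self.registered_payees[user]:
            return False, "payee not pre-registered"
        already = self._spent[(user, on)]
        if already + amount > self.daily_limit:
            return False, f"daily limit exceeded ({already} + {amount} > {self.daily_limit})"
        self._spent[(user, on)] = already + amount
        return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Constructed sequence: a registered payee, a limit breach, an unregistered
    payee, then a transfer that exactly fills the remaining daily allowance."""
    controls = TransferControls(daily_limit=10_000)
    controls.register_payee("alice", "HK-ACCT-0001")  # constructed identifiers
    day = date(2024, 1, 15)
    return [
        controls.authorise("alice", "HK-ACCT-0001", 6_000, day),  # allowed
        controls.authorise("alice", "HK-ACCT-0001", 5_000, day),  # refused: 6000 + 5000 > 10000
        controls.authorise("alice", "HK-ACCT-9999", 100, day),    # refused: payee not pre-registered
        controls.authorise("alice", "HK-ACCT-0001", 4_000, day),  # allowed: total is now 10000
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "REFUSE", reason)
```

Keying the running total by calendar day means the limit resets at midnight; a production system would also want the check and the update to happen atomically under a per-user lock or database transaction, so two concurrent requests cannot both pass the limit check before either total is recorded.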
Detective Measures
1. Monitor the Internet for fraudulent variations of your organisation's name, trademark, seal or website address.
2. Monitor the Internet for phishing emails related to your organisation.
3. Monitor the websites of your organisation for any suspicious activities.
4. Identify and notify management of any reports of suspicious activities on websites or of phishing emails.
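Detective measures 1 and 2 above, together with preventive measures 1 and 4, can be backed by a small watch list and triage routine: generate the lookalike variants of the organisation's own domains that are worth monitoring, then check a reported email against the organisation's published policy (no embedded hyperlinks, no credential requests by email) and against that watch list. The code below is an added example and not from the original page; the domain "abcbank.com.hk" and its variants come from the page's own example, while the homoglyph table, the keyword list and the two sample emails are constructed assumptions.

```python
"""Lookalike-domain watch list and phishing email triage (added example).

Assumptions: ORG_DOMAINS are the organisation's registered domains (taken
from the page's example); the sample messages below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAINS = {"abcbank.com.hk", "abcbank.com", "abcbank.hk"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# assumed keywords that a legitimate notice from the organisation would never ask for
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin|user ?id|login)\b", re.I)


def lookalike_domains(domain: str) -> set[str]:
    """Small generator of lookalike variants of a domain, for a monitoring watch
    list: one character omitted, adjacent characters swapped, a digit homoglyph
    substituted, or a hyphen inserted. Deliberately not exhaustive."""
    label, _, suffix = domain.partition(".")
    homoglyphs = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}  # assumed table
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                                   # omission
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])     # adjacent swap
        if label[i] in homoglyphs:
            variants.add(label[:i] + homoglyphs[label[i]] + label[i + 1:])        # homoglyph
        if i > 0:
            variants.add(label[:i] + "-" + label[i:])                             # inserted hyphen
    variants.discard(label)
    return {f"{v}.{suffix}" for v in variants if v}


def triage(raw_message: str, org_domains: set[str]) -> dict:
    """Flag an email that presents itself as coming from the organisation but
    breaks the published policy or is sent from a lookalike domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    watch = set().union(*(lookalike_domains(d) for d in org_domains))
    link_hosts = {h.lower() for h in URL_RE.findall(text)}
    # Does the message claim to be from the organisation? Either the sender domain
    # is ours, or the organisation's name appears in the From header (spaces and
    # punctuation stripped, so "ABC Bank" still matches "abcbank").
    org_labels = {d.split(".")[0] for d in org_domains}
    header_norm = re.sub(r"[^a-z0-9]", "", (display_name + addr).lower())
    claims_org = sender_domain in org_domains or any(l in header_norm for l in org_labels)

    findings = []
    if sender_domain in watch:
        findings.append(f"sender domain {sender_domain} is a lookalike of an organisation domain")
    if claims_org and link_hosts:
        findings.append("embedded hyperlink(s) despite no-hyperlink policy: " + ", ".join(sorted(link_hosts)))
    if claims_org and CREDENTIAL_RE.search(text):
        findings.append("asks for credentials by email despite policy")
    return {"sender_domain": sender_domain, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: ABC Bank Security <alerts@abc-bank.com.hk>
To: customer@example.com
Subject: Urgent: verify your account
Content-Type: text/plain; charset="utf-8"

Dear customer, your account has been locked. Please confirm your user ID and password
at http://abc-bank.com.hk/verify within 24 hours.
"""

SAMPLE_LEGIT = """\
From: ABC Bank <notice@abcbank.com.hk>
To: customer@example.com
Subject: Monthly statement
Content-Type: text/plain; charset="utf-8"

Your monthly statement is ready. Call our hotline to verify this notice.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(triage(sample, ORG_DOMAINS))
```

The watch list is what a monitoring job would compare against newly observed sender domains, certificate transparency entries or DNS registrations; the triage function is what a helpdesk could run over an email forwarded by a user under detective measure 4 before escalating to management. Because the policy in preventive measure 1 is stated publicly, any message that breaks it while claiming to be from the organisation is suspicious regardless of how convincing it looks.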
Responsive Measures
1. Promptly issue alerts to users, related parties or even the public, through press releases, the website or postal mail, about the fraudulent website, and warn them not to respond to suspicious or phishing emails.
2. Report the suspicious website to the police and relevant organisations such as the Hong Kong Monetary Association.
3. Advise users who suspect they have been defrauded to change their passwords immediately and to contact the organisation or report to the police as soon as possible.
4. Issue alerts to staff, administrators or service providers of the organisation's website to strengthen security measures and to watch out for any suspicious activities.
5. Stop further use of a secret code or device immediately when its loss, theft or possible compromise is reported.