Every month, we host a Fraud Briefing webinar where our CEO, Tom Cronkright, discusses the latest fraud trends, security best practices, and ways to protect your company and customers.

Register for future webinars here.

In this article, we are going to answer 5 questions that were asked during the Q&A after the Phishing: Stop Fraud before it Starts Webinar.  You can watch the full Phishing Webinar here.

What are other strategies for training employees on phishing?

I think it’s important to use live examples that are coming into the company, that really personalizes it with staff. You can actually hire third parties that will conduct periodic but unannounced phishing exercises and you can get a broader sampling of what tactics your employees fall for. You can proactively phish your people and then use the results as an example to train around some things. Corporate e-mails, attachments, personal stuff.

One of our employees fell for a phishing email. Now our clients are receiving fake emails from her.  We've told them it was fake, but is there anything else we can do to ease their fears?

Well, you’re either hacked or spoofed. If you’re spoofed, it’s a great indication that you haven’t been hacked. The first thing that you do is explain to the customer, “Let’s look at where the e-mail is coming from. It’s not coming from my domain. They registered a domain that was close to our domain, like the international.paypal.com. It’s not paypal.com. I’m being spoofed." If I was hacked and my e-mail was compromised, it would have come directly from that e-mail. That typically puts them at ease.

But if you’re ever concerned about actually being hacked, get your IT team involved. Or you can have a third party do forensic analysis and see if you've been compromised. See if anyone is in the network right now controlling sessions. Spoof means not hacked. You can’t control if somebody’s spoofing you, and a lot of times, you don’t know it’s taking place when it is.

What email filter company do you use?

MimeCast. They’re one of the leading ones. It’s highly configurable, and it has worked fantastic. There are others out there, but I would suggest them or one of their competitors. They have a consortium effect that you’re able to benefit from others that pour in and say, “Hey, this is fraudulent, or let’s flag this, or don’t accept it,” then it likely won’t hit the servers of other companies that are subscribers.

Are there potential issues with answering spam phone calls?

Not in the sense that they can embed something into your device, and then take it over or malware or anything like that, because that’s a voice call. What they’re really trying to do is disarm you.

If I’m a fraudster and I’m trying to fraud Brent, I say, “Hey, Brent. This is Tom from ABC Title, we got the upcoming closing and I just wanted to let you know that I’m about to send you the wiring information, and I just want to know if you’re by your computer or your phone where you can confirm that you received this e-mail. Oh, by the way, there’s a lot of fraud going on, so you need to make sure that these are the ones. You can’t trust anything else no matter where they come from. Does that make sense?” “Yeah, that makes sense.” “Okay, here they come.” They’re meant to disarm.

2FA adds extra steps to a login process, what would you say to someone who says two-factor authentication is too cumbersome?

Here’s what I would say. Let me explain to you what’s cumbersome. You lose a couple hundred thousand dollars, you have to sue civilly to get it back. What I would say to those is if it’s too cumbersome to download an app that allows them to streamline multi-factor authentication. Or it’s too inconvenient at the soccer field to put in a four or six-digit code before they get into Facebook then the alternative I would argue is just a matter of time. They’re going to experience the contra and that’s what happens when accounts are taken over.

And you know what guys? This is the industry standard. So I don’t see it as a this or that. I see it as you have to do it and if you don’t you’re going to get absolutely hammered if somebody loses funds. Cumbersome or not, technology has come a long way and it’s a lot easier to use nowadays. We're actually starting to see some of this become required in regulations as well or even criteria for certification.