In one type of phishing, fraudsters impersonate your business when contacting consumers. Phishing victims think they're giving information to your company — by phone or Internet —but instead give personal or financial information to the fraudster. Imposter scams are on the rise and have surpassed identity theft as the second most common consumer complaint received by the FTC, according to recent data. The FTC recently issued a short video and press release offering tips for businesses impersonated in a phishing scam. Those tips are a good first step. But sophisticated businesses and financial institutions generally should not stop there when dealing with an expert phisher.
The Federal Trade Commission recognizes that phishing is as much a problem for businesses as it is for consumers. For businesses, the risks include loss of goodwill, damaged reputation, and financial ramifications if the consumer decides to take his or her business elsewhere. We agree. In addition, Carlton Fields' 2017 Class Action Survey reports that data privacy and security class actions will be one of the "next waves" of major litigation. With so much at risk, however, the FTC's recommendations may not always go far enough to protect these businesses' interests.
The FTC advises businesses to notify customers and law enforcement immediately if a fraudster is impersonating your business. The agency says that failing to do so could lose customer good will. But, in some cases, reacting with murky information could scare customers needlessly. It may also divert time and resources from preventing harm. Your first priority should often be understanding the real impact of the scam and taking steps to prevent actual harm. For example, if a fraudster seeks login information from your customers, focus on resetting website passwords before you focus on customer notification, or at least pursue these work streams in tandem.
In its video, the FTC recommends that in the wake of a phishing scam, companies should tell consumers to look out for emails or text messages soliciting information and remind customers that no legitimate business would solicit personal or financial information through email or text. While a useful tip for responding to a phishing scam, this message should permeate your entire online relationship with customers. An ounce of prevention is worth a pound of cure. Likewise, create in advance a hacking, phishing, or data breach plan with clear lines of responsibility and anticipated actions. If you choose to communicate about the scam with consumers, consider not only the content of the communication, but also the method — a passive message on your website, outbound emails, or a press release are options. Each option has benefits and drawbacks to consider.
The FTC recommends notifying the Internet Crime Complaint Center at ic3.gov, as well as the FTC at The FTC recommends notifying the Internet Crime Complaint Center at ic3.gov, as well as the FTC at ftc.gov/complaint. Businesses could also forward any phishing emails to the Anti-Phishing Working Group at firstname.lastname@example.org. In our view, this is a fine step so long as you have also focused on preventing consumer harm. If cybersecurity poses a significant risk to your business, it's important to know and develop in advance the government resources that most benefit your company and your customers. Establishing relationships before a crisis can net you better information sooner when an actual event occurs. Regional regulators for your industry and law enforcement cybercrime liaisons are a good place to start.
Lastly, the FTC advises that if customers give up their personal or financial information, the business should refer the customer to the federal government's resource for reporting and recovering from identity theft: identitytheft.gov. Our experience, however, is that only amateur phishers stop trying after one bite. Once a phishing incident is managed, companies victimized by cybercrime should take steps toward prevention. This may include enhancing security standards going forward, providing customers with free credit monitoring, or revamping major technology. Management debriefs to discuss lessons learned will prepare you for the next cyber crisis.
The bottom line is that the FTC's tips on responding to phishing are a good start. Businesses, especially the big fish — high-profile brands and sizable financial institutions — would be well served to incorporate those tips, along with the pointers identified above, in their cybersecurity program and incident response plans.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.