This is an example Policy document defining an organization’s Phishing Policy. The goal is to clearly define terms and processes in a technically accessible way.

Phishing Policy


Abstract

This document defines email phishing as it applies to the organization, along with acceptable standards and incident response actions.

Phishing, ‘spear phishing’, and ‘whaling’ are social-engineering attacks intended to defraud victims of confidential information or of funds that are difficult to recover. Email is the most common vector for security breaches, including phishing attacks; however, other channels such as instant messaging (Twitter, Skype, Facebook Messenger), direct phone calls or other electronic communication are also used.

Spear phishing specifically targets employees who may have greater or more immediate access to valuable data or to funds. Common targets are HR, finance or upper management personnel.

Whaling or ‘whale phishing’ is an attack that impersonates well-known individuals in an organization, typically those in authority. Common examples are C-level staff, the comptroller or other head of finance, etc.

Typically the goal of a phishing campaign is to persuade victims to provide the attacker with information or funds such as, but not limited to:

  • Information that is valuable to sell, such as credit card or other banking details.
  • Account credentials that allow the attacker to impersonate the user, potentially to target other individuals in the organization with greater credibility.
  • Payments through services that are difficult to recover or trace, such as Western Union transfers or purchased gift cards.

Scope

This document establishes expectations around secure use of email with respect to phishing. In addition to these expectations, the process for reporting suspicious emails or communication scams is also defined here. These policies apply to all employees in the organization with access to email.

Policy Definition

The ideal course of action is to detect and prevent attacks from successfully executing. As such, we have defined the following guidelines:

  • Requests for funds to be used outside of normal business operations require verbal confirmation from the requestor. For example, if a department head requests by email that money be wired, the recipient of the email must confirm verbally with the department head before taking any action.
  • Always verify that the FROM: address contains the correct email address of the sending party. Nearly all targeted phishing attacks will attempt to spoof this field via obfuscation, typically by placing a trusted name in the display name while the actual address belongs to the attacker: <FROM: CEO of the Company (scammer@spoofedemail.com)>
  • Never send or request passwords via email for any reason, even to well-known individuals. IT personnel should be trained to never request this information via email or instant message.
  • Links in email should be avoided whenever possible. Under no circumstances should an email link from an external, unexpected message be clicked. If in doubt, visit the site manually or request help from IT to determine the message’s validity.
  • Never enter personal or confidential information into a suspicious website. Be aware of the following common warning signs:
      • Lack of https:// in the site’s URL. Any legitimate site will have a valid SSL certificate to encrypt information sent. Note that the reverse does not hold: a valid certificate only proves the connection is encrypted, not that the site is legitimate.
      • Look-alike or misspelled domain names, such as: https://gooogle.com
      • Lack of company branding. Internal sites should carry the organization’s branding so that a stock login form copied by an attacker is recognizable as a fake.
      • Misspelled words or improper grammar.
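To show how the FROM: check and the URL warning signs above can be automated for help-desk triage, here is an added Python example (not part of the original policy); the domains example-corp.com and google.com are constructed placeholders for the organization’s own mail domain and a trusted external site.

```python
import re
from urllib.parse import urlsplit
# Constructed placeholders: the organization's mail domain and sites it legitimately links to.
INTERNAL_DOMAIN = "example-corp.com"
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "google.com"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one or two edits from a trusted one is the gooogle.com pattern."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    return next((t for t in trusted if edit_distance(domain, t) <= max_edits), None)

def check_sender(from_header: str, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Warnings for a raw From: value; catches the display-name spoof quoted in the policy."""
    addrs = ADDR_RE.findall(from_header)
    if not addrs:
        return ["no routable address in From: header"]
    sender_domain = addrs[0].rpartition("@")[2].lower()
    # Whatever remains after stripping addresses and bracket/paren punctuation is the display name
    display = re.sub(r"[<>()\"]", " ", ADDR_RE.sub(" ", from_header)).strip()
    warnings = []
    if display and sender_domain != internal_domain:
        warnings.append(f"display name {display!r} but address is external domain {sender_domain}")
    imitated = lookalike_of(sender_domain)
    if imitated:
        warnings.append(f"sender domain {sender_domain} looks like {imitated}")
    return warnings

def check_url(url: str) -> list:
    """Warnings for a link: not https, or a host that imitates a trusted domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = ["link is not https://"] if parts.scheme != "https" else []
    imitated = lookalike_of(host)
    if imitated:
        warnings.append(f"host {host} looks like {imitated}")
    return warnings
```

The display-name warning fires for every external sender that uses a display name, so it is a triage hint to combine with an allow-list of known partners, not a blocking rule.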

Reporting

  • If an email arrives that is suspected to be a phishing scam, it should be reported to the help desk via normal means (ticket via email). Once the email has been examined, the help desk may take additional actions to block future emails from the same attack or report the sender’s domain to the appropriate body.
  • Systematic targeted phishing attempts may indicate a more serious threat. Examples include multiple attack types aimed at the same individual or group of individuals, or close impersonation of specific employees across multiple targets. IT will gather and track these incidents, providing details to the appropriate risk management officer in the organization. The risk management officer will perform their due diligence to decide whether further action is required.
  • If an employee falls victim to an attack and suspects that their account or any data they are responsible for has been compromised, they must contact IT immediately. The help desk will reset their credentials as necessary and work to secure any other system access tied to the account. In the event that financial or other sensitive data was involved, the organization’s risk management officer will be involved.

We Can Help!

If you’re concerned about your communications health or security, our team of experts can help you define policy as well as execute security strategy. Please reach out, we’d love to speak with you!