FS-ISAC has published Stop the Scams: A Phishing Prevention Framework for Financial Services.
The comprehensive framework aims to help financial firms counter a surge in phishing attacks, the most reported type of cybercrime worldwide. With phishing scams increasingly impacting both firms and consumers, Stop the Scams offers critical, actionable steps to help firms safeguard themselves and their customers against the financial and reputational harm caused by phishing.
Phishing scams typically involve fraudsters using email, text messages, or phone calls that mimic trusted sources, such as banks or financial firms, to steal personal and financial information. Victims of these scams may face significant financial loss, while their financial service providers may bear responsibility for reimbursing or supporting them. Recognising the need for a cohesive solution designed to help financial firms of all sizes and maturity levels reduce phishing reports, FS-ISAC’s Fraud Strategy Working Group collaborated with leading member firms to develop Stop the Scams.
FS-ISAC is a member-driven, not-for-profit organisation that advances cybersecurity and resilience in the global financial system, protecting financial institutions and the people they serve. Founded in 1999, the organisation’s real-time information-sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector’s collective security and defences. Member financial firms represent USD 100 trillion in assets in 75 countries.
The steps in the Framework have already delivered impressive results, with three major US banks reporting a reduction in text abuse incidents by over 50% shortly after implementation. The core approach consists of four essential actions:
- Collect and share intelligence: Gather actionable intelligence from consumers and disseminate it across relevant departments.
- Educate employees and customers: Develop education programs to heighten awareness of phishing tactics among both employees and customers.
- Catalogue communication channels: Maintain a catalog of telephone numbers used by the institution and third-party partners to prevent spoofing.
- Leverage anti-phishing technology: Collaborate with telecommunications providers to deploy anti-phishing solutions.
To further maximise the Framework’s effectiveness, FS-ISAC recommends two best practices:
- Establish a structured reporting intake process: Design a fraud and phishing intake process with clear, concise questions to gather actionable intelligence while minimising the burden on consumers.
- Build an abuse inbox for reporting: Set up an “abuse box” infrastructure, enabling consumers to report phishing attempts. This approach allows financial services firms to gather timely threat insights, benefiting both internal teams and the broader financial sector.
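The two practices above, together with the catalogue of legitimate telephone numbers from the core actions, fit naturally into a small intake pipeline: each report that lands in the abuse box is reduced to the numbers and domains it cites, those are checked against the institution's catalogue, and anything not in the catalogue becomes an indicator to share with internal teams and telecommunications providers, while a catalogued number or domain being cited in a reported phish is escalated as impersonation of a legitimate channel. The following is an added illustration of that idea, not code from FS-ISAC or the Stop the Scams framework; the catalogue entries, the `examplebank.test` domains, the sample reports and the `triage_report` and `aggregate` helper names are all constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical catalogue of the numbers and domains the institution and its
# third-party partners actually use for customer contact (constructed
# placeholder values, not any real institution's).
LEGITIMATE_NUMBERS = {"+15550100100", "+15550100200", "+15550100300"}
LEGITIMATE_DOMAINS = {"examplebank.test", "alerts.examplebank.test"}

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
EMAIL_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)$")


@dataclass
class IntakeRecord:
    """Structured output of one consumer report, ready to share internally."""
    channel: str
    sender: str
    indicators: list = field(default_factory=list)   # numbers/domains not in the catalogue
    escalations: list = field(default_factory=list)  # legitimate channels being impersonated


def extract_numbers(text: str) -> set:
    # Normalise every US-style number to E.164 so catalogue lookups are exact.
    return {"+1" + "".join(m.groups()) for m in PHONE_RE.finditer(text)}


def extract_domains(text: str) -> set:
    return {m.group(1).lower().rstrip(".") for m in URL_RE.finditer(text)}


def triage_report(report: dict) -> IntakeRecord:
    """Reduce one abuse-box report to shareable indicators and escalations."""
    rec = IntakeRecord(channel=report["channel"], sender=report["sender"])
    body = report["body"]

    # Numbers: the sender of an SMS plus any call-back numbers in the body.
    numbers = extract_numbers(body)
    if rec.channel == "sms":
        numbers |= extract_numbers(rec.sender)
    for number in sorted(numbers):
        if number in LEGITIMATE_NUMBERS:
            rec.escalations.append(f"catalogued number {number} cited in a reported phish")
        else:
            rec.indicators.append(number)

    # Domains: links in the body plus the claimed sender domain of an e-mail.
    domains = extract_domains(body)
    if rec.channel == "email":
        m = EMAIL_DOMAIN_RE.search(rec.sender)
        if m:
            claimed = m.group(1).lower()
            if claimed in LEGITIMATE_DOMAINS:
                rec.escalations.append(f"legitimate domain {claimed} spoofed as sender")
            else:
                domains.add(claimed)
    for domain in sorted(domains):
        if domain not in LEGITIMATE_DOMAINS:
            rec.indicators.append(domain)
    return rec


def aggregate(reports) -> Counter:
    """Count how often each indicator is reported, so repeated ones are shared first."""
    counts = Counter()
    for report in reports:
        counts.update(triage_report(report).indicators)
    return counts


# Constructed sample reports of the kind an abuse inbox might receive.
SAMPLE_REPORTS = [
    {"channel": "sms", "sender": "+1 555 010 9999",
     "body": "ExampleBank: your card is locked. Call 555-010-9999 or visit "
             "http://examplebank-secure.test/verify"},
    {"channel": "email", "sender": "alerts@examplebank.test",
     "body": "Confirm your identity at http://examplebank-secure.test/verify "
             "or call +1 (555) 010-0200."},
    {"channel": "sms", "sender": "(555) 010-8888",
     "body": "Suspicious login. Reply or visit http://examplebank-secure.test/verify"},
]

if __name__ == "__main__":
    for rec in map(triage_report, SAMPLE_REPORTS):
        print(rec)
    print(aggregate(SAMPLE_REPORTS).most_common())
```

Running the block on the three constructed reports lists the lookalike domain three times and the two unknown sender numbers once each, which is the kind of ranked indicator list a fraud team would pass to the telecommunications partners named in the fourth core action; the second report also raises two escalations, because both a catalogued number and a legitimate sender domain are being impersonated. A production intake would sit behind the structured questionnaire the first best practice describes and would handle international numbering, but the catalogue lookup and the split between "share" and "escalate" stay the same.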
“The actions in the Stop the Scams framework have been instrumental in significantly reducing phishing incidents and strengthening protections for our clients amid the fast-changing threat landscape and rapidly evolving technologies such as generative AI,” said PNC Chief Information Security Officer Susan Koski. “We hope that sharing these steps in a comprehensive framework will be a transformative step forward in the industry’s battle against these attacks.”