Phishing. It can compromise your financial institution's (FI's) reputation, increase expenses, and result in account holders leaving. This art of psychological manipulation —of tricking people into giving out confidential information via email-is hard to protect against. It works behind your technology investments and leverages the biggest wild card in the security equation —human decision making. Humans are oddly willing to share information about ourselves. Our natural inclination to trust others can, unfortunately, be a weakness.

Fraudsters understand just how to exploit this weakness. In the past few years, phishing has become the biggest threat in the fraud landscape. According to a report from PhishMe, 91 percent of cyberattacks start with phishing. These fraudulent emails look real, containing information that fraudsters have gathered about recipients, so that opening these personalized messages is a knee-jerk reaction. With successfully phished information, fraudsters can then login to systems or use malware to steal account numbers, passwords, usernames, and social security numbers.

Phishing is hard to stop, but there are tech solutions that can help your FI "net" a fraudster. Start with a comprehensive, cloud-based solution that delivers real-time 24/7/365 monitoring and takedown of phishing websites and rogue mobile apps. Then, add different layers of control to secure your FI and account holders against fraud.

  • Authentication controls are a personal lock and key to help keep unwanted visitors out of accounts. A virtual token sent to the account holder's mobile phone or a personal physical token can be used to help authorize access. Frequently, a token will be part of a two-factor authentication process in which another only-user-known piece of information is required in the authorization process.
  • Behavior-based controls can be described as front-line security, given the task of alerting a higher authority when out-of-the-ordinary user behaviors are recognized. Require account holders to further authenticate using out-of-band tokens if a session is determined suspect based on information like login behavior and device details. Monitor and analyze transactional and user data in real time to identify and suspend suspicious transactions based on past history. With the right tools, your FI can stop fraud before it even occurs.
  • Transactional-based controls are an additional layer of security. Establish access levels, spending limits, and secondary approvals so that in the event an account holder's information is compromised through phishing, the risk can be mitigated.

While technology can greatly help in the battle against phishing, one of the best lines of defense is having informed account holders and employees. Creating a phishing assessment (i.e., social engineering testing) for your employees will generate awareness of these attacks, helping you combat fraud. Providing account holders visibility to the data around their prior sessions in their user interface also teaches them to monitor possible fraud on their own. And, in the event a fraudulent transaction occurs, having an automated dispute tracking tool will help simplify responses and fund recovery which will, ultimately, keep your customers happy.

Don't be fooled. Cybercriminals conducting phishing expeditions don't care how big or small the victim may be. It's not about the size of the FI, but the opportunity to attack. By taking a few simple steps —such as having multi-layered security integrated into your digital banking platform, educating employees, and keeping account holders informed, you can create a significantly safer digital banking experience.

Interested in learning more about fraud and how Q2 can help keep your FI and account holders secure? Check out for more information.


Written by Q2