Our members are experiencing a high rate of fraud attempts initiated through text messaging scams that cause the member to click a link that takes them to a lookalike domain where they enter their credentials. Outside of training for our members, does anyone have any good suggestions to help mitigate this type of fraud activity?

Security & GRC
2.1k views1 Upvote7 Comments
Sort By:
Oldest
Director, Strategic Security Initiatives in Softwarea year ago
Quarterly/Monthly TEST emails from the Security team to the company. Folks clicking on it receive extra mandatory training. Will help reduce folks clicking on such emails as they have been seeing them monthly from the company and are aware how ti identify them
1 Reply
VP of ITa year ago

We do exactly that.  The problem is, this is our customer base not our employees.  While we do provide training, there's not much we can do but provide guidance.

Co-Founder in Services (non-Government)a year ago
There are a couple of things in mind, 

1)You should investigate how the bad guys have obtained so many of your phone numbers.
2)Assuming it's a managed device (with MDM), deploy Cloud SWG/SSE to block fraudulent links.
3)Work proactively with a threat intelligence company to take down malicious domains, something like https://bfore.ai/.
1 Reply
lock icon

Please join or sign in to view more content.

By joining the Peer Community, you'll get:

  • Peer Discussions and Polls
  • One-Minute Insights
  • Connect with like-minded individuals
VP of ITa year ago

1.  It appears that our entire area code is likely being spammed.  It could also be one of the local utility providers had a leak.  We have a fairly mature incident response and vendor management program and can't seem to find any correlation between any events we're aware of and the data itself.  The trick in small, rural areas is that since all services are "the only game in town", everybody uses them.  There's not a good way to correlate.  Also, many non-customers are also affected.  There just aren't that many people in our area, so if you just start texting numbers in our area code, the chances of hitting on one of our members is about 1 in 10.
2.  Not a managed device. As these are customer devices, all we can do is recommend garden-variety mitigations through their device OS, recommend filters, etc.
3.  We do work with RSA for this.  Domain takedowns take too long.  I will look into bfore.ai.  maybe response time would be better.  Thank you for that recommendation!

VP of ITa year ago
I should clarify that these attacks are not against our org directly.  They are against our members (customers for those not in the CU space.)
Director of IT in Educationa year ago
Mandatory and regular security awareness training that covers text and email links. Also the security folks should regularly do internal exercises text, emails and also telephone calls.
IT Director in Travel and Hospitalitya year ago
I would contact all your members via email or mail to tell them how you’ll contact them and what you will ask, and what you will never ask in order to help them identify spam. Admit that fraudsters are doing this to your customers and others, and give them the tools to protect themselves- such as not clicking on the link, logging into their own account or phoning your contact centre.

A longer term solution is to get them to use your app and say you will never text them, you’ll only use notifications

Purchasing al lookalike domains is unlikely to really work

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Applications & PlatformsCloudData & Analytics+15 more
Head of Enterprise Architecture MERCK Group in Healthcare and Biotecha year ago
Strategy & Architecture
Read More Comments
39k views5 Upvotes34 Comments

What is your primary deciding factor in adopting enterprise search?

Strategy & ArchitectureCloudEnd-User Services & Collaboration+26 more

TCO19%

Pricing26%

Integrations21%

Alignment with Cloud Provider7%

Security10%

Alignment with Existing IT Skills4%

Product / Feature Set7%

Vendor Relationship / Reputation

Other (comment)

View Results
5.7k views3 Upvotes1 Comment

We are a financial services corporation looking to engage a consulting firm/vendor to help us define our corporate cyberdefense strategy and organisation, and establish a 3-year roadmap to go from individual/ independent/ varied technology solutions to corporate services, including a corporate SOC. Who would you recommend for this engagement? If you have gone through a similar journey, could you share your learnings?

Vendor/Product RecommendationFeedbackSecurity & GRC+1 more
CISO/CPO & Adjunct Law Professor in Finance (non-banking)a month ago
I don’t have an answer, but I have a question that may be helpful.  Do you have a business/product roadmap for the target timeframe?

The technology plan and associated cybersecurity program should support  business ...read more
413 views1 Comment

What methodologies or frameworks (like NIST CSF, CMMC, etc.) are you using to assess and track your cybersecurity maturity level?

Security & GRCStrategy & ArchitectureManagement Tools+6 more
Data Scientist in Consumer Goodsa year ago
we use CSF to assess and track cybersecurity maturity level
1
Read More Comments
43k views22 Upvotes61 Comments

In the age of cloud computing and remote working, is the traditional firewall dead?

CloudEnd-User Services & CollaborationEngineering+10 more

The firewall is dead46%

Long live the firewall53%

4.5k views2 Comments