FTC Guidance for Handling Phishing Scams that Falsely Invoke Your Business's Name
It seems to be a daily occurrence that we receive an e-mail from a company we generally recognize, requesting that we respond with personal information, including passwords, account numbers, etc. Hopefully, you have not fallen victim to such a “phishing” scam. Nonetheless, if you own or are managing a business, preventing your employees from being duped by a phishing scam is only a portion of your concern. Businesses must also be prepared to assist their customers if those customers fall victim to phishing scams in which the scammers impersonated the business. Recognizing the difficult position a business is put in when contacted by upset customers who responded to a phishing e-mail appearing to have originated from that company, the Federal Trade Commission (FTC) recently issued some helpful tips for businesses to follow in responding to such consumers, summarized below.
First, once a business becomes aware that its name is being used in a phishing scam, it should notify customers of the scam as soon as possible. The notification can be made through social media or via a letter or e-mail to customers. It is also important to remind customers that legitimate businesses would not solicit sensitive personal information using insecure channels, such as e-mail.
Second, the business should report the phishing scam to the FBI’s Internet Crime Complaint Center. The business should also encourage its customers to forward such phishing emails to the Anti-Phishing Working Group, which is an international coalition unifying the global response to cybercrime through data exchange, research, and public awareness.
Third, the business should assist customers who believe they are victims of identity theft due to the phishing scam by directing them to www.IdentityTheft.gov, where they can report and potentially recover any losses that resulted from the identity theft. The business can also direct customers to the FTC’s consumer site for additional help.
Lastly, the phishing incident should be viewed as a reminder to review and update security practices governing sensitive customer information. The methods scammers use to compromise customers’ sensitive personal information are constantly changing, and it is important for businesses to ensure their policies and practices are up-to-date.