Scratching the Surface: The FTC’s Phishing Tips for Victim Companies Are a Good First Step but Companies Should Not Stop There

March 13, 2017

In one type of phishing, fraudsters impersonate your business when contacting consumers. Phishing victims think they’re giving information to your company — by phone or Internet — but instead give personal or financial information to the fraudster. Imposter scams are on the rise and have surpassed identity theft as the second most common consumer complaint received by the FTC, according to recent data. The FTC recently issued a short video and press release offering tips for businesses impersonated in a phishing scam. Those tips are a good first step. But sophisticated businesses and financial institutions generally should not stop there when dealing with an expert phisher.

The Federal Trade Commission recognizes that phishing is as much a problem for businesses as it is for consumers. For businesses, the risks include loss of goodwill, damaged reputation, and financial ramifications if the consumer decides to take his or her business elsewhere. We agree. In addition, Carlton Fields’ 2017 Class Action Survey reports that data privacy and security class actions will be one of the “next waves” of major litigation. With so much at risk, however, the FTC’s recommendations may not always go far enough to protect these businesses’ interests.

The FTC advises businesses to notify customers and law enforcement immediately if a fraudster is impersonating your business. The agency says that failing to do so could lose customer goodwill. But, in some cases, reacting with murky information could scare customers needlessly. It may also divert time and resources from preventing harm. Your first priority should often be understanding the real impact of the scam and taking steps to prevent actual harm. For example, if a fraudster seeks login information from your customers, focus on resetting website passwords before you focus on customer notification, or at least pursue these work streams in tandem.

In its video, the FTC recommends that in the wake of a phishing scam, companies should tell consumers to look out for emails or text messages soliciting information and remind customers that no legitimate business would solicit personal or financial information through email or text. While a useful tip for responding to a phishing scam, this message should permeate your entire online relationship with customers. An ounce of prevention is worth a pound of cure. Likewise, create in advance a hacking, phishing, or data breach plan with clear lines of responsibility and anticipated actions. If you choose to communicate about the scam with consumers, consider not only the content of the communication, but also the method — a passive message on your website, outbound emails, or a press release are options. Each option has benefits and drawbacks to consider.

The FTC recommends notifying the Internet Crime Complaint Center, as well as the FTC. Businesses could also forward any phishing emails to the Anti-Phishing Working Group. In our view, this is a fine step so long as you have also focused on preventing consumer harm. If cybersecurity poses a significant risk to your business, it’s important to know and develop in advance the government resources that most benefit your company and your customers. Establishing relationships before a crisis can net you better information sooner when an actual event occurs. Regional regulators for your industry and law enforcement cybercrime liaisons are a good place to start.

Lastly, the FTC advises that if customers give up their personal or financial information, the business should refer the customer to the federal government’s resource for reporting and recovering from identity theft. Our experience, however, is that only amateur phishers stop trying after one bite. Once a phishing incident is managed, companies victimized by cybercrime should take steps toward prevention. This may include enhancing security standards going forward, providing customers with free credit monitoring, or revamping major technology. Management debriefs to discuss lessons learned will prepare you for the next cyber crisis.

The bottom line is that the FTC’s tips on responding to phishing are a good start. Businesses, especially the big fish — high-profile brands and sizable financial institutions — would be well served to incorporate those tips, along with the pointers identified above, in their cybersecurity program and incident response plans.
