FTC Releases Guidance on How Businesses Can Respond to and Stop Phishing Scams | Practical Law

The FTC has released video and print guidance for businesses on how to respond to and prevent phishing scams.

Practical Law Legal Update w-006-7820 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 06 Mar 2017, USA (National/Federal)
On March 6, 2017, the FTC released guidance and a video advising businesses on how to respond to phishing scams that falsely use their company names in customer emails to obtain personal information.
The FTC specifically advised businesses to do the following after learning about the phishing scam:
  • Notify consumers of the scam. The FTC suggests that, as soon as possible, the business should:
    • announce the phishing scam through social media sites or by sending an email or letter to its customers;
    • warn customers to ignore suspicious emails or texts purporting to be from the company; and
    • remind customers that legitimate businesses never solicit sensitive personal information through insecure channels like email or text messages.
  • Contact law enforcement. The FTC advises that companies should:
  • Provide resources for affected consumers. Businesses should direct consumers who believe they may be victims of identity theft because of the phishing scam to:
    • the FTC's IdentityTheft.gov website; and
    • resources on the FTC's consumer information site where they can learn how to protect themselves online and avoid phishing attacks.
  • Update security practices. The FTC reminds companies to regularly update security practices to protect against phishing attacks by:
Similarly, in March 2017, the FTC released a Staff Perspective study recommending that businesses can prevent their domains from being used in phishing scams by using:
  • Domain-level email authentication, which allows receiving mail servers to verify that a message claiming to be from the business actually came from a domain authorized by the business.
  • A complementary scheme called Domain-based Message Authentication, Reporting and Conformance (DMARC) which, among other things, enables businesses to:
    • gather intelligence on how phishers and other scam artists are misusing their domains; and
    • instruct receiving email servers on how to treat unauthenticated messages that claim to be from the business's domain.
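The two controls the Staff Perspective describes are published as DNS TXT records, so an administrator can check whether a domain actually has them in a protective configuration. The script below is an added example written for this update, not code from the FTC or Practical Law; it assumes SPF as the domain-level authentication mechanism and operates on constructed sample records rather than live DNS (the domains `example.com`, `weak.example` and `missing.example` and their records are invented here). It parses a DMARC record into its tags, reads the qualifier on the SPF `all` mechanism, and reports the gaps that matter for the FTC's two goals: a DMARC `p=none` policy gives receivers no instruction on unauthenticated mail, and a missing `rua` tag means no aggregate reports on domain misuse are collected.

```python
"""Added example: assess constructed SPF and DMARC TXT records for the two
controls the FTC staff perspective describes (domain-level authentication and
a DMARC policy that reports and instructs receivers). All records below are
constructed samples, not real DNS data; SPF is assumed as the authentication
mechanism."""

# Constructed sample TXT records keyed by DNS name (not real DNS data).
SAMPLE_TXT_RECORDS = {
    # Strong: SPF hard-fails unlisted senders, DMARC rejects and collects reports.
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
    ],
    # Weak: SPF passes any host, DMARC only monitors and requests no reports.
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    # "missing.example" has no records at all.
}


def parse_dmarc(record):
    """Split a DMARC record like 'v=DMARC1; p=reject; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~' or '?'),
    or None if the record has no 'all' term (which defaults to neutral)."""
    for term in record.split()[1:]:
        qualifier, mech = term[0], term[1:]
        if qualifier not in "+-~?":
            qualifier, mech = "+", term  # no explicit qualifier means '+'
        if mech.lower() == "all":
            return qualifier
    return None


def assess_domain(domain, txt_records):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []

    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: receivers cannot verify authorised senders")
    elif spf_all_qualifier(spf[0]) in ("+", "?", None):
        findings.append("SPF does not fail unlisted senders ('+all', '?all' or no 'all' term)")

    dmarc = [r for r in txt_records.get("_dmarc." + domain, [])
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: receivers get no handling instruction "
                        "and send no reports")
        return findings
    tags = parse_dmarc(dmarc[0])
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: unauthenticated mail is delivered, monitoring only")
    if "rua" not in tags:
        findings.append("DMARC has no rua tag: aggregate reports on domain misuse "
                        "are not collected")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "missing.example"):
        print(name, "->", assess_domain(name, SAMPLE_TXT_RECORDS) or ["ok"])
```

To run this against a live domain, replace `SAMPLE_TXT_RECORDS` with the TXT answers from a DNS lookup for the domain and for `_dmarc.` followed by the domain; the assessment logic is unchanged.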
These recent pronouncements may signal the FTC's interest in enforcement against businesses that fail to take reasonable security measures to protect against phishing scams.