Phishing Prevention Best Practices

Purpose:

The purpose of this policy is to establish guidelines for recognizing and preventing phishing attacks within the Pitaka platform, ensuring the security of user accounts and sensitive information.

Scope:

This policy applies to all employees, contractors, and third-party users who access Pitaka systems and data.

Policy

1. Awareness and Training:

All users must receive training on identifying phishing attempts and understanding the tactics used by attackers. Regular training sessions should be conducted to reinforce awareness and provide updates on new phishing techniques.

2. Email and Communication Security:

Users should verify the sender's email address before clicking on any links or downloading attachments. Emails containing urgent requests for personal information or financial details should be treated with skepticism. Look for signs of phishing, such as poor spelling and grammar, generic greetings, and suspicious URLs.

3. Reporting Suspicious Activity:

Users are encouraged to report any suspicious emails or messages to the IT security team immediately. A designated reporting mechanism should be established to streamline the reporting process and ensure prompt investigation.

4. Multi-Factor Authentication (MFA):

Multi-Factor Authentication (MFA) must be enabled for all user accounts to add a layer of security against unauthorized access, including access gained with credentials captured by phishing. Users should be educated on the importance of MFA and how to set it up on their accounts.

5. Regular Updates and Security Patches:

All systems and software must be regularly updated to protect against vulnerabilities that could be exploited in phishing attacks. The IT team should monitor and apply security patches promptly to ensure systems remain secure.

6. Safe Browsing Practices:

Users should be trained to recognize websites that use an encrypted connection (indicated by HTTPS) and to avoid entering sensitive information on unencrypted or unfamiliar sites. HTTPS alone does not prove that a site is legitimate, since phishing sites can also use it, so the domain name should still be checked. Encouraging the use of web filtering tools to block known phishing sites can further enhance security.

7. Email Filtering and Security Tools:

Email filtering solutions should be implemented to detect and block phishing emails before they reach users' inboxes. Security tools, such as anti-virus software, must be regularly updated to detect and mitigate phishing attempts.

8. Regulatory Compliance and Audits:

This policy aligns with relevant regulations, including the Data Privacy Act of 2012 and the Cybercrime Prevention Act of 2012 in the Philippines. Regular audits should be conducted to assess compliance with this policy and the effectiveness of phishing prevention measures.

9. Policy Enforcement:

Violations of this policy may result in disciplinary actions, which may include revocation of access, termination of employment, or legal consequences, depending on the severity of the violation. The IT security team is responsible for enforcing compliance with this policy and monitoring adherence to phishing prevention best practices.