Sample Electronic Fraud Prevention Guidelines:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Document History


Version Date Revised By Description
1.0 1 August 2009 <Current date> Michael D. Peters <Owner's name> This version replaces any prior version.


Document Certification


Description Date Parameters
Designated document re-certification cycle in days: 30 - 90 - 180 - 365 <Select cycle>
Next document re-certification date: 1 August 2010 <Date>


Sample Electronic Fraud Prevention Guidelines

The <Your Company Name> (the "Company”) Electronic Fraud Prevention Guidelines defines objectives for establishing specific standards on the assessment and ongoing management of vulnerabilities.

The Electronic Fraud Prevention Guidelines builds on the objectives established in the Vulnerability Management Standard, and provides specific instructions and requirements for assessing and prioritizing vulnerabilities.

I. Scope

All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.

Information Assets are defined in the Asset Identification and Classification Standard.

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Risk refers to the likelihood of loss, damage, or injury to information assets. Risk is present if a threat can exploit an actual vulnerability to adversely impact a sensitive information asset.

Sensitive Information refers to information that is classified as Restricted or Confidential. Refer to the Information Classification Standard for confidentiality classification categories.

Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.

Vishing is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.

Vulnerabilities refer the weaknesses in information system and procedures including technical, organizational, procedural, administrative, or physical weaknesses.

II. Objectives

The below guidelines are to be followed when mitigating the risk brought about by the threat of Phishing and Vishing attacks against the Company:

Phishing and Vishing Detection Procedures

Phishing and Vishing take-down initiation can come from several sources. Customers as well as non-customers are encouraged to forward phishing emails or phone based Vishing attacks to the Company email address that is monitored by Information Security Incident Response team members. This email address is: abuse@yourcompany.com.

Customer Support

  • Phishing stuffers or other forms of written publications should encourage customers to be on the lookout for and report suspicious communications and obvious Phishing or Vishing activity to any Company representative who should in turn report this information to Information Security.


Third Party Support

  • Phishtank.com
  • Phonephishing.info
  • GonePhishing.org
  • Millersmiles.co.uk
  • Garwarner.blogspot.com: Gary Warner who performs malware and phishing research also sends notification to phished entities when he finds them on the web.


Vishing Takedown Procedures

Phishing phone calls usually appear to come from a well-known organization and ask for your personal information, such as credit card number, social security number, account number or password, and so forth. Usually, phone phishing attempts pretend to come from services or companies with which you do not even have anything to do.

While phishing e-mails usually tell you to click a link to a website and submit your personal information, phone-based phishing directly ask you for such information. Legitimate organizations would never request this information of you via email or phone.

  • Identification
  1. Using the caller’s phone number, perform a White Pages reverse lookup of the number:
    • Phonenumber.com/reversephone
    • Enter the phone number in the “Reverse Phone” lookup.


    • The name and service provider will be returned:
      • Make note of the name and phone number. Navigate to the service provider’s website (Google it if necessary). Search the service provider’s contact us information for their abuse contact email address. Since AT&T bought South Central Bell or Bell South, go to the AT&T website:
        • att.com
        • Email address: abuse@att.net
    • Next, compose an email like the one below being sure to BCC the FBI:


      • This process is normally sufficient. If, for some reason, the Vishing attack persists, call the legal, abuse, or support line of the service provider. Explain the attack and that the authorities have been notified. Usually, the FBI will contact the service provider directly for the information on the subscriber for their case file and direct the subscriber to take down the line, which never fails.