Consisting of four basic strategies and two best practices, the framework could serve as a checklist for firms lacking cyber expertise

The basic recommended actions are:

  • Collect and share intelligence: Gather actionable intelligence from consumers, and disseminate it across the relevant departments
  • Educate employees and customers: Develop education programs to heighten awareness of phishing tactics among both employees and customers
  • Catalog communication channels: Maintain a catalog of telephone numbers used by the institution and third-party partners to prevent spoofing
  • Leverage anti-phishing technology: Collaborate with solution providers to deploy anti-phishing solutions

The framework recommends two best practices to augment the four core actions:

  • Establish a structured reporting intake process: Design a fraud-and-phishing intake process with clear, concise questions to gather actionable intelligence while minimizing the burden on consumers
  • Build an infrastructure for incident reporting: Set up an “abuse box” infrastructure that enables consumers to report phishing attempts, resulting in the timely gathering and sharing of threat insights across internal stakeholders as well as the broader financial sector