How to Prevent Phishing Scams & Keep Your Business Safe
A reactive security approach is going to leave you unequipped to handle the daily onslaught of phishing attempts.
In fact, if you run a business with many endpoints, the damage may already be done by the time you personally spot an attack. Playing catch-up with scammers isn’t going to cut it. So, what’s the alternative?
Arguably the best way to prevent phishing attacks from crippling your business is to develop a proactive security strategy. Plan to incorporate multiple layers, ranging from technology and employee training to measured caution and smart internal policies. In this chapter, I’ll give you some key techniques you can use to protect your business and secure your data.
Phishing involves a scammer attempting to deceive unsuspecting victims into voluntarily divulging sensitive information. An estimated 90% of cyberattacks begin with a phishing attempt. Here’s what you need to know about these attacks and how you can protect yourself.
Knowing the red flags of a phishing scam is a solid first step. But, if your business receives dozens of phishing messages per day, you’ll need to mount a more robust defense.
Specifically, your goal here isn’t just to spot phishing attempts. Instead, it’s to create an environment where they’re more likely to be blocked in the first place. Consider these strategies:
Implement Email Authentication Protocols
Email authentication protocols like SPF, DKIM, and DMARC work together to let receiving mail servers check whether a message that claims to come from your domain really did. SPF is a DNS record listing the servers allowed to send mail for your domain; DKIM adds a cryptographic signature to each message that receivers verify against a public key published in your DNS; DMARC tells receivers what to do when a message fails both checks (monitor only, quarantine, or reject) and where to send reports. With DMARC enforced at p=reject, scammers can no longer spoof your exact email domain to phish your customers, suppliers, or employees.
This can’t stop phishing emails that arrive from external or lookalike domains (one that differs from yours by a character) or that only spoof the display name, and it protects you only to the extent that the receiving side actually checks. Have your own mail gateway enforce SPF and DMARC on inbound mail as well. Within those limits, it can help thwart some of the most devastating “whaling,” CEO fraud, and business email compromise (BEC) scams, which lean heavily on impersonating your executives’ real addresses.
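The records above are only as good as their settings, so here is an added example (not code from the original article) that audits SPF and DMARC TXT record strings for the weaknesses that leave a domain spoofable: an SPF record ending in ?all or ~all, more than the ten DNS lookups RFC 7208 permits, a DMARC policy still at p=none, a pct below 100, sp=none reopening subdomains, and no rua address for reports. The record strings at the bottom are constructed for illustration; DKIM is not checked here because it needs the message signature, not just DNS.

```python
"""Audit SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example; not code from the original article. The record strings at the
bottom are constructed for illustration. In practice, fetch the live records
with `dig TXT example.com` and `dig TXT _dmarc.example.com`.
"""
import re

# SPF terms that each consume one of the 10 DNS lookups permitted per record
# (RFC 7208 section 4.6.4). Exceeding the limit yields a permerror and the
# record stops protecting the domain.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> dict:
    """Return the 'all' qualifier, lookup count and a list of findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record (missing v=spf1)"]}
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # Split an optional qualifier (+ - ~ ?) from the mechanism/modifier name.
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    findings = []
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host pass SPF; use -all")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail; receivers may still deliver; prefer -all")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return {"valid": True, "all": all_qualifier, "lookups": lookups, "findings": findings}


def audit_dmarc(record: str) -> dict:
    """Return the policy, pct and a list of findings for a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "findings": ["not a DMARC record (missing v=DMARC1)"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine; move to p=reject once aggregate reports are clean")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    # Subdomain policy defaults to p=; an explicit sp=none reopens subdomains.
    if tags.get("sp", policy).lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


# Constructed records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net include:mail.example.org a mx ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, audit_spf),
                           ("strong SPF", STRONG_SPF, audit_spf),
                           ("weak DMARC", WEAK_DMARC, audit_dmarc),
                           ("strong DMARC", STRONG_DMARC, audit_dmarc)):
        result = fn(rec)
        print(label, "->", result["findings"] or ["no findings"])
```

Run it against the records you actually publish: the usual path is to start at p=none with a rua address, fix every legitimate sender that shows up failing in the aggregate reports, then move to p=quarantine and finally p=reject.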
Conduct Routine, Unannounced Phishing Simulations
You should already have mandatory, standard fraud awareness training in place. But, you can also use regular phishing simulations to put this training to the test.
Run unannounced, controlled phishing simulations that mimic the attacks your workers are actually likely to encounter, such as a fake invoice, a password-reset notice, or a “supplier” asking to change bank details. Don’t make the tests easy, either: to accomplish your goals, tests must be difficult and realistic. Tracking who falls for the simulated attack, and who reports the message, enables you to provide targeted follow-up training to those who need it most. Measure the report rate alongside the click rate; a rising report rate is the clearest sign the training is working.
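Scoring a campaign is where most simulation programs get sloppy, so here is an added example (not code from the original article) that turns a per-recipient event log into outcomes, click and report rates, and a prioritised follow-up list. The event log and user names are constructed; a real simulation tool exports similar events. A user who clicked and then reported is still scheduled for follow-up, but the report is recorded separately because it is the behaviour you want to reinforce.

```python
"""Score a phishing-simulation campaign: who clicked, who reported, who needs follow-up.

Added example; not code from the original article. The event log below is
constructed; a real campaign tool exports similar per-recipient events.
"""
from collections import defaultdict

# Constructed event log, in chronological order: (user, action).
# Actions: sent, opened, clicked, submitted (entered credentials), reported.
EVENTS = [
    ("alice", "sent"), ("bob", "sent"), ("carol", "sent"),
    ("dave", "sent"), ("erin", "sent"),
    ("alice", "opened"), ("alice", "reported"),
    ("bob", "opened"), ("bob", "clicked"),
    ("carol", "opened"), ("carol", "clicked"), ("carol", "submitted"),
    ("dave", "opened"), ("dave", "clicked"), ("dave", "reported"),
]

# Worst action wins: submitting credentials outranks clicking, which outranks
# reporting or ignoring the message.
OUTCOME_ORDER = ("submitted", "clicked", "reported", "ignored")


def score(events):
    """Return {user: {"outcome": str, "reported": bool}} for every recipient."""
    actions = defaultdict(set)
    for user, action in events:
        actions[user].add(action)
    results = {}
    for user, acts in actions.items():
        outcome = next((o for o in OUTCOME_ORDER if o in acts), "ignored")
        # A user who clicked and then reported still fell for the lure, but
        # the report is the behaviour to reinforce, so keep it as its own flag.
        results[user] = {"outcome": outcome, "reported": "reported" in acts}
    return results


def metrics(results):
    """Click rate and report rate over all recipients (ignoring counts as a recipient)."""
    n = len(results)
    fell = sum(1 for r in results.values() if r["outcome"] in ("submitted", "clicked"))
    reported = sum(1 for r in results.values() if r["reported"])
    return {"recipients": n, "click_rate": fell / n, "report_rate": reported / n}


def follow_up(results):
    """Users for targeted training, worst outcome first, then alphabetical."""
    need = [u for u, r in results.items() if r["outcome"] in ("submitted", "clicked")]
    return sorted(need, key=lambda u: (OUTCOME_ORDER.index(results[u]["outcome"]), u))


if __name__ == "__main__":
    results = score(EVENTS)
    for user in sorted(results):
        print(user, results[user])
    print(metrics(results))
    print("follow-up:", follow_up(results))
```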
Approach Security with a “Zero-Trust” Mindset
The traditional IT security model consists of a stringent outer shell to stop attacks from outside, while internal users are usually trusted. A “zero-trust” approach assumes that threats can come from anywhere, both inside and outside your network.
In practice, this “never trust, always verify” approach means authenticating every user and checking every device on each access to sensitive information, rather than trusting a session because it originated inside the office network. In a similar vein, segmenting your network and enforcing least-privilege access controls help contain damage even when one part of your system is compromised.
As a merchant, you regularly interface with critical payment systems containing valuable financial information. Your banking and payments stack is the centerpiece of your operation, so access here should be restricted to as few people as possible.
Designate a single computer (or a small set of hardened computers) exclusively for initiating wires, accessing your payment processor dashboard, and logging into online banking. Do not pay bills, record transactions, or monitor analytics anywhere else, and keep everyday email and web browsing off that machine. Set up multi-factor authentication for each of these accounts, preferably a phishing-resistant method such as a FIDO2 hardware security key rather than SMS or one-time codes, which an attacker can relay through a real-time phishing proxy. A rejected or unexpected MFA prompt then becomes a signal that a password has been stolen and a login attempted from somewhere else.
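The two ideas above, per-request verification and a dedicated finance machine, come together in one access decision. The following is an added example (not code from the original article) of a deny-by-default policy check for a merchant’s payment stack: the user must be authorised for the resource, the device must be enrolled and, for banking and processor access, be one of the dedicated workstations, and MFA must have been completed recently on every request. The policy tables, resource names, device IDs and user names are all assumptions constructed for illustration; the “non-dedicated device” denial is the one worth alerting on, since it means valid credentials were used from the wrong machine.

```python
"""Per-request access decision for a merchant's payment stack under a zero-trust policy.

Added example; not code from the original article. The policy tables, device
names and user names are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed device inventory: only enrolled, managed devices are ever considered.
MANAGED_DEVICES = {"fin-ws-01", "fin-ws-02", "lt-0451", "lt-0452"}

# Assumed per-resource policy. "devices": None means any managed device;
# a set restricts the resource to the dedicated finance workstations.
RESOURCE_POLICY = {
    "online-banking": {"users": {"cfo", "controller"},
                       "devices": {"fin-ws-01"},
                       "mfa_max_age": timedelta(minutes=15)},
    "processor-dashboard": {"users": {"cfo", "controller", "ops-lead"},
                            "devices": {"fin-ws-01", "fin-ws-02"},
                            "mfa_max_age": timedelta(minutes=15)},
    "analytics": {"users": {"cfo", "controller", "ops-lead", "analyst"},
                  "devices": None,
                  "mfa_max_age": timedelta(hours=12)},
}


@dataclass
class Request:
    user: str
    device: str
    resource: str
    mfa_verified_at: Optional[datetime]  # None: no MFA completed this session
    now: datetime


def evaluate(req: Request) -> Tuple[str, str]:
    """Deny by default; every check runs on every request, whatever the network location."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return ("deny", "unknown resource")
    if req.user not in policy["users"]:
        return ("deny", "user not authorized for resource")
    if req.device not in MANAGED_DEVICES:
        return ("deny", "device not managed")
    if policy["devices"] is not None and req.device not in policy["devices"]:
        # Valid user, valid credentials, wrong machine: the case to alert on.
        return ("deny", "alert: attempt from non-dedicated device")
    if req.mfa_verified_at is None or req.now - req.mfa_verified_at > policy["mfa_max_age"]:
        # No standing trust: a login an hour ago does not authorise a wire now.
        return ("deny", "fresh MFA required")
    return ("allow", "ok")


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    samples = [
        Request("cfo", "fin-ws-01", "online-banking", now - timedelta(minutes=5), now),
        Request("cfo", "lt-0451", "online-banking", now - timedelta(minutes=5), now),
        Request("cfo", "fin-ws-01", "online-banking", now - timedelta(minutes=30), now),
        Request("analyst", "lt-0451", "analytics", now - timedelta(hours=1), now),
    ]
    for req in samples:
        decision, reason = evaluate(req)
        print(f"{req.user}@{req.device} -> {req.resource}: {decision} ({reason})")
```

Because the check is stateless and cheap, it can sit in front of every request to the banking proxy or SSO gateway; the audit trail of denials, especially the non-dedicated-device ones, is what lets you “monitor and thwart attempted logins elsewhere.”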
Develop a Phishing Incident Response Plan
Prevention reduces the number of phishing attacks that succeed; it does not bring that number to zero. You also need a clear plan of action for the moment an attack actually lands.
Your response strategy should kick in the moment an attack is identified. It should outline immediate steps: who to notify, how to isolate compromised accounts or machines, when to change passwords (and revoke active sessions and tokens, since a password change alone does not log an attacker out), how to find and remove the same message from other mailboxes, and what your communication strategy will be for affected customers or partners. Practice and rehearse the plan so that your team can respond quickly and effectively under pressure.