Phishing Awareness and Reporting

Last reviewed: 2025-12-15
Owner: IT Security Team

Overview

Phishing remains the most common attack vector used against financial institutions. Attackers use deceptive emails, text messages, and phone calls to trick employees into revealing sensitive information, clicking malicious links, or transferring funds. Every Global Bank employee has a responsibility to remain vigilant and report suspicious communications immediately.

Policy Reference: IT-SEC-002
Applies To: All employees, contractors, and third-party users

Types of Phishing Attacks

Type | Description | Example
Email phishing | Mass emails impersonating legitimate organisations | Fake Microsoft 365 login page
Spear phishing | Targeted emails directed at specific individuals or roles | Email appearing to be from your CEO requesting urgent action
Whaling | Spear phishing targeting senior executives | Fake board communication requesting wire transfer
Smishing | Phishing via SMS text messages | Text message claiming to be from IT asking you to verify your account
Vishing | Phishing via voice calls | Caller impersonating IT Service Desk requesting your password
Business Email Compromise (BEC) | Compromised or spoofed executive email used for fraudulent requests | Supplier payment redirection request

How to Identify a Phishing Email

Be alert to the following warning signs:

  • Urgency or threats: Messages demanding immediate action, threatening account suspension, or imposing tight deadlines.
  • Unexpected sender: Emails from people you do not normally communicate with, or from external addresses that closely resemble internal addresses (e.g., servicedesk@gl0balbank.com).
  • Generic greetings: "Dear Customer" or "Dear User" instead of your name.
  • Suspicious links: Hover over links (do not click) to check the actual URL. Look for misspellings, unusual domains, or IP addresses.
  • Unexpected attachments: Files you were not expecting, particularly .zip, .exe, .docm, or .xlsm formats.
  • Requests for credentials: No legitimate Global Bank system or staff member will ever ask for your password via email.
  • Poor grammar or formatting: While not always present, spelling errors and unusual formatting can indicate a phishing attempt.
  • Mismatched sender information: The display name says "IT Service Desk" but the email address is from an external domain.
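The warning signs above can also be expressed as checks that a mail filter or a security team's triage script applies before a message reaches an inbox. The following is an added example, not part of this policy or of any Global Bank tooling: it takes a constructed message (sender header, body text and attachment names), applies the look-alike domain, mismatched display name, urgency, credential request, suspicious link and risky attachment indicators, and returns the findings. The trusted domain, the impersonated role names and the phrase lists are assumptions chosen for illustration.

```python
"""
Added example (not part of the Global Bank policy): a heuristic checker that applies
the phishing warning signs to a constructed message. All domains, addresses and
sample messages below are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Assumed internal domain and the display names attackers commonly impersonate.
TRUSTED_DOMAINS = {"globalbank.com"}
IMPERSONATED_ROLES = ("it service desk", "it security", "service desk")

# Attachment formats the policy singles out as high risk.
RISKY_EXTENSIONS = (".zip", ".exe", ".docm", ".xlsm")

# Digits attackers swap in to produce look-alike domains (e.g. gl0balbank.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended", "urgent")
CREDENTIAL_PHRASES = ("password", "verify your account", "confirm your credentials")


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of the From: address."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """True if the domain is not trusted but becomes a trusted domain once the
    common digit-for-letter substitutions are undone (gl0balbank.com -> globalbank.com)."""
    if domain in TRUSTED_DOMAINS:
        return False
    return domain.translate(HOMOGLYPHS) in TRUSTED_DOMAINS


def check_email(msg: dict) -> list:
    """Apply the policy's warning signs to one message and return a list of findings."""
    findings = []
    display_name, _ = parseaddr(msg.get("from", ""))
    domain = sender_domain(msg.get("from", ""))
    body = msg.get("body", "")
    body_lower = body.lower()

    # Mismatched sender information: internal-sounding display name, external domain.
    if display_name.lower() in IMPERSONATED_ROLES and domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display_name}' but external domain '{domain}'")

    # Unexpected sender: a look-alike of the internal domain.
    if is_lookalike(domain):
        findings.append(f"look-alike domain '{domain}'")

    # Urgency or threats.
    if any(p in body_lower for p in URGENCY_PHRASES):
        findings.append("urgency or threat language")

    # Requests for credentials.
    if any(p in body_lower for p in CREDENTIAL_PHRASES):
        findings.append("asks for credentials")

    # Suspicious links: raw IP address hosts or hosts outside the trusted domains.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to raw IP address {host}")
        elif host not in TRUSTED_DOMAINS and not host.endswith(
            tuple("." + d for d in TRUSTED_DOMAINS)
        ):
            findings.append(f"link to external host {host}")

    # Unexpected attachments.
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")

    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = {
    "from": "IT Service Desk <servicedesk@gl0balbank.com>",
    "body": "Your account will be suspended within 24 hours. "
            "Verify your account at http://203.0.113.5/login",
    "attachments": ["invoice.zip"],
}
BENIGN = {
    "from": "Jane Smith <jane.smith@globalbank.com>",
    "body": "Minutes from today's meeting are on the intranet: "
            "https://intranet.globalbank.com/minutes",
    "attachments": ["minutes.pdf"],
}

if __name__ == "__main__":
    for label, message in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, check_email(message))
```

Run as a script, the constructed suspicious message triggers six findings (mismatched display name, look-alike domain, urgency, credential request, raw IP link and a .zip attachment) while the benign one triggers none. A real deployment would extend the phrase lists, compare domains with a proper edit-distance or confusable-character table rather than four digit substitutions, and treat the output as a triage signal rather than a verdict, since the policy itself notes that indicators such as poor grammar are not always present.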

What to Do If You Receive a Suspected Phishing Email

  1. Do not click any links or open any attachments.
  2. Do not reply to the email or forward it to colleagues.
  3. Do not enter any credentials or personal information if you have already clicked a link.
  4. Report it immediately using one of the following methods:
    • Click the Report Phishing button in Microsoft Outlook (available in the ribbon toolbar).
    • Forward the email as an attachment to phishing@globalbank.com.
    • Call the IT Security Team on Ext. 2200 if you believe the threat is urgent.
  5. Delete the email from your inbox after reporting it.

What to Do If You Clicked a Phishing Link or Provided Credentials

  1. Disconnect from the network immediately (disable Wi-Fi, unplug Ethernet cable).
  2. Call IT Security on Ext. 2200 or the 24/7 Security Hotline at +44 20 7946 0199. Do not wait.
  3. Change your password from a different, known-safe device if possible.
  4. Do not delete the email — IT Security will need it for investigation.
  5. Document what you clicked and what information you may have entered.

Simulated Phishing Exercises

The IT Security Team conducts regular simulated phishing exercises to test employee awareness. These simulations are conducted without prior notice and are designed to mimic real-world attack techniques. If you fall for a simulated phishing email, you will be directed to a brief training module. Repeated failures may result in mandatory additional security awareness training, as determined by your line manager and IT Security.

Annual Training Requirement

All employees must complete the Phishing and Social Engineering Awareness module on the Global Bank Learning Portal annually. Completion is tracked and reported to department heads. Non-completion may affect your annual compliance certification.

Contact

  • Report phishing: phishing@globalbank.com or Outlook "Report Phishing" button
  • IT Security Team: itsecurity@globalbank.com | Ext. 2200
  • 24/7 Security Hotline: +44 20 7946 0199