Keep your company protected from cyber crime

Social Engineering & Phishing Attacks

1. Employee Security Awareness & Training Policy

  • Conduct mandatory phishing awareness training for all employees.
  • Perform regular phishing simulations to test employee responses.
  • Teach employees to identify red flags (e.g., urgent language, unexpected attachments, spoofed email addresses).
  • Encourage a culture of security where employees report suspicious messages.

2. Email Security & Phishing Protection Policy

  • Enforce email filtering and scanning to block phishing emails.
  • Require multi-factor authentication (MFA) for email access.
  • Implement DMARC, SPF, and DKIM to prevent email spoofing.
  • Disable automatic downloading of email attachments and embedded scripts.
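Rolling out DMARC, SPF and DKIM is only effective if the published records actually enforce rather than merely monitor. The checker below is an added example, not part of the original page; it parses constructed SPF and DMARC TXT records for a hypothetical domain (`example.test`) and flags the settings that leave spoofing unblocked, beside the corrected records.

```python
# Added example (not from the original page): flag weak SPF / DMARC settings.
# The TXT records below are constructed for a hypothetical domain so the
# check runs offline; in practice they come from DNS TXT lookups of the
# domain and of _dmarc.<domain>.
import re

WEAK_RECORDS = {
    "example.test": "v=spf1 include:mail.example.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}
STRONG_RECORDS = {
    "example.test": "v=spf1 include:mail.example.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test",
}
# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return findings for an SPF record; an empty list means it is strict."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may send as this domain"]
    terms = record.split()[1:]
    findings = []
    # The trailing 'all' qualifier decides the fate of senders not listed.
    last = terms[-1].lower() if terms else "?all"
    if last in ("+all", "all", "?all"):
        findings.append(f"'{last}' does not reject unlisted senders; use '-all'")
    elif last == "~all":
        findings.append("'~all' (softfail) only tags spoofed mail; use '-all'")
    names = (re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] for t in terms)
    if sum(n in LOOKUP_MECHS for n in names) > 10:
        findings.append("more than 10 DNS lookups: receivers return permerror")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it enforces."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record: SPF/DKIM failures are not acted on"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("p=none only monitors; move to p=quarantine or p=reject")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are needed to see spoofing")
    return findings


def audit(records, domain):
    """Combine SPF and DMARC findings for one domain."""
    return check_spf(records.get(domain)) + check_dmarc(records.get("_dmarc." + domain))
```

Run `audit(WEAK_RECORDS, "example.test")` to see both weak settings reported, and the same call on `STRONG_RECORDS` returns no findings.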

3. Multi-Factor Authentication (MFA) & Access Control Policy

  • Require MFA for all sensitive accounts, including email, financial, and administrative accounts.
  • Implement role-based access control (RBAC) to limit user permissions.
  • Prohibit sharing of login credentials or storing passwords in unsecured locations.
  • Regularly audit user access rights to revoke unnecessary privileges.

4. Incident Reporting & Response Policy

  • Require employees to report suspicious emails, phone calls, or messages immediately.
  • Establish a clear response plan for phishing attempts and social engineering attacks.
  • Conduct post-incident reviews to learn from security breaches.
  • Provide a dedicated security team or hotline for reporting attacks.

5. Social Media & Public Information Policy

  • Prohibit employees from sharing sensitive work-related information online.
  • Restrict job roles and company hierarchy details from being publicly available.
  • Educate employees on social engineering tactics using LinkedIn, Facebook, and Twitter.
  • Limit employee personal details on corporate websites to reduce spear-phishing risks.

6. Financial & Wire Transfer Security Policy

  • Require verbal confirmation (call-back verification) before processing wire transfers.
  • Establish dual authorization for high-value transactions.
  • Restrict email approvals for financial transactions—use secure internal portals.
  • Implement fraud detection mechanisms for unusual financial activities.

7. IT Helpdesk Verification Policy

  • Train IT and support teams to verify caller identity before assisting with password resets or account changes.
  • Implement a pre-approved employee verification method (e.g., security questions or PINs).
  • Prohibit employees from giving credentials or MFA codes over the phone or email.
  • Maintain logs of support requests to track suspicious activity.

8. USB & External Device Security Policy

  • Prohibit the use of unknown USB drives and external storage devices.
  • Require IT approval before using personal storage devices on company systems.
  • Implement endpoint security solutions to detect unauthorized devices.
  • Conduct regular scans for malware from external sources.

9. Secure Browsing & Website Verification Policy

  • Enforce web filtering to block access to malicious or phishing websites.
  • Require employees to verify secure connections (HTTPS, valid SSL certificates) before entering credentials.
  • Prohibit entering company credentials on third-party, non-corporate sites.
  • Use password managers to prevent credential reuse on fake login pages.

10. Vendor & Third-Party Security Policy

  • Require security assessments for third-party vendors handling company data.
  • Establish secure communication channels for vendor interactions.
  • Prohibit sharing of sensitive company data without encryption or prior approval.
  • Implement vendor access controls with time-limited or least-privilege access.