A financial institution receives frequent and varied email requests from customers for funds to be wired out of their accounts. Which verification activity would best help the institution avoid falling victim to phishing?
A.
Reviewing the customer's wire activity to determine whether the request is typical.
B.
Calling the customer at the phone number on record to validate the request.
C.
Replying to the customer via email to validate the sender and request.
D.
Reviewing the customer record to verify whether the customer has authorized wire requests from that email address.
Phishing attacks often target financial institutions by impersonating customers and requesting fraudulent fund transfers. The best way to verify such requests is to independently contact the customer using a trusted communication channel, such as the phone number on record.
Verbal confirmation via a trusted number prevents fraudsters from exploiting email spoofing or compromised accounts.
This aligns with industry best practices, including multi-factor verification for high-risk transactions.
A. Reviewing the customer's wire activity to determine whether the request is typical. (Incorrect)
While reviewing transaction history can help detect anomalies, fraudsters can mimic previous transaction patterns, making this method unreliable on its own.
B. Calling the customer at the phone number on record to validate the request. (Correct)
Direct phone verification ensures that the actual account owner is making the request.
This is a widely recommended anti-fraud measure in financial institutions.
C. Replying to the customer via email to validate the sender and request. (Incorrect)
If the email account is compromised, the fraudster will control the response.
Email validation is not secure for financial transactions.
D. Reviewing the customer record to verify whether the customer has authorized wire requests from that email address. (Incorrect)
While this can help identify unregistered emails, attackers often spoof or hack real customer emails.
Email-based verification alone is not sufficient.
IIA GTAG 16 – Security Risk: IT and Cybersecurity recommends multi-factor authentication for high-risk financial transactions.
IIA Standard 2120 – Risk Management highlights the need for robust fraud prevention mechanisms, including direct customer verification.
FFIEC (Federal Financial Institutions Examination Council) Cybersecurity Guidelines emphasize the importance of out-of-band authentication for wire transfers.
Explanation of Answer Choices:IIA References:Thus, the correct answer is B. Calling the customer at the phone number on record to validate the request.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit