What is the most common red flag in a phishing email?
Unexpected sender, suspicious links, or urgent language.
True or False: You should use the same password for work and personal accounts.
False
What type of information is considered PII (Personally Identifiable Information)?
Name, Social Security Number, address, account number, or anything that identifies an individual.
Why is locking your computer when you step away important?
To prevent unauthorized access to systems or sensitive information.
Who should you contact first if you think your computer has been hacked?
The IT/security team immediately.
If you receive a suspicious email that looks like it’s from IT, what’s the first action you should take?
Report it using the phishing report button or forward to IT/security — do not click or reply.
What is MFA and why is it important for FMFC?
Multi-Factor Authentication; it adds an extra layer of security beyond passwords to protect accounts and transactions.
What is the safest way to send sensitive customer documents, such as tax returns or bank statements, to a client?
By using secure, encrypted email or an approved secure file transfer system — never regular email.
What should you do before connecting a USB drive to your work computer?
Ensure it’s approved and scanned by IT/security — avoid unknown or personal drives.
What is ransomware and how does it impact financial institutions?
Malware that encrypts files and demands payment, potentially halting operations and risking data loss.
What’s the term for an attacker pretending to be a CEO or manager to trick staff into sending money or data?
Business Email Compromise (BEC) or CEO Fraud.
How often should you change your password if you suspect it’s been compromised?
Immediately.
Why is encrypting emails with sensitive data critical in finance?
It prevents unauthorized access to customer financial information in transit.
Why should you never install unauthorized software on your work laptop?
It could introduce malware or violate security policies.
What does the term “zero-day vulnerability” mean?
A security flaw unknown to the vendor, with no patch available yet.
Why should you never click on links in an unsolicited email, even if it looks legitimate?
They could lead to fake websites or malware downloads.
What makes a password strong — length, complexity, or both?
Both — at least 12+ characters, mixing letters, numbers, and symbols.
What should you do if you accidentally send client financial info to the wrong recipient?
Report immediately to IT/security and management — do not try to “fix it” quietly.
What is patching and why does it matter for cybersecurity?
Updating software to fix vulnerabilities that attackers could exploit.
Why is reporting a suspected phishing email — even if you didn’t click — important?
It helps IT block the threat and protect others from falling victim.
What is “spear phishing” and how does it differ from regular phishing?
Spear phishing is highly targeted at specific individuals using personal details, while regular phishing is broad and generic.
Why are password managers safer than writing down your passwords?
They securely store and generate unique, complex passwords without exposing them on paper or sticky notes.
What is DLP (Data Loss Prevention) and how does it protect financial institutions?
A technology that monitors and prevents unauthorized sharing or transfer of sensitive data.
What’s the safest way to use public Wi-Fi when accessing work systems?
Use a VPN (Virtual Private Network) to encrypt your connection.
What’s the difference between a vulnerability and a threat?
A vulnerability is a weakness in a system; a threat is something that can exploit that weakness.