01. FUNDAMENTAL PRINCIPLES
Zero Tolerance: Any impersonation of the company or its contacts is prohibited. Any fraudulent activity will be investigated and, where appropriate, reported to authorities (including the Florida Department of Legal Affairs under Chapter 668 of the Florida Statutes).
Always Verify: Any atypical request (urgent payment changes, sending credentials, unexpected attachments) must be confirmed through an alternative, verified communication channel (e.g., a phone call to a known number).
Shared Responsibility: Security is an obligation of every member of the organization; customers are also encouraged to report suspicious communications.
02. MANDATORY TECHNICAL CONTROLS
Email Authentication: All corporate domains (carvisionpro.com, etc.) must implement SPF, DKIM (2048-bit keys), and DMARC with a reject or quarantine policy (p=reject or p=quarantine) applied to 100% of mail. Adoption of BIMI will be evaluated.
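A check for the DMARC requirement above, as an added example that is not part of the policy or of any carvisionpro.com tooling: it parses a published DMARC TXT record (RFC 7489 tag=value syntax) and reports whether the record enforces p=reject or p=quarantine on 100% of mail, covers subdomains, and requests the aggregate reports the authentication KPI in section 05 depends on. The sample records and the example.com reporting address are constructed; in practice the input is the TXT record fetched from `_dmarc.<domain>`.

```python
"""Check a DMARC record against the policy requirements stated above.

Added example, not part of the original policy. Parses the DMARC TXT record
format (tag=value pairs separated by ';') and reports findings for anything
weaker than: p=reject or p=quarantine, pct=100 (or absent, which defaults to
100), an enforcing sp= if one is set, and a rua= address for aggregate reports.
Sample records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ENFORCING = ("reject", "quarantine")


@dataclass
class DmarcCheck:
    compliant: bool
    findings: list[str] = field(default_factory=list)
    tags: dict[str, str] = field(default_factory=dict)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}.

    Tag names are lower-cased (they are case-insensitive); values keep their case.
    Empty segments (e.g. a trailing ';') are ignored; a segment without '=' is malformed.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> DmarcCheck:
    """Return whether the record meets the policy, with one finding per gap."""
    findings: list[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcCheck(False, [str(exc)])

    # Receivers ignore the whole record unless the version tag is exactly DMARC1.
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v= tag (must be v=DMARC1); receivers will ignore the record")

    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy.lower() not in ENFORCING:
        findings.append(f"p={policy} is not an enforcing policy (need reject or quarantine)")

    # pct defaults to 100 when absent; anything lower applies the policy to a sample only.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        findings.append(f"pct={pct_raw} is not an integer in 0..100")
    elif int(pct_raw) != 100:
        findings.append(f"pct={pct_raw}: policy applied to only {pct_raw}% of mail, requirement is 100%")

    # sp= governs subdomains; when absent it inherits p, when present it must also enforce.
    sub = tags.get("sp")
    if sub is not None and sub.lower() not in ENFORCING:
        findings.append(f"sp={sub} leaves subdomains unenforced")

    # Without rua= no aggregate reports arrive, so the authenticated-mail KPI cannot be measured.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports for the authenticated-mail KPI will not be received")

    return DmarcCheck(not findings, findings, tags)


# Constructed sample records (example.com is a placeholder reporting domain).
SAMPLE_RECORDS = {
    "compliant": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=30; rua=mailto:dmarc-reports@example.com",
    "weak_subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = check_dmarc(rec)
        print(f"{name}: {'OK' if result.compliant else 'NON-COMPLIANT'}")
        for finding in result.findings:
            print(f"  - {finding}")
```

The check is deliberately stricter than what mail receivers require: a record with p=none or pct=30 is valid DMARC, but it does not satisfy the control as written, so it is reported as a gap rather than accepted.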
Multi-Factor Authentication (MFA): Phishing-resistant MFA (e.g., FIDO2/WebAuthn) is mandatory for access to corporate email, ERP/CRM (Odoo), website administration panels, and the payment gateway (in compliance with PCI DSS 4.0).
Web Browsing and Content Protection: Advanced URL and attachment filtering will be implemented, external emails will be clearly marked ([EXTERNAL] in the subject or body), and, where necessary, remote browser isolation will be used for high-risk links.
E-commerce Security: A controlled inventory of third-party scripts on the website will be maintained, in accordance with PCI DSS 4.0 requirements 6.4.3 and 11.6.1.
Access Management: The principle of least privilege will be applied, with quarterly access reviews on all platforms.
03. AWARENESS AND TRAINING
A continuous program will be run, including:
- New employee induction on phishing risks and reporting procedures.
- Mandatory annual training for all staff.
- Monthly "nudge" reminders with recent threat examples.
- Quarterly phishing simulations segmented by role (e.g., vendor fraud simulations for finance; credential theft simulations for customer service).
The following will be measured and reported:
- Click rate on simulations.
- Incident reporting rate (suspicious emails reported).
- Average response time to a real incident.
04. INCIDENT RESPONSE (PLAYBOOK)
a) Report: Any employee who identifies a suspicious email or message must:
- Use the "Report Phishing" button in their email client (if available).
- Or forward it as an attachment (to preserve headers) to security@carvisionpro.com.
- Never click on links or open attachments from the suspicious message.
- For critical confirmations (bank account changes, payments), use an alternative verified channel (known phone number obtained in person or from a trusted source).
b) Contain: The security team (or designated responsible person) will isolate affected mailboxes or endpoints, revoke active sessions, and block malicious domains/URLs in email and DNS filters.
c) Eradicate and Recover: Compromised credentials will be reset, DKIM keys rotated if necessary, malicious messages purged from mailboxes, and security hygiene performed on endpoints (antivirus scans, deletion of temporary files).
d) Learn: Each incident will generate a post-mortem analysis to adjust technical rules, update training, and improve processes. Lessons learned will be incorporated into upcoming simulations.
05. METRICS AND COMPLIANCE
Key KPIs:
- Percentage of authenticated email (successful SPF/DKIM/DMARC).
- MFA adoption rate on critical accounts (100% target).
- Phishing reporting rate (reported emails / malicious emails detected by filters).
- Mean Time to Contain (MTTC) from detection to containment.
Review: This policy and its effectiveness will be reviewed semi-annually as part of the Information Security Management System (ISMS) based on ISO 27001:2022. Simulation results and metrics will be presented to senior management.
06. CONTACT INFORMATION
Contact for phishing reports:
Email: security@carvisionpro.com
(Customers may also report impersonations to this address)
Updates: This policy may be updated periodically. The current version is published at www.carvisionpro.com/legal/anti-phishing.