1 / 54

Computer Fraud – “Phishing”

Computer Fraud – “Phishing”. Identity Theft in Financial Services. 6/30/04. Quotes.

kolton
Download Presentation

Computer Fraud – “Phishing”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Fraud – “Phishing” Identity Theft in Financial Services 6/30/04

  2. Quotes • “…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…” Arthur Levitt Former Chairman of the SEC

  3. Quotes • “…The Internet is a perfect medium to locate victims and provide an environment where victims do not see or speak to the “fraudsters”. Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…” • Louis J. Freeh • Former FBI Director

  4. Session Objectives • Raise awareness of threats & risks of phishing • Outline process to reduce the impact of phishing This is not a technical session.

  5. Session Outline • Phishing 101 • Risks • Trends • Examples • Action Plan Ideas • Responses & Resource Examples • Summary

  6. Phishing 101 • Internet • Connectivity • Access • Anonymity • Velocity • Software vulnerabilities

  7. Phishing 101 • Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.

  8. Phishing 101 • E-mail • Spoofed address • Convincing • Sense of urgency • Embedded link (but not always)

  9. Phishing 101 • Website • Spoofed/similar address • Spoofed look/feel • Authentication screen/pop-up window • Possible redirect to actual website

  10. Phishing 101 • Scam relies on: • Unrecognized spam • % w/ existing relationship • Ease of registering a website • Social engineering

  11. Risks • Consumer • ID Theft • Open new accounts • Fraud • Unauthorized credit card transactions • A/C withdrawals

  12. Risks • Organization Impersonated • Reputation Risk • Impression of weak security • Impression of ignorance • Inadequate education program • Inadequate response program • Negative publicity • Strategic Risk • Impact to on-line strategy (i.e. adoption/retention rates)

  13. Risks • Organization Impersonated • Transaction Risk • Fraudulent transactions • Legal Risk • Possible litigation • Operational Risk • Added cost to respond/assist consumers

  14. Trends Anti-Phishing Working GroupThe Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. APWG Members- Over 400 members- Over 250 companies- 8 of the top 10 US banks- 4 of the top 5 US ISPs- Over 100 technology vendors- Law enforcement from Australia, CA, UK, USA

  15. Trends Source: Anti-Phishing Working Group Phishing Attach Trends Report s- March 2004 & May 2004

  16. Trends Source: Anti-Phishing Working Group Phishing Attach Trends Report - May 2004

  17. Examples (June 2004) Source: Anti-Phishing Working Group Phishing Archive

  18. Examples (June 2004) Source: Anti-Phishing Working Group Phishing Archive

  19. Examples (June 2004) Source: Anti-Phishing Working Group Phishing Archive

  20. Examples (March 2004) Source: Anti-Phishing Working Group Phishing Archive

  21. Examples (March 2004) Source: Anti-Phishing Working Group Phishing Archive

  22. Examples (March 2004) Source: Anti-Phishing Working Group Phishing Archive

  23. Examples (May 2004) Source: Anti-Phishing Working Group Phishing Archive

  24. Examples (May 2004) Source: Anti-Phishing Working Group Phishing Archive

  25. Examples (May 2004) Source: Anti-Phishing Working Group Phishing Archive

  26. Examples (May 2004) Source: Anti-Phishing Working Group Phishing Archive

  27. Examples (May 2004) Source: Anti-Phishing Working Group Phishing Archive

  28. Examples (May 2004) Source: Anti-Phishing Working Group Phishing Archive

  29. Examples (FYI) • Internet Explorer browser exploit allows the URL in the web browser to be “masked”. • Users would not know by looking at the browser window that they were at a different site than indicated. • Patch issued (how many users installed?)

  30. Related Examples (July ‘03) • Twist – newspaper vs. e-mail • CU official thought suspicious (service area) • Site www.centurycredit.org mirrored www.centurycu.org (NCUA logo too) • Collected personal info. & loan app fees • Toll free # • Site shut down (GA), but ads persist

  31. Action Plan Ideas • Education • Protect on-line identity of FI • Response Plan

  32. Action Plan Ideas - Education • Self • Review resource sources* • Institution • Training / Policy Development • Awareness • Handling complaints & reports of suspicious e-mails/sites • Protect on-line identity of FI* • Response Plan* * More info. on other slides

  33. Action Plan Ideas - Education • Member / Customer • Communication Methods • Internet Banking Agreements • Newsletters • Statement Stuffers • Recordings when on “hold” • Website • Messages / FAQs / Advisories / Links to outside resources/ Current Fraud link

  34. Action Plan Ideas - Education

  35. Action Plan Ideas - Education

  36. Action Plan Ideas - Education

  37. Action Plan Ideas - Education

  38. Action Plan Ideas - Education • Member / Customer • Content • We will never ask for xxx via e-mail • We will never alert you of xxx via e-mail • Always feel free to call us at # on statement • Always type in our site URL (see statement / newsletter / previous bookmark)

  39. Action Plan Ideas - Education • Member / Customer • Content (cont’d) • Sites can be convincingly copied • Report suspicious e-mails & sites • Where to get more advice on phishing • Importance of patching • How to validate site (via cert or seal) • Where to go for ID theft help

  40. Action Plan Ideas – Protection of FI’s Online Identity • Considerations • Review related regulatory issuances, such as: • NCUA LTR 02-CU-16 Protection of CU Internet Addresses* • FFIEC Information Security Booklet* *See IS&T portion of NCUA’s website

  41. Action Plan Ideas – Protection of FI’s Online Identity • Considerations (cont’d) • Keep certificates up-to-date • Practice good domain name controls • Don’t let URLs lapse • Purchase similar URLs • Search for similar URLs

  42. Action Plan Ideas - Response • Notification Considerations • Attorney • Law Enforcement • Bonding Co. • Regulator(s) • Domain host / owner / registrar • Members / Customers

  43. Action Plan Ideas - Response • Notification Considerations (cont’d) • Press • Suspicious Activity Report • Internet Fraud Compliant Center • FTC • Industry Fraud Associations / Groups

  44. Responses & Resource Examples • NCUA (www.ncua.gov) • Specific guidance: • (8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions • (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes • (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance

  45. Responses & Resource Examples • NCUA (www.ncua.gov) • Related guidance: • (12/02) LTR 02-CU-16 Protection of CU Internet Addresses • (7/02) LTR 02-FCU-11 Tips to Safely Conduct Financial Transactions Over the Internet • (09/01) LTR 01-CU-09 Identity Theft & Pretext Calling • Working with FBI, FFIEC, SSAs, Newspaper Association • Article in NCUA News

  46. Responses & Resource Examples • FDIC (www.fdic.gov) • (03/04) FIL-27-2004 Guidance on Safeguarding Customers Against E-mail & Internet-Related Fraudulent Schemes • OTS (www.ots.gov) • (03/04) Memo – Phishing & E-mail Scams

  47. Responses & Resource Examples • OCC (www.occ.gov) • (09/03) Alert – Customer Identity Theft: E-mail-Related Fraud Threats • FI Trade Associations • Most have issued guidance to FIs and consumers • FI Industry Consortium • Subcommittee addressing issue

  48. Responses & Resource Examples • FFIEC (www.ffiec.gov) • Information Security Booklet • FTC (www.ftc.gov) • (7/03) How Not to Get Hooked by the “Phishing” Scam • (9/02) ID Theft: When Bad Things Happen to Your Good Name • Can report incidents

  49. Responses & Resource Examples • Treasury (www.treas.gov) • (1/04) Statement Warning about Recent Fraudulent E-mail Scams • Dept. of Justice (www.usdoj.gov & www.cybercrime.gov) • (2004) Special Report on “Phishing” • Also includes links to on-line protection & response notifications from various FIs. • FBI (www.fbi.gov & www.ifccfbi.gov) • (7/03) FBI Says Web “Spoofing” Scams are a Growing Problem • Also see Internet Fraud Complaint Center (IFCCBI) for info on reporting incidents

  50. Responses & Resource Examples • Better Business Bureau (www.bbb.org/phishing) • Issuing media alerts through its national and local offices. • www.callforaction.org • International, non-profit network of consumer hotlines and information. Worked with Visa to develop much of its material on ID theft.

More Related