Computer Fraud – “Phishing”
Quotes • “…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…” • Arthur Levitt • Former Chairman of the SEC
Quotes • “…The Internet is a perfect medium to locate victims and provide an environment where victims do not see or speak to the “fraudsters”. Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…” • Louis J. Freeh • Former FBI Director
Session Objectives • Raise awareness of threats & risks of phishing • Outline process to reduce the impact of phishing This is not a technical session.
Session Outline • Phishing 101 • Risks • Trends • Examples • Action Plan Ideas • Responses & Resource Examples • Summary
Phishing 101 • Internet • Connectivity • Access • Anonymity • Velocity • Software vulnerabilities
Phishing 101 • Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.
Phishing 101 • E-mail • Spoofed address • Convincing • Sense of urgency • Embedded link (but not always)
Phishing 101 Website • Spoofed/similar address • Spoofed look/feel • Authentication screen/pop-up window • Possible redirect to actual website
Phishing 101 • Scam relies on: • Spam that recipients do not recognize as such • Some percentage of recipients having an existing relationship with the impersonated institution • Ease of registering a website • Social engineering
Risks • Consumer • ID Theft • Open new accounts • Fraud • Unauthorized credit card transactions • Account withdrawals
Risks • Organization Impersonated • Reputation Risk • Impression of weak security • Impression of ignorance (inadequate education program, inadequate response program) • Negative publicity • Strategic Risk • Impact to on-line strategy (e.g. adoption/retention rates)
Risks • Organization Impersonated • Transaction Risk • Fraudulent transactions • Legal Risk • Possible litigation • Operational Risk • Added cost to respond/assist consumers
Trends • Anti-Phishing Working Group • The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. • APWG Members: over 400 members; over 250 companies; 8 of the top 10 US banks; 4 of the top 5 US ISPs; over 100 technology vendors; law enforcement from Australia, Canada, UK, USA
Trends • [Charts not reproduced] Source: Anti-Phishing Working Group Phishing Attack Trends Reports, March 2004 & May 2004
Examples (March, May and June 2004) • [Screenshots of phishing e-mails and websites not reproduced] Source: Anti-Phishing Working Group Phishing Archive
Examples (FYI) • Internet Explorer browser exploit allows the URL in the web browser to be “masked”. • Users would not know by looking at the browser window that they were at a different site than indicated. • Patch issued (how many users installed?)
Related Examples (July ‘03) • Twist – lure ran as a newspaper ad rather than e-mail • CU official thought it suspicious (service area) • Site www.centurycredit.org mirrored www.centurycu.org (NCUA logo too) • Collected personal info. & loan application fees • Toll-free # • Site shut down (GA), but ads persisted
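The e-mail and website indicators from the Phishing 101 slides (spoofed or similar address, embedded link), the URL-masking point in the FYI example and the centurycredit.org / centurycu.org look-alike above can all be checked mechanically before a link is trusted. The following is an added example written for this page, not code from the presentation or from NCUA; it does not reproduce the Internet Explorer bug referred to above, only the URL-level tricks a reviewer can test for. The legitimate domain, the sample links (constructed) and the look-alike thresholds are assumptions.

```python
"""Flag common phishing indicators in links extracted from an e-mail."""
import ipaddress
from os.path import commonprefix
from urllib.parse import urlsplit

# Assumption: the impersonated institution's legitimate domain(s).
LEGIT_DOMAINS = {"centurycu.org"}

# Constructed sample links as (display text, href) pairs, as they might be
# pulled out of a message's HTML. Not real phishing samples.
SAMPLE_LINKS = [
    ("https://www.centurycu.org/login", "https://www.centurycu.org/login"),
    # userinfo trick: the browser connects to 192.0.2.10, not to centurycu.org
    ("http://www.centurycu.org/verify", "http://www.centurycu.org@192.0.2.10/verify"),
    ("Click here to apply", "http://www.centurycredit.org/apply"),
    ("https://www.centurycu.org", "https://centurycu.org.account-update.example/"),
]


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .org/.com, wrong for co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text: str) -> bool:
    return "://" in text or text.lower().startswith("www.")


def is_lookalike(host: str) -> bool:
    """Heuristic (thresholds are assumptions): host is not ours but borrows
    our brand label, is a near-typo of it, or shares a long prefix with it."""
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return False
    label = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if (brand in host.lower()
                or levenshtein(label, brand) <= 2
                or len(commonprefix([label, brand])) >= 7):
            return True
    return False


def analyze_link(text: str, href: str) -> list[str]:
    """Return the names of the indicators that fire for one link."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    found = []
    if parts.username is not None:        # "bank.example@evil" masks the real host
        found.append("userinfo-before-host")
    if is_ip_literal(host):
        found.append("ip-literal-host")
    if parts.scheme != "https":
        found.append("no-tls")
    if is_lookalike(host):
        found.append("lookalike-domain")
    if looks_like_url(text):              # shown URL differs from the real target
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if registered_domain(shown) != registered_domain(host):
            found.append("display-href-mismatch")
    return found


def scan_links(links) -> dict[str, list[str]]:
    return {href: analyze_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, indicators in scan_links(SAMPLE_LINKS).items():
        print("SUSPECT" if indicators else "ok     ", href, indicators)
```

Any hit is a reason to type the institution's address by hand instead of following the link; the check is deliberately conservative, and a genuine site that still uses plain http will trip `no-tls`.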
Action Plan Ideas • Education • Protect on-line identity of FI • Response Plan
Action Plan Ideas - Education • Self • Review resource sources* • Institution • Training / Policy Development • Awareness • Handling complaints & reports of suspicious e-mails/sites • Protect on-line identity of FI* • Response Plan* * More info. on other slides
Action Plan Ideas - Education • Member / Customer • Communication Methods • Internet Banking Agreements • Newsletters • Statement Stuffers • Recordings when on “hold” • Website • Messages / FAQs / Advisories / Links to outside resources/ Current Fraud link
Action Plan Ideas - Education • Member / Customer • Content • We will never ask for xxx via e-mail • We will never alert you of xxx via e-mail • Always feel free to call us at # on statement • Always type in our site URL (see statement / newsletter / previous bookmark)
Action Plan Ideas - Education • Member / Customer • Content (cont’d) • Sites can be convincingly copied • Report suspicious e-mails & sites • Where to get more advice on phishing • Importance of patching • How to validate site (via cert or seal) • Where to go for ID theft help
Action Plan Ideas – Protection of FI’s Online Identity • Considerations • Review related regulatory issuances, such as: • NCUA LTR 02-CU-16 Protection of CU Internet Addresses* • FFIEC Information Security Booklet* *See IS&T portion of NCUA’s website
Action Plan Ideas – Protection of FI’s Online Identity • Considerations (cont’d) • Keep certificates up-to-date • Practice good domain name controls • Don’t let URLs lapse • Purchase similar URLs • Search for similar URLs
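"Purchase similar URLs" and "search for similar URLs" need a list of what "similar" means for the institution's own domain. The following is an added example written for this page, not code from the presentation or from any regulator: it generates look-alike candidates (typos, hyphenation, homoglyphs, affixes, TLD swaps, and a credit-union-specific "cu" spelled out as in the centurycredit.org case above) and intersects them with a registration snapshot. The variant rules, affix list and the stand-in registration set are assumptions; in practice that set would come from WHOIS or DNS lookups.

```python
"""Generate look-alike domain candidates for an institution's domain and
check which ones are already registered (registration data is constructed)."""

HOMOGLYPHS = (("l", "1"), ("o", "0"), ("i", "l"), ("rn", "m"), ("vv", "w"))
AFFIXES = ("-online", "-secure", "-login", "online", "bank")
TLDS = ("com", "net", "org", "info", "biz", "us")
# Assumption: credit-union naming variants; "cu" is often spelled out.
CU_VARIANTS = ("credit", "creditunion", "fcu")


def label_variants(label: str) -> set[str]:
    """All single-step variants of the second-level label."""
    out = set()
    for i in range(len(label)):                      # character omission
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # adjacent transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                   # hyphen insertion
        out.add(label[:i] + "-" + label[i:])
    for a, b in HOMOGLYPHS:                          # visually similar characters
        if a in label:
            out.add(label.replace(a, b))
    for affix in AFFIXES:                            # e.g. centurycu-online
        out.add(label + affix)
    if label.endswith("cu"):                         # e.g. centurycredit
        for word in CU_VARIANTS:
            out.add(label[:-2] + word)
    out.discard(label)
    return out


def lookalike_candidates(domain: str) -> set[str]:
    """Full candidate list: label variants on the same TLD plus TLD swaps."""
    label, tld = domain.lower().split(".", 1)
    candidates = {f"{v}.{tld}" for v in label_variants(label)}
    candidates |= {f"{label}.{t}" for t in TLDS if t != tld}
    return candidates


def find_registered(domain: str, registered: set[str]) -> set[str]:
    """Candidates that appear in the registration snapshot."""
    return {c for c in lookalike_candidates(domain) if c in registered}


# Constructed stand-in for WHOIS/DNS results; not real registration data.
CONSTRUCTED_REGISTRATIONS = {
    "centurycredit.org", "centurycu.com", "century-cu.org",
    "centurycu-online.org", "unrelated.example",
}

if __name__ == "__main__":
    hits = find_registered("centurycu.org", CONSTRUCTED_REGISTRATIONS)
    print(len(lookalike_candidates("centurycu.org")), "candidates generated")
    for h in sorted(hits):
        print("registered look-alike:", h)
```

Run periodically, the hits list is the input to the "search for similar URLs" step; candidates that are still unregistered are the ones to consider purchasing.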
Action Plan Ideas - Response • Notification Considerations • Attorney • Law Enforcement • Bonding Co. • Regulator(s) • Domain host / owner / registrar • Members / Customers
Action Plan Ideas - Response • Notification Considerations (cont’d) • Press • Suspicious Activity Report • Internet Fraud Complaint Center • FTC • Industry Fraud Associations / Groups
Responses & Resource Examples • NCUA (www.ncua.gov) • Specific guidance: • (8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions • (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes • (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance
Responses & Resource Examples • NCUA (www.ncua.gov) • Related guidance: • (12/02) LTR 02-CU-16 Protection of CU Internet Addresses • (7/02) LTR 02-FCU-11 Tips to Safely Conduct Financial Transactions Over the Internet • (09/01) LTR 01-CU-09 Identity Theft & Pretext Calling • Working with FBI, FFIEC, SSAs, Newspaper Association • Article in NCUA News
Responses & Resource Examples • FDIC (www.fdic.gov) • (03/04) FIL-27-2004 Guidance on Safeguarding Customers Against E-mail & Internet-Related Fraudulent Schemes • OTS (www.ots.gov) • (03/04) Memo – Phishing & E-mail Scams
Responses & Resource Examples • OCC (www.occ.gov) • (09/03) Alert – Customer Identity Theft: E-mail-Related Fraud Threats • FI Trade Associations • Most have issued guidance to FIs and consumers • FI Industry Consortium • Subcommittee addressing issue
Responses & Resource Examples • FFIEC (www.ffiec.gov) • Information Security Booklet • FTC (www.ftc.gov) • (7/03) How Not to Get Hooked by the “Phishing” Scam • (9/02) ID Theft: When Bad Things Happen to Your Good Name • Can report incidents
Responses & Resource Examples • Treasury (www.treas.gov) • (1/04) Statement Warning about Recent Fraudulent E-mail Scams • Dept. of Justice (www.usdoj.gov & www.cybercrime.gov) • (2004) Special Report on “Phishing” • Also includes links to on-line protection & response notifications from various FIs. • FBI (www.fbi.gov & www.ifccfbi.gov) • (7/03) FBI Says Web “Spoofing” Scams are a Growing Problem • Also see the Internet Fraud Complaint Center (IFCC, www.ifccfbi.gov) for info on reporting incidents
Responses & Resource Examples • Better Business Bureau (www.bbb.org/phishing) • Issuing media alerts through its national and local offices. • www.callforaction.org • International, non-profit network of consumer hotlines and information. Worked with Visa to develop much of its material on ID theft.