Computer Fraud – “Phishing”
Identity Theft in Financial Services
6/30/04
Quotes
Phishing
“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”
Arthur Levitt, Former Chairman of the SEC
Quotes
“…The Internet is a perfect medium to locate victims and provide an environment where victims do not see or speak to the ‘fraudsters’. Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…”
Louis J. Freeh, Former FBI Director
Session Objectives
1) Raise awareness of threats & risks of phishing
2) Outline process to reduce the impact of phishing
This is not a technical session.
Session Outline
• Phishing 101
• Risks
• Trends
• Examples
• Action Plan Ideas
• Responses & Resource Examples
• Summary
Phishing 101
Internet
• Connectivity
• Access
• Anonymity
• Velocity
• Software vulnerabilities
Phishing 101
Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.
Phishing 101
E-mail
• Spoofed address
• Convincing
• Sense of urgency
• Embedded link (but not always)
Phishing 101
Website
• Spoofed/similar address
• Spoofed look/feel
• Authentication screen/pop-up window
• Possible redirect to actual website
Phishing 101
Scam relies on:
• Unrecognized % of spam w/ existing relationship
• Ease of registering a website
• Social engineering
Risks
Consumer
• ID Theft: open new accounts
• Fraud: unauthorized credit card transactions, A/C withdrawals
Risks
Organization Impersonated
• Reputation Risk: impression of weak security; impression of ignorance; inadequate education program; inadequate response program; negative publicity
• Strategic Risk: impact to on-line strategy (e.g. adoption/retention rates)
Risks
Organization Impersonated (cont’d)
• Transaction Risk: fraudulent transactions
• Legal Risk: possible litigation
• Operational Risk: added cost to respond/assist consumers
Trends
Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.
APWG Members
- Over 400 members
- Over 250 companies
- 8 of the top 10 US banks
- 4 of the top 5 US ISPs
- Over 100 technology vendors
- Law enforcement from Australia, CA, UK, USA
Trends
Unique Phishing Attacks (chart)
Dec '03: 116; Jan '04: 176; Feb '04: 402; March '04: 282; April '04: 1125; May '04: 1197
Source: Anti-Phishing Working Group Phishing Attack Trends Reports - March 2004 & May 2004
Trends
[Chart; image not in text] Source: Anti-Phishing Working Group Phishing Attack Trends Report - May 2004
Examples (June 2004)
[Three example slides; images not in text] Source: Anti-Phishing Working Group Phishing Archive
Examples (March 2004)
[Three example slides; images not in text] Source: Anti-Phishing Working Group Phishing Archive
Examples (May 2004)
[Six example slides; images not in text] Source: Anti-Phishing Working Group Phishing Archive
Examples (FYI)
• Internet Explorer browser exploit allows the URL in the web browser to be “masked”.
• Users would not know by looking at the browser window that they were at a different site than indicated.
• Patch issued (how many users installed?)
Related Examples (July ’03)
• Twist – newspaper vs. e-mail
• CU official thought suspicious (service area)
• Site www.centurycredit.org mirrored www.centurycu.org (NCUA logo too)
• Collected personal info. & loan app fees
• Toll free #
• Site shut down (GA), but ads persist
Action Plan Ideas
1. Education
2. Protect on-line identity of FI
3. Response Plan
Action Plan Ideas - Education
Self
• Review resource sources*
Institution
• Training / Policy Development
• Awareness
• Handling complaints & reports of suspicious e-mails/sites
• Protect on-line identity of FI*
• Response Plan*
* More info. on other slides
Action Plan Ideas - Education
Member / Customer
Communication Methods
• Internet Banking Agreements
• Newsletters
• Statement Stuffers
• Recordings when on “hold”
• Website: Messages / FAQs / Advisories / Links to outside resources / Current Fraud link
Action Plan Ideas - Education
Member / Customer
Content
• We will never ask for xxx via e-mail
• We will never alert you of xxx via e-mail
• Always feel free to call us at # on statement
• Always type in our site URL (see statement / newsletter / previous bookmark)
Action Plan Ideas - Education
Member / Customer
Content (cont’d)
• Sites can be convincingly copied
• Report suspicious e-mails & sites
• Where to get more advice on phishing
• Importance of patching
• How to validate site (via cert or seal)
• Where to go for ID theft help
Action Plan Ideas – Protection of FI’s Online Identity
Considerations
Review related regulatory issuances, such as:
• NCUA LTR 02-CU-16 Protection of CU Internet Addresses*
• FFIEC Information Security Booklet*
*See IS&T portion of NCUA’s website
Action Plan Ideas – Protection of FI’s Online Identity
Considerations (cont’d)
• Keep certificates up-to-date
• Practice good domain name controls
  • Don’t let URLs lapse
  • Purchase similar URLs
  • Search for similar URLs
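The “search for similar URLs” control can be partly automated: hostnames reported by members are compared against the institution’s own domain, with the same kind of near-match the centurycredit.org / centurycu.org case relied on. The Python below is an added example, not code from the presentation or from NCUA or APWG; the institution domain examplecu.org, the brand-word list and the reported hostnames are constructed, and the homoglyph table is a small illustrative subset.

```python
# Added example (not from the presentation): triage hostnames seen in reported
# e-mails against the institution's own domain. All names are constructed.

FI_DOMAIN = "examplecu.org"        # hypothetical institution domain
BRAND_WORDS = ("example",)         # distinctive brand token(s), constructed
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "5": "s"}

def normalize(label):
    """Fold sequences that render like another letter; applied to both
    sides, so a genuine 'rn' in the institution's label folds the same."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host):
    """'examplecu' for 'www.examplecu.org'; assumes a one-part suffix like .org."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(host, fi_domain=FI_DOMAIN, brand_words=BRAND_WORDS, max_edits=2):
    """Return ('legitimate' | 'lookalike' | 'unrelated', reason)."""
    host = host.lower().strip(".")
    if host == fi_domain or host.endswith("." + fi_domain):
        return "legitimate", "institution domain or subdomain"
    fi_label = normalize(registrable_label(fi_domain))
    label = normalize(registrable_label(host))
    if label == fi_label:
        return "lookalike", "homoglyph substitution"
    if levenshtein(label, fi_label) <= max_edits:
        return "lookalike", "typosquat within %d edits" % max_edits
    if fi_label in label:
        return "lookalike", "institution name with words added"
    if any(word in label for word in brand_words):
        return "lookalike", "brand word reused (the centurycredit/centurycu twist)"
    return "unrelated", "no resemblance"

if __name__ == "__main__":
    for h in ("exarnplecu.org", "examplecredit.org", "weatherforecast.net"):
        print(h, "->", classify(h))
```

Anything classed as lookalike is a candidate for the registrar/host notifications listed under the response plan; the one-part-suffix assumption means co.uk-style domains need a public-suffix list instead of the simple split.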
Action Plan Ideas - Response
Notification Considerations
• Attorney
• Law Enforcement
• Bonding Co.
• Regulator(s)
• Domain host / owner / registrar
• Members / Customers
Action Plan Ideas - Response
Notification Considerations (cont’d)
• Press
• Suspicious Activity Report
• Internet Fraud Complaint Center
• FTC
• Industry Fraud Associations / Groups
Responses & Resource Examples
NCUA (www.ncua.gov)
Specific guidance:
• (8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions
• (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes
• (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance
Responses & Resource Examples
NCUA (www.ncua.gov)
Related guidance:
• (12/02) LTR 02-CU-16 Protection of CU Internet Addresses
• (7/02) LTR 02-FCU-11 Tips to Safely Conduct Financial Transactions Over the Internet
• (09/01) LTR 01-CU-09 Identity Theft & Pretext Calling
• Working with FBI, FFIEC, SSAs, Newspaper Association
• Article in NCUA News
Responses & Resource Examples
FDIC (www.fdic.gov)
• (03/04) FIL-27-2004 Guidance on Safeguarding Customers Against Email & Internet-Related Fraudulent Schemes
OTS (www.ots.gov)
• (03/04) Memo – Phishing & E-mail Scams
Responses & Resource Examples
OCC (www.occ.gov)
• (09/03) Alert – Customer Identity Theft: Email-Related Fraud Threats
FI Trade Associations
• Most have issued guidance to FIs and consumers
FI Industry Consortium
• Subcommittee addressing issue
Responses & Resource Examples
FFIEC (www.ffiec.gov)
• Information Security Booklet
FTC (www.ftc.gov)
• (7/03) How Not to Get Hooked by the “Phishing” Scam
• (9/02) ID Theft: When Bad Things Happen to Your Good Name
• Can report incidents
Responses & Resource Examples
Treasury (www.treas.gov)
• (1/04) Statement Warning about Recent Fraudulent E-mail Scams
Dept. of Justice (www.usdoj.gov & www.cybercrime.gov)
• (2004) Special Report on “Phishing”; also includes links to on-line protection & response notifications from various FIs.
FBI (www.fbi.gov & www.ifccfbi.gov)
• (7/03) FBI Says Web “Spoofing” Scams are a Growing Problem
• Also see Internet Fraud Complaint Center (IFCC) for info on reporting incidents
Responses & Resource Examples
Better Business Bureau (www.bbb.org/phishing)
• Issuing media alerts through its national and local offices.
www.callforaction.org
• International, non-profit network of consumer hotlines and information. Worked with Visa to develop much of its material on ID theft.
Responses & Resource Examples
Anti-Phishing Working Group (www.antiphishing.org)
• Industry association w/ comprehensive resources (e.g. phishing archive, reporting, consumer guidance, resource links/papers, special reports, links to FIs/other orgs with anti-phishing consumer guidance on their websites, etc.)
Information Technology Association of America (www.itaa.org)
• Coalition (includes MS, Amazon, eBay) to curb ID theft
Responses & Resource Examples
Trusted Electronic Communications Forum (www.tecf.org)
• New standards and research effort focused on establishing new standards for protecting consumers and teaching end users how to better protect themselves. Several well-known financial services organizations represented.
Summary
• Spam, social engineering, urgency
• Increasing # of events
• FIs targeted
• Variations appearing
• Risk to FIs and consumers
• Proactive action needed
Quotes
“Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet.”
Jana Monroe, Assistant Director, Cyber Division of FBI