
Taking a stand

When one U.S. bank realized it was becoming a target of phishing scams, it knew it had to get proactive about addressing the problem. Early phishing attacks had been amateurish and obviously fake, but it wasn’t long before the fraudulent emails and websites were becoming increasingly sophisticated and authentic looking. It was evident that these more advanced attacks would increase the risk of customers providing sensitive information to potential fraudsters. This would cause considerable damage in terms of fraud-related losses – not to mention the damage to the bank’s reputation and credibility as a secure service provider.

The inevitable happened when the bank was alerted by a customer who had received a suspicious email asking for their account information and other personal data. The fallout of this incident created a number of headaches for the management team. For example:

  • The first event opened the doors to other phishing attacks – up to a dozen times a day
  • A phishing tool kit instructing others how to attack the site was launched into the phishing community, which further escalated the attacks
  • The incidence of ATM card and PIN number theft grew exponentially
  • Extra staffing was required at call centers to handle the barrage of customer calls
  • Investigations were launched to find out which accounts were compromised
  • Customers had to be notified if their account was compromised
  • Authentication procedures had to be changed for all ATMs on the network
  • Outreach efforts were needed to educate customers on identity theft

Having learned a hard lesson, the bank decided to work with BD-BrandProtect to develop a comprehensive anti-phishing strategy that would not only seek out fraudsters, but also provide the tools and processes to shut them down before they could do any damage.

Catching a phish

Detecting a phishing attack is not an easy task and is often beyond the scope of in-house resources. The first step is establishing a formalized process that can discover attacks quickly and then immediately take the necessary steps to shut them down before they cause any damage.

A key component of an anti-phishing strategy is managing third-party services, since there are an unlimited number of domain names, websites and email addresses that are specifically created to attract phishing victims.

An anti-phishing strategy is specifically focused on reducing the time between a phishing email going out and the fraudulent website collecting information. Without an anti-phishing process in place, a bogus site may stay up for days or even weeks. What makes it harder to track is the fact that more sophisticated phishers will change their IP addresses every few minutes to avoid detection.

A good takedown process by dedicated services can reduce that window of opportunity for phishers to a matter of hours. However, it is a complex operation that often involves liaising with website owners, domain name registrars, Web-hosting companies and network providers around the world.

For financial services companies, few things are as potentially damaging as phishing - the fraudulent collection of personal customer information. Phishing undermines consumer confidence in a brand, puts customers at great risk of identity theft and costs the financial industry billions of dollars each year.

Gartner Group estimates that theft through phishing activities costs U.S. banks and credit card issuers $2.8 billion annually. As phishing attacks continue to escalate, financial institutions find themselves constantly battling to find better ways to track the attacks and mitigate the potential damage. For one major North American bank, a major phishing attack alerted management to the need to take a more proactive approach to protecting its business and its customers. The bank found the answer to its phishing woes with services from BD-BrandProtect.

© BDProtect Inc. 2008