Computer Fraud – “Phishing” Identity Theft in Financial Services 6/30/04.

Dec 23, 2015

Wilfred McCoy
Page 1: Title slide

Computer Fraud – “Phishing”

Identity Theft in Financial Services, 6/30/04

Page 2: Quotes

“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”

Arthur Levitt, Former Chairman of the SEC

Page 3: Quotes

“…The Internet is a perfect medium to locate victims and provide an environment where victims do not see or speak to the “fraudsters”. Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…”

Louis J. Freeh, Former FBI Director

Page 4: Session Objectives

1) Raise awareness of threats & risks of phishing

2) Outline process to reduce the impact of phishing

This is not a technical session.

Page 5: Session Outline

Phishing 101
Risks
Trends
Examples
Action Plan Ideas
Responses & Resource Examples
Summary

Page 6: Phishing 101 – Internet

Connectivity
Access
Anonymity
Velocity
Software vulnerabilities

Page 7: Phishing 101

Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.

Page 8: Phishing 101 – E-mail

Spoofed address
Convincing
Sense of urgency
Embedded link (but not always)

Page 9: Phishing 101 – Website

Spoofed/similar address
Spoofed look/feel
Authentication screen/pop-up window
Possible redirect to actual website

Page 10: Phishing 101 – Scam relies on:

Unrecognized spam
% w/ existing relationship
Ease of registering a website
Social engineering

Page 11: Risks – Consumer

ID Theft
Open new accounts

Fraud
Unauthorized credit card transactions
A/C withdrawals

Page 12: Risks – Organization Impersonated

Reputation Risk
Impression of weak security
Impression of ignorance
Inadequate education program
Inadequate response program
Negative publicity

Strategic Risk
Impact to on-line strategy (i.e. adoption/retention rates)

Page 13: Risks – Organization Impersonated

Transaction Risk
Fraudulent transactions

Legal Risk
Possible litigation

Operational Risk
Added cost to respond/assist consumers

Page 14: Trends

Anti-Phishing Working Group

The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.

APWG Members
- Over 400 members
- Over 250 companies
- 8 of the top 10 US banks
- 4 of the top 5 US ISPs
- Over 100 technology vendors
- Law enforcement from Australia, CA, UK, USA

Page 15: Trends

Source: Anti-Phishing Working Group Phishing Attack Trends Reports - March 2004 & May 2004

[Chart: Unique Phishing Attacks, Dec '03 through May '04; bar values as extracted from the slide: 282, 116, 176, 402, 1125, 1197; y-axis 0 to 1400]

Page 16: Trends

Source: Anti-Phishing Working Group Phishing Attack Trends Report - May 2004

Page 17: Examples (June 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 18: Examples (June 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 19: Examples (June 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 20: Examples (March 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 21: Examples (March 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 22: Examples (March 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 23: Examples (May 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 24: Examples (May 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 25: Examples (May 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 26: Examples (May 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 27: Examples (May 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 28: Examples (May 2004)

Source: Anti-Phishing Working Group Phishing Archive

Page 29: Examples (FYI)

Internet Explorer browser exploit allows the URL in the web browser to be “masked”.

Users would not know by looking at the browser window that they were at a different site than indicated.

Patch issued (how many users installed?)

Page 30: Related Examples (July ‘03)

Twist – newspaper vs. e-mail
CU official thought suspicious (service area)
Site www.centurycredit.org mirrored www.centurycu.org (NCUA logo too)
Collected personal info. & loan app fees
Toll free #
Site shut down (GA), but ads persist

Page 31: Action Plan Ideas

1. Education
2. Protect on-line identity of FI
3. Response Plan

Page 32: Action Plan Ideas - Education

Self
Review resource sources*

Institution
Training / Policy Development
Awareness
Handling complaints & reports of suspicious e-mails/sites
Protect on-line identity of FI*
Response Plan*

* More info. on other slides

Page 33: Action Plan Ideas - Education

Member / Customer

Communication Methods
Internet Banking Agreements
Newsletters
Statement Stuffers
Recordings when on “hold”
Website
• Messages / FAQs / Advisories / Links to outside resources / Current Fraud link

Page 34: Action Plan Ideas - Education

Page 35: Action Plan Ideas - Education

Page 36: Action Plan Ideas - Education

Page 37: Action Plan Ideas - Education

Page 38: Action Plan Ideas - Education

Member / Customer

Content
We will never ask for xxx via e-mail
We will never alert you of xxx via e-mail
Always feel free to call us at # on statement
Always type in our site URL (see statement / newsletter / previous bookmark)

Page 39: Action Plan Ideas - Education

Member / Customer

Content (cont’d)
Sites can be convincingly copied
Report suspicious e-mails & sites
Where to get more advice on phishing
Importance of patching
How to validate site (via cert or seal)
Where to go for ID theft help

Page 40: Action Plan Ideas – Protection of FI’s Online Identity

Considerations

Review related regulatory issuances, such as:
NCUA LTR 02-CU-16 Protection of CU Internet Addresses*
FFIEC Information Security Booklet*

* See IS&T portion of NCUA’s website

Page 41: Action Plan Ideas – Protection of FI’s Online Identity

Considerations (cont’d)

Keep certificates up-to-date
Practice good domain name controls
Don’t let URLs lapse
Purchase similar URLs
Search for similar URLs
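As an added illustration of the “search for similar URLs” control (example code written for this transcript, not part of the original presentation), the following Python scan flags newly observed domain names that resemble an institution's legitimate domain, using the July '03 centurycredit.org / centurycu.org pair from the slides. The domain list, brand tokens, homoglyph table and similarity threshold are all constructed assumptions, not data from any real registration feed.

```python
from difflib import SequenceMatcher

# Constructed inputs (not from any real registration feed). The legitimate domain
# and brand tokens are assumptions chosen to match the slide's July '03 example.
LEGIT_DOMAINS = ["centurycu.org"]
BRAND_TOKENS = ["centurycu", "century"]
OBSERVED_DOMAINS = [
    "centurycu.org",        # the institution's own site
    "centurycredit.org",    # the mirror site from the July '03 example
    "centurycu.com",        # same label, different TLD
    "century-cu.org",       # hyphen inserted
    "centurycu-login.net",  # brand plus a lure word
    "c3nturycu.org",        # digit standing in for a letter
    "example.org",          # unrelated
]

# Digits/symbols commonly used in place of look-alike letters; folded back so
# "c3nturycu" compares equal to "centurycu".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
SIMILARITY_THRESHOLD = 0.8  # assumption; tune against your own false-positive rate


def split_domain(domain):
    """Return (second-level label, tld). Sufficient for single-label TLDs like .org."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def normalize(label):
    """Fold homoglyphs to letters and drop hyphens before comparing labels."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "")


def classify(domain, legit_domains=LEGIT_DOMAINS, brand_tokens=BRAND_TOKENS):
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'unrelated'."""
    domain = domain.lower()
    if domain in legit_domains:
        return "legit", "exact match with an owned domain"
    sld, tld = split_domain(domain)
    norm = normalize(sld)
    for legit in legit_domains:
        legit_sld, legit_tld = split_domain(legit)
        legit_norm = normalize(legit_sld)
        if norm == legit_norm and tld != legit_tld:
            return "lookalike", f"same label as {legit} under a different TLD"
        if norm == legit_norm:
            return "lookalike", f"label equals {legit} after homoglyph/hyphen normalization"
        ratio = SequenceMatcher(None, norm, legit_norm).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return "lookalike", f"label is {ratio:.2f} similar to {legit}"
    for token in brand_tokens:
        if token in norm:
            return "lookalike", f"label contains brand token '{token}'"
    return "unrelated", "no resemblance to owned domains or brand tokens"


def scan(observed=OBSERVED_DOMAINS):
    """Map each observed domain to its verdict; the lookalikes are the review queue."""
    return {d: classify(d)[0] for d in observed}


if __name__ == "__main__":
    for d in OBSERVED_DOMAINS:
        verdict, reason = classify(d)
        print(f"{d:22} {verdict:10} {reason}")
```

Flagged domains are candidates for the notification steps on the response slides (registrar, law enforcement), not automatic conclusions; a human still reviews each hit.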

Page 42: Action Plan Ideas - Response

Notification Considerations
Attorney
Law Enforcement
Bonding Co.
Regulator(s)
Domain host / owner / registrar
Members / Customers

Page 43: Action Plan Ideas - Response

Notification Considerations (cont’d)
Press
Suspicious Activity Report
Internet Fraud Complaint Center
FTC
Industry Fraud Associations / Groups

Page 44: Responses & Resource Examples

NCUA (www.ncua.gov)

Specific guidance:
(8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions
(04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes
(05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance

Page 45: Responses & Resource Examples

NCUA (www.ncua.gov)

Related guidance:
(12/02) LTR 02-CU-16 Protection of CU Internet Addresses
(7/02) LTR 02-FCU-11 Tips to Safely Conduct Financial Transactions Over the Internet
(09/01) LTR 01-CU-09 Identity Theft & Pretext Calling

Working with FBI, FFIEC, SSAs, Newspaper Association

Article in NCUA News

Page 46: Responses & Resource Examples

FDIC (www.fdic.gov)
(03/04) FIL-27-2004 Guidance on Safeguarding Customers Against E-mail & Internet-Related Fraudulent Schemes

OTS (www.ots.gov)
(03/04) Memo – Phishing & E-mail Scams

Page 47: Responses & Resource Examples

OCC (www.occ.gov)
(09/03) Alert – Customer Identity Theft: E-mail-Related Fraud Threats

FI Trade Associations
Most have issued guidance to FIs and consumers

FI Industry Consortium
Subcommittee addressing issue

Page 48: Responses & Resource Examples

FFIEC (www.ffiec.gov)
Information Security Booklet

FTC (www.ftc.gov)
(7/03) How Not to Get Hooked by the “Phishing” Scam
(9/02) ID Theft: When Bad Things Happen to Your Good Name
Can report incidents

Page 49: Responses & Resource Examples

Treasury (www.treas.gov)
(1/04) Statement Warning about Recent Fraudulent E-mail Scams

Dept. of Justice (www.usdoj.gov & www.cybercrime.gov)
(2004) Special Report on “Phishing”
• Also includes links to on-line protection & response notifications from various FIs.

FBI (www.fbi.gov & www.ifccfbi.gov)
(7/03) FBI Says Web “Spoofing” Scams are a Growing Problem
Also see Internet Fraud Complaint Center (IFCCBI) for info on reporting incidents

Page 50: Responses & Resource Examples

Better Business Bureau (www.bbb.org/phishing)
Issuing media alerts through its national and local offices.

www.callforaction.org
International, non-profit network of consumer hotlines and information. Worked with Visa to develop much of its material on ID theft.

Page 51: Responses & Resource Examples

Anti-Phishing Working Group (www.antiphishing.org)
Industry association w/ comprehensive resources (i.e. phishing archive, reporting, consumer guidance, resource links/papers, special reports, links to FIs/other orgs with anti-phishing consumer guidance on their websites, etc.)

Information Technology Association of America (www.itaa.org)
Coalition (includes MS, Amazon, eBay) to curb ID theft

Page 52: Responses & Resource Examples

Trusted Electronic Communications Forum (www.tecf.org)

New standards and research effort to focus on establishing new standards for protecting consumers and teach end users how to better protect themselves.

Several well-known financial services organizations represented.

Page 53: Summary

Spam, social engineering, urgency
Increasing # of events
FIs targeted
Variations appearing
Risk to FIs and consumers
Proactive action needed

Page 54: Quotes

“Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet.”

Jana Monroe, Assistant Director, Cyber Division of FBI