
Computer Fraud – “Phishing”

Identity Theft in Financial Services

6/30/04

2

Phishing

Quotes

“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”

Arthur Levitt
Former Chairman of the SEC

3

Quotes

“…The Internet is a perfect medium to locate victims and provide an environment where victims do not see or speak to the “fraudsters”. Anyone in the privacy of their own home can create a very persuasive vehicle for fraud over the Internet…”

Louis J. Freeh
Former FBI Director

4

Session Objectives

1) Raise awareness of threats & risks of phishing
2) Outline process to reduce the impact of phishing

This is not a technical session.

5

Session Outline

Phishing 101
Risks
Trends
Examples
Action Plan Ideas
Responses & Resource Examples
Summary

6

Phishing 101

Internet
Connectivity
Access
Anonymity
Velocity
Software vulnerabilities

7

Phishing 101

Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.

8

Phishing 101

E-mail
Spoofed address
Convincing
Sense of urgency
Embedded link (but not always)

9

Phishing 101

Website
Spoofed/similar address
Spoofed look/feel
Authentication screen/pop-up window
Possible redirect to actual website

10

Phishing 101

Scam relies on:
Unrecognized spam
% w/ existing relationship
Ease of registering a website
Social engineering

11

Risks

Consumer
ID Theft
Open new accounts
Fraud
Unauthorized credit card transactions
A/C withdrawals

12

Risks

Organization Impersonated
Reputation Risk
Impression of weak security
Impression of ignorance
Inadequate education program
Inadequate response program
Negative publicity
Strategic Risk
Impact to on-line strategy (i.e. adoption/retention rates)

13

Risks

Organization Impersonated
Transaction Risk
Fraudulent transactions
Legal Risk
Possible litigation
Operational Risk
Added cost to respond/assist consumers

14

Trends

Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.

APWG Members
- Over 400 members
- Over 250 companies
- 8 of the top 10 US banks
- 4 of the top 5 US ISPs
- Over 100 technology vendors
- Law enforcement from Australia, CA, UK, USA

15

Trends

Source: Anti-Phishing Working Group Phishing Attack Trends Reports - March 2004 & May 2004

Unique Phishing Attacks (chart data, reported per month):

Dec '03: 116
Jan '04: 176
Feb '04: 282
March '04: 402
April '04: 1125
May '04: 1197

16

Trends

Source: Anti-Phishing Working Group Phishing Attack Trends Report - May 2004 (chart not captured in transcript)

17–19

Examples (June 2004)

Source: Anti-Phishing Working Group Phishing Archive (screen images not captured in transcript)

20–22

Examples (March 2004)

Source: Anti-Phishing Working Group Phishing Archive (screen images not captured in transcript)

23–28

Examples (May 2004)

Source: Anti-Phishing Working Group Phishing Archive (screen images not captured in transcript)

29

Examples (FYI)

Internet Explorer browser exploit allows the URL in the web browser to be “masked”.

Users would not know by looking at the browser window that they were at a different site than indicated.

Patch issued (how many users installed?)

30

Related Examples (July ‘03)

Twist – newspaper vs. e-mail
CU official thought suspicious (service area)
Site www.centurycredit.org mirrored www.centurycu.org (NCUA logo too)
Collected personal info. & loan app fees
Toll free #
Site shut down (GA), but ads persist

31

Action Plan Ideas

1. Education
2. Protect on-line identity of FI
3. Response Plan

32

Action Plan Ideas - Education

Self
Review resource sources*

Institution
Training / Policy Development
Awareness
Handling complaints & reports of suspicious e-mails/sites
Protect on-line identity of FI*
Response Plan*

* More info. on other slides

33

Action Plan Ideas - Education

Member / Customer
Communication Methods
Internet Banking Agreements
Newsletters
Statement Stuffers
Recordings when on “hold”
Website
• Messages / FAQs / Advisories / Links to outside resources / Current Fraud link

34–37

Action Plan Ideas - Education (slide images not captured in transcript)

38

Action Plan Ideas - Education

Member / Customer
Content
We will never ask for xxx via e-mail
We will never alert you of xxx via e-mail
Always feel free to call us at # on statement
Always type in our site URL (see statement / newsletter / previous bookmark)

39

Action Plan Ideas - Education

Member / Customer
Content (cont’d)
Sites can be convincingly copied
Report suspicious e-mails & sites
Where to get more advice on phishing
Importance of patching
How to validate site (via cert or seal)
Where to go for ID theft help

40

Action Plan Ideas – Protection of FI’s Online Identity

Considerations
Review related regulatory issuances, such as:
NCUA LTR 02-CU-16 Protection of CU Internet Addresses*
FFIEC Information Security Booklet*

* See IS&T portion of NCUA’s website

41

Action Plan Ideas – Protection of FI’s Online Identity

Considerations (cont’d)
Keep certificates up-to-date
Practice good domain name controls
Don’t let URLs lapse
Purchase similar URLs
Search for similar URLs
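The "search for similar URLs" control above can be partly automated. The following Python scorer is an added example, not from the presentation or any vendor: it flags candidate domains that fold to the FI's own label (homoglyphs, hyphens, other TLD), sit within two edits of it, or reuse its brand word, using the www.centurycu.org / www.centurycredit.org pair from the July '03 example; the rest of the candidate list is constructed.

```python
# Visually similar characters that lookalike registrations substitute.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Generic words peeled off a label before comparing the brand part (order matters: "fcu" before "cu").
NOISE_WORDS = ("online", "secure", "login", "banking", "bank", "credit", "fcu", "cu")

def normalize(domain):
    """Lower-case the second-level label, drop the TLD, fold homoglyphs, remove hyphens."""
    label = domain.lower().strip().split(".")[0]
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.replace("-", "")

def brand(label):
    """Strip generic prefixes/suffixes repeatedly until only the brand word remains."""
    changed = True
    while changed:
        changed = False
        for word in NOISE_WORDS:
            if label.startswith(word) and len(label) > len(word):
                label, changed = label[len(word):], True
            if label.endswith(word) and len(label) > len(word):
                label, changed = label[:-len(word)], True
    return label

def levenshtein(a, b):
    """Plain edit distance; labels are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(legit, candidate):
    """Return None for the FI's own domain or an unrelated one, else the reason it looks alike."""
    if legit.lower() == candidate.lower():
        return None
    n_legit, n_cand = normalize(legit), normalize(candidate)
    if n_legit == n_cand:
        return "same label after folding homoglyphs/hyphens/TLD"
    if levenshtein(n_legit, n_cand) <= 2:
        return "typo variant (edit distance <= 2)"
    core = brand(n_legit)
    if len(core) >= 5 and core in n_cand:
        return f"reuses brand word '{core}' with extra words"
    return None

def scan(legit, candidates):
    """Map every flagged candidate domain to the reason it was flagged."""
    return {d: r for d in candidates if (r := classify(legit, d))}

# Constructed candidate list, e.g. the result of a registrar search for "century".
CANDIDATES = ["centurycu.org", "centurycredit.org", "centurycu.com", "c3ntury-cu.com",
              "centurycv.org", "centurycu-online.org", "ncua.gov", "pacificcu.org"]
```

Brand-word hits need a human look: a generic brand word such as "century" will also match unrelated registrations, so treat the output as a review queue for the "purchase similar URLs" decision, not as a blocklist.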

42

Action Plan Ideas - Response

Notification Considerations
Attorney
Law Enforcement
Bonding Co.
Regulator(s)
Domain host / owner / registrar
Members / Customers

43

Action Plan Ideas - Response

Notification Considerations (cont’d)
Press
Suspicious Activity Report
Internet Fraud Complaint Center
FTC
Industry Fraud Associations / Groups

44

Responses & Resource Examples

NCUA (www.ncua.gov)
Specific guidance:
(8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions
(04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes
(05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance

45

Responses & Resource Examples

NCUA (www.ncua.gov)
Related guidance:
(12/02) LTR 02-CU-16 Protection of CU Internet Addresses
(7/02) LTR 02-FCU-11 Tips to Safely Conduct Financial Transactions Over the Internet
(09/01) LTR 01-CU-09 Identity Theft & Pretext Calling
Working with FBI, FFIEC, SSAs, Newspaper Association
Article in NCUA News

46

Responses & Resource Examples

FDIC (www.fdic.gov)
(03/04) FIL-27-2004 Guidance on Safeguarding Customers Against E-mail & Internet-Related Fraudulent Schemes

OTS (www.ots.gov)
(03/04) Memo – Phishing & E-mail Scams

47

Responses & Resource Examples

OCC (www.occ.gov)
(09/03) Alert – Customer Identity Theft: E-mail-Related Fraud Threats

FI Trade Associations
Most have issued guidance to FIs and consumers

FI Industry Consortium
Subcommittee addressing issue

48

Responses & Resource Examples

FFIEC (www.ffiec.gov)
Information Security Booklet

FTC (www.ftc.gov)
(7/03) How Not to Get Hooked by the “Phishing” Scam
(9/02) ID Theft: When Bad Things Happen to Your Good Name
Can report incidents

49

Responses & Resource Examples

Treasury (www.treas.gov)
(1/04) Statement Warning about Recent Fraudulent E-mail Scams

Dept. of Justice (www.usdoj.gov & www.cybercrime.gov)
(2004) Special Report on “Phishing”
• Also includes links to on-line protection & response notifications from various FIs.

FBI (www.fbi.gov & www.ifccfbi.gov)
(7/03) FBI Says Web “Spoofing” Scams are a Growing Problem
Also see Internet Fraud Complaint Center (IFCC) for info on reporting incidents

50

Responses & Resource Examples

Better Business Bureau (www.bbb.org/phishing)
Issuing media alerts through its national and local offices.

www.callforaction.org
International, non-profit network of consumer hotlines and information. Worked with Visa to develop much of its material on ID theft.

51

Responses & Resource Examples

Anti-Phishing Working Group (www.antiphishing.org)
Industry association w/ comprehensive resources (i.e. phishing archive, reporting, consumer guidance, resource links/papers, special reports, links to FIs/other orgs with anti-phishing consumer guidance on their websites, etc.)

Information Technology Association of America (www.itaa.org)
Coalition (includes MS, Amazon, eBay) to curb ID theft

52

Responses & Resource Examples

Trusted Electronic Communications Forum (www.tecf.org)
Standards and research effort focused on establishing new standards for protecting consumers and teaching end users how to better protect themselves.

Several well-known financial services organizations represented.

53

Summary

Spam, social engineering, urgency
Increasing # of events
FIs targeted
Variations appearing
Risk to FIs and consumers
Proactive action needed

54

Quotes

“Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet.”

Jana Monroe
Assistant Director
Cyber Division of FBI