Customer Identity Theft: E-Mail-Related Fraud Threats
TO: Chief Executive Officers and Chief Information Technology Officers of National Financial Institutions, Federal Branches, Service Providers, Department and Division Heads, and Examining Personnel
This alert is intended to raise awareness of an increasingly common Internet fraud called â€œphishingâ€ and encourages financial institutions to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers.
The FBI's Internet Fraud Complaint Center (IFCC) reports a steady increase in complaints involving unsolicited e-mails directing consumers to a phony "customer service" Web site or directly asking for customer information. These scams are contributing to a rise in identity theft, credit card fraud, and other Internet-based frauds. E-commerce customers, including financial institution customers, have fallen victim to these scams.
Phishing involves sending customers a seemingly legitimate e-mail request for account information, often under the guise of asking the customer to verify or reconfirm confidential personal information such as account numbers, social security numbers, passwords, and other sensitive information. In the e-mail, the perpetrator uses various means to convince customers that they are receiving a legitimate message from someone whom the customer may already be doing business with, such as a financial institution. Techniques such as a false â€œfromâ€ address or the use of seemingly legitimate logos, Web links, and graphics may be employed to mislead the customer. After gaining the customerâ€™s trust, the perpetrator attempts to convince the customer to provide personal information and provides one or more methods for the customer to communicate that information back. For example, the e-mail might include a link to the perpetratorâ€™s Web site that contains a form for entering personal information. Like the e-mail, the Web site is designed to trick the customer into believing it belongs to the institution. Alternatively, the e-mail might simply include an embedded form for the customer to complete. The ultimate goal of this fraud is to use the customer information to gain unauthorized access to a customerâ€™s financial accounts or to engage in other illegal acts.
RISK MITIGATION FOR E-MAIL-RELATED FRAUDS
Financial institutions should implement appropriate controls consistent with the security process described in the Federal Financial Institutions Examination Councilâ€™s (FFIEC) â€œInformation Security Booklet.â€ Management should consider the following actions to help prevent, detect, and respond to the threat from e-mail-related frauds:
â€¢Provide notices on Web sites reminding customers that the institution will never request confidential information through e-mail and to report any such requests to the institution.
â€¢Print warnings and notices on customer statements or other paper mailings.
â€¢Improve authentication methods and procedures to protect against the risk of user ID and password theft from the customer through e-mail and other frauds. Authentication methods solely reliant on shared secrets (e.g., passwords) are more susceptible to phishing schemes than stronger authentication methods.
â€¢Review and, if necessary, enhance practices for protecting confidential customer data.
â€¢Maintain current Web site certificates and describe how the customer can authenticate the institutionâ€™s Web pages by checking the properties on a secure Web page.
â€¢Refer customers to or use Federal Trade Commission (FTC) resources to develop educational brochures to explain the red flags and risks of identity theft.
â€“FTC, â€œHow Not to Get Hooked by the â€˜Phishingâ€™ Scam,â€ July 2003
â€“FTC, â€œID Theft: When Bad Things Happen to Your Good Name,â€ September 2002 http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
â€¢Monitor accounts individually or in aggregate for unusual account activity such as address or phone number changes, large or a high volume of transfers, and unusual customer service requests.
â€¢Monitor for fraudulent Web sites using variations of the institutionâ€™s name.
â€¢Establish a toll-free number for customers to verify requests for confidential information or to report suspicious e-mails.
â€¢Train customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.
â€¢Incorporate notification of known e-mail-related frauds into the response program to alert customers of fraudulent requests for information and to caution them against responding.
â€¢Establish a process to notify Internet service providers, domain name issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that are being used to facilitate phishing or other fraudulent e-mail practices.
â€¢Increase suspicious activity monitoring and employ additional identity verification controls.
â€¢If fraud is detected in connection with customer accounts, the institution should report the fraud and consider offering its customers assistance consistent with the comprehensive guidance on reporting and customer assistance given in OCC Advisory Letter 2001-4, â€œIdentity Theft and Pretext Calling.â€
In the event your institution is a victim of an e-mail-related scam, you should promptly notify your OCC supervisory office. As appropriate, you should also report the event to law enforcement by filing a Suspicious Activity Report.
Questions regarding this alert should be directed to Clifford A. Wilke, director for Bank Technology Policy at (202) 874-5920 or email@example.com.