<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-15293535</atom:id><lastBuildDate>Wed, 30 Apr 2008 19:17:05 +0000</lastBuildDate><title>Anti-Phishing Blog</title><description/><link>http://www.bankersonline.com/phishing/</link><managingEditor>Mary Beth</managingEditor><generator>Blogger</generator><openSearch:totalResults>55</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-5912610221505280106</guid><pubDate>Wed, 30 Apr 2008 19:06:00 +0000</pubDate><atom:updated>2008-04-30T12:17:05.383-07:00</atom:updated><title>Your Check is In the Mail</title><description>The economic stimulus payments are starting to be sent. Email scams are frequent and it is worth reminding your customers of some facts. The IRS already has their information. There is no need to respond to any email request to verify information or to choose direct deposit over a mailed check. The IRS is using the same method of refunding for the stimulus payments as was selected by the taxpayer for any 2007 refund. If they opted for a check, a check will be sent to that address. If the taxpayer opted for direct deposit, that is where the stimulus payment will be sent.&lt;br /&gt;&lt;br /&gt;Are your tellers and CSRs prepared to field your customers' questions:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Will the bank tell me the money is in my account?&lt;/li&gt;&lt;li&gt;What if I have closed the account I had for my refund, but have a new account with you now?&lt;/li&gt;&lt;li&gt;How much am I getting?&lt;/li&gt;&lt;li&gt;When will my check be sent?&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;You should be prepared with resources and talk-offs for your staff. 
&lt;br /&gt;&lt;br /&gt;Need to calculate your stimulus payment?&lt;br /&gt;http://www.irs.gov/app/espc/&lt;br /&gt;&lt;br /&gt;Want to know when payments are scheduled for delivery?&lt;br /&gt;http://www.irs.gov/irs/article/0,,id=180250,00.html</description><link>http://www.bankersonline.com/phishing/2008/04/your-check-is-in-mail.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-7943575842861829096</guid><pubDate>Mon, 07 Apr 2008 21:45:00 +0000</pubDate><atom:updated>2008-04-07T14:47:46.034-07:00</atom:updated><title>Where the Phishing is Best</title><description>Symantec, the security software company, released its "The State of Phishing" report. In February, the most common attacks were those seeking money through fraudulent tax refunds. &lt;br /&gt;&lt;br /&gt;Also of note, &lt;b&gt;84 percent of fraud activity was directed at the finance industry&lt;/b&gt;. Key targets were banking sites and e-commerce in general. Another 13 percent targeted information services, where the harvested information was wanted for sending spam.&lt;br /&gt;&lt;br /&gt;On a brighter note, the number of unique sites used for phishing fell 1.8 percent in February 2008 as compared to the month before.</description><link>http://www.bankersonline.com/phishing/2008/04/where-phishing-is-best.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-3524465180449149898</guid><pubDate>Tue, 11 Mar 2008 19:41:00 +0000</pubDate><atom:updated>2008-03-11T12:45:16.579-07:00</atom:updated><title>You have an IRS refund, and someone wants it.</title><description>Even before the Economic Stimulus package was approved, scammers were sending emails wanting to verify consumers' personal information to process their refunds. 
It is a scam and the emails are continuing to come.&lt;br /&gt;&lt;br /&gt;The Federal Trade Commission has issued a warning to consumers advising them that the IRS and Social Security Administration do not collect refund or rebate information by telephone or email. This is a phishing attempt to get personal information over the phone or through a phony website. This information could then be used to facilitate identity theft. &lt;br /&gt;&lt;br /&gt;Urge your customers to keep their confidential information confidential. Consumers should not provide this information over the web and certainly not to someone who calls them. Even if the caller provides a number to call them back, consumers should verify that the number is correct. These scammers are known to provide fake call-back numbers that simply ring in their own offices, just as they provide false website addresses.</description><link>http://www.bankersonline.com/phishing/2008/03/you-have-irs-refund-and-someone-wants.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-8216099337979831369</guid><pubDate>Thu, 14 Feb 2008 07:09:00 +0000</pubDate><atom:updated>2008-02-13T23:11:04.813-08:00</atom:updated><title>Watch Out for a Valentine's Day Storm</title><description>The FBI issued a warning that the Storm Virus may be attached to St. Valentine's Day e-cards. The e-card contains a link that takes the reader to a malicious site where the virus can infect the reader's computer. 
&lt;br /&gt;&lt;br /&gt;If you are not expecting an e-card or don't know the sender, don't open the card.&lt;br /&gt;&lt;br /&gt;The FBI asks that if you have received this, or a similar e-mail, please file a complaint at &lt;a href="http://www.ic3.gov/"&gt;www.ic3.gov&lt;/a&gt;.</description><link>http://www.bankersonline.com/phishing/2008/02/watch-out-for-valentines-day-storm.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-2768509950964802469</guid><pubDate>Sat, 05 Jan 2008 00:52:00 +0000</pubDate><atom:updated>2008-01-27T13:13:41.798-08:00</atom:updated><title>CAN SPAM Enforcement</title><description>You may not know the name Alan Ralsky or the names of the other ten defendants indicted with him, but there is a strong chance they know you...or at least your email address. Ralsky and ten others have been indicted in possibly the largest criminal spam and electronic fraud case in our history. They sent millions of spam messages every day, including many of the pump and dump messages many of us received. This case will represent enforcement of the CAN SPAM law as well as conspiracy, electronic mail fraud, mail fraud and wire fraud.</description><link>http://www.bankersonline.com/phishing/2008/01/can-spam-enforcement.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-5019695466354239111</guid><pubDate>Thu, 15 Nov 2007 03:22:00 +0000</pubDate><atom:updated>2007-11-14T19:24:36.619-08:00</atom:updated><title>File Sharing Software - Tax Returns, Bank Statements and More</title><description>Gregory Kopiloff recently pleaded guilty to one count each of mail fraud, accessing a protected computer without authorization to further fraud, and aggravated identity theft. He was using file sharing programs like Limewire to commit identity theft. 
Individuals have been prosecuted for using these programs to share copyrighted music and movies in the past, but this was the first case, the Justice Department said, where they were used for identity theft.&lt;br /&gt;&lt;br /&gt;Using the file sharing programs, Kopiloff accessed confidential computer files including tax returns, credit reports, bank statements and student financial aid applications. He also used old school methods to gain this information, including stealing mail and dumpster diving. &lt;br /&gt;&lt;br /&gt;Kopiloff will be sentenced January 28 and faces 20 years imprisonment and a $250,000 fine for the mail fraud charge, and five years imprisonment and a $250,000 fine for accessing a protected computer. Aggravated identity theft carries a two year sentence, which can be served consecutively to his other penalties.</description><link>http://www.bankersonline.com/phishing/2007/11/file-sharing-software-tax-returns-bank.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-441741473852907848</guid><pubDate>Thu, 18 Oct 2007 01:54:00 +0000</pubDate><atom:updated>2007-10-17T18:55:30.306-07:00</atom:updated><title>Phishing in the Little Ponds</title><description>You might think that phishing only happens to the big nationwide and international banks, where a big pool of users increases the chances of getting results. Not always true. &lt;br /&gt;&lt;br /&gt;Bank of the Cascades in Bend, OR has fallen victim to a phishing scam. Many of their customers are getting an offer to pay them $100 for clicking a survey link. In about ten days, early this month, 13 customers have fallen for this and provided confidential information to collect their money. The bank has replaced the $15,000 taken so far. &lt;br /&gt;&lt;br /&gt;The bank has a warning on their homepage and a link to good information for internet banking customers so they can avoid a loss. 
&lt;br /&gt;&lt;br /&gt;Are you prepared to react to a phishing attempt at your bank? What will you tell your customers and the press, what will you post on your web site, and what information will you provide your CSRs to handle these issues? If you don't have a plan, there is no time like the present.</description><link>http://www.bankersonline.com/phishing/2007/10/phishing-in-little-ponds.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-1553034750974297083</guid><pubDate>Fri, 05 Oct 2007 03:33:00 +0000</pubDate><atom:updated>2007-10-04T20:35:35.315-07:00</atom:updated><title>77 Arrests -- $2 Billion in Bad Checks</title><description>The U.S. Postal Inspection Service said that 77 recent arrests are the result of an international crackdown on internet crime. Sixty arrests were made in the Netherlands, sixteen in Nigeria and one in Canada. Three of the suspects from the Netherlands and Nigeria were extradited to New York where they'll stand trial. U.S. authorities are seeking the extradition of five others. These arrests also netted more than $&lt;span style="font-style:italic;"&gt;2.1 billion in fake checks&lt;/span&gt; that were destined for the financial industry. Susan Grant, vice president of the National Consumers League, said the average victim loses about $3,000 to $4,000 and is not aware that they are liable, since the U.S. financial system requires the funds to be paid out even though the check may not have cleared yet.&lt;br /&gt;&lt;br /&gt;"We shut down Internet cafes, we arrested scammers, and significantly disrupted the flow of fake checks into the United States," said Greg Campbell, U.S. 
Postal Inspection Service inspector in charge of global security.</description><link>http://www.bankersonline.com/phishing/2007/10/77-arrests-2-billion-in-bad-checks.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-4990503358828103429</guid><pubDate>Mon, 17 Sep 2007 20:02:00 +0000</pubDate><atom:updated>2007-09-17T14:57:51.141-07:00</atom:updated><title>Is CAN SPAM Effective?</title><description>Recently FBI agent Thomas Grasso of the National Cyber-Forensics and Training Alliance spoke at the Security Standard conference in Chicago. He said the FBI considers the CAN SPAM Act to be an effective tool in combating spam on the internet. He went on to say that even though a lot of spam originates outside of the U.S., our law enforcement agencies are now getting more cooperation from international law enforcement agencies. &lt;br /&gt;&lt;br /&gt;Perhaps more cooperation is the key reason here, as nobody saw the CAN SPAM Act as a silver bullet. It does help the prosecution of offenders in the U.S. but seems to be doing little to reduce spam in my in-box. &lt;br /&gt;&lt;br /&gt;"There's a lot that's changed over the last 10 years," Grasso said. "It used to be if you trace an IP address back to Romania, you're not going to get somewhere with it. That's changed; we now have task forces working with these people overseas, and Eastern European police forces are aggressively going after this, because the problem is starting to affect them, too."&lt;br /&gt;&lt;br /&gt;As to advice, Grasso was asked how Netizens should protect themselves. He said the cybercriminals are getting through the firewalls and malware is being installed. "You need security solutions to be more comprehensive; you need to shore up the perimeter, but you need to worry about what's going on inside the network, too." And based on many press articles of late I'd agree. 
One recent survey showed many users felt they could connect anywhere and security was IT's job. That is a philosophy leading to failure. Security is everyone's job, from not sending confidential data over the wireless network at your local coffee shop to not using links from email sent to you by strangers.</description><link>http://www.bankersonline.com/phishing/2007/09/is-can-spam-effective.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-5237359853889668288</guid><pubDate>Wed, 12 Sep 2007 17:27:00 +0000</pubDate><atom:updated>2007-09-12T10:29:48.649-07:00</atom:updated><title>Are You Ready for Some Football</title><description>The NFL started the regular season last weekend and many fans got a "special" email offering information about the new season. By visiting a linked website they could get an online game tracker which provided the games scheduled, channels to view them and statistics. What the user would actually get would be malware. &lt;br /&gt;&lt;br /&gt;This is the latest incarnation of the Storm Worm. With the Storm Worm on a machine, it can be used to send spam and participate in denial of service attacks without the owner's knowledge. Storm Worm is estimated to comprise 25 percent of all detected malware. Because this program can be updated routinely, even every 30 minutes, it is difficult to detect or remove regardless of how recently the virus protection on that machine was updated. &lt;br /&gt;&lt;br /&gt;User education is the best remedy for this problem. Do not trust email links, especially from an unverified source. 
If you were not expecting a "greeting card from your neighbor" or a link to a breaking news story or an NFL game tracker, don't click the link.</description><link>http://www.bankersonline.com/phishing/2007/09/are-you-ready-for-some-football.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-8399569334693182050</guid><pubDate>Mon, 13 Aug 2007 13:38:00 +0000</pubDate><atom:updated>2007-08-13T09:24:17.946-07:00</atom:updated><title>Pump and Dumps Can Work - Regrettably</title><description>Spam increased 445 percent for one day, according to Postini, a hosted e-mail filtering company. They monitored the volume and, beginning August 7th and ending the 9th, saw a huge increase that is attributed to a pump and dump scheme. Pump and dumps were discussed in my prior blog entry.&lt;br /&gt;&lt;br /&gt;This attack had no virus. The goal seems to have been to get the stock value up for the company mentioned in the PDF attachment, Prime Time Group. The scheme seems to have worked, as the value of Prime Time was up 60 percent on August 8th. &lt;br /&gt;&lt;br /&gt;SophosLabs detected 500 million of these emails. One thing that was different was the size of the PDF file. This one was 10 pages long. This may have been an attempt to thwart spam filters looking for the traditionally smaller attachments spammers have been sending.&lt;br /&gt;&lt;br /&gt;Consumer Reports' 2007 study "State of the Net" projects that in the last two years U.S. 
consumers lost $7 Billion due to viruses, spyware and phishing schemes.</description><link>http://www.bankersonline.com/phishing/2007/08/pump-and-dumps-can-work-regrettably.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-6031901872587635648</guid><pubDate>Fri, 10 Aug 2007 22:48:00 +0000</pubDate><atom:updated>2007-08-10T16:17:46.311-07:00</atom:updated><title>Are you seeing PDF Spam?</title><description>Is there a correlation between all these spam emails you've been seeing telling you that you have a greeting card from a "friend," "neighbor," "mate," or the like, and the increase in other spam emails? Some think so.&lt;br /&gt;&lt;br /&gt;Sophos, a security firm which monitors this, believes the increase is directly related. Spammers used to send plain text messages. Then filters were made to look for certain words, phrases, patterns or the frequency of use of certain words. The spam filters did their job. So the spammers started embedding pictures of their messages in the email. This got them through the word filters. But eventually some filters were catching up to these methods and the success rate at trashing the messages was increasing. So the spammers have gone to attached PDF files. Many users receive valid PDF attachments, so blocking all of these could be detrimental to business. &lt;br /&gt;&lt;br /&gt;Sophos believes there is a correlation between the increase in e-greeting card messages and the PDF (attachment) spam messages. Netizens read the email and go to a linked site for their bogus greeting card. There, they get infected with malicious software (malware) and are unaware they are now being used to help send all these spam messages. &lt;br /&gt;&lt;br /&gt;So far, the attachment spam has not been infectious. It is a "pump and dump" maneuver to artificially inflate a stock's value. The companies are not the problem; it is the investors trying to make a profit on a sale. 
The Securities and Exchange Commission appears worried about stock spam. Last March it suspended trading in 35 companies that had been promoted in email messages.&lt;br /&gt;&lt;br /&gt;While the PDF attachments have not been found to be harmful, as with any attachment, if you are not expecting it, don't open it. And if you are not expecting an e-greeting or don't recognize the sender or the site, don't go there to open it. And as always, keep your antivirus and firewall on and up to date.</description><link>http://www.bankersonline.com/phishing/2007/08/are-you-seeing-pdf-spam.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-8905350515847623732</guid><pubDate>Tue, 26 Jun 2007 16:29:00 +0000</pubDate><atom:updated>2007-06-26T13:49:09.966-07:00</atom:updated><title>$14 Million in Losses, and Now You can Stop Counting</title><description>$14,000,000 is a big number. So is 28,000. That is the number of credit and debit card numbers that were recovered in an international identity theft ring bust.&lt;br /&gt;&lt;br /&gt;The U.S. Secret Service worked with the French National Police (FNP), who arrested one of the fraud leaders known on the internet as "Lord Kaisersose" and three of his associates in France. In Miami the Secret Service was executing search warrants of their own and recovered the 28,000 compromised account numbers. Losses attributed to those arrested are estimated at $14 million. &lt;br /&gt;&lt;br /&gt;In a separate investigation the Secret Service coordinated with the FNP and the Calgary Police Service, where one arrest was made. Online transactions conducted by "THEEEEL" revealed that he had purchased thousands of dollars worth of credit and debit card numbers. The search and arrest also recovered devices associated with this type of fraud, including skimming and encoding devices as well as counterfeit credit cards. 
&lt;br /&gt;&lt;br /&gt;The same operation that netted THEEEEL also helped arrest "Dron" a month earlier, also in Canada. Dron manufactured the skimmers and had a hundred more under construction at the time. He also had $30,000 in U.S. and Canadian currency, which was seized.&lt;br /&gt;&lt;br /&gt;It is nice to finally see a success story included with all the losses absorbed by the banking industry.</description><link>http://www.bankersonline.com/phishing/2007/06/14-million-in-losses-and-now-you-can.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-754302130739156206</guid><pubDate>Fri, 25 May 2007 16:41:00 +0000</pubDate><atom:updated>2007-05-25T09:53:07.271-07:00</atom:updated><title>BBB Complaint - Review Carefully</title><description>Websense Security Labs is reporting another version of a pesky Trojan that was used earlier this year. This one comes in a Word document, attached to an official looking email from the Better Business Bureau. &lt;em&gt;Be very cautious in your bank and ensure that whoever receives complaints is made aware of this one.&lt;/em&gt; &lt;br /&gt;&lt;br /&gt;The email shows to be from "Better Business Bureaus [mailto:operations@bbb.org]" or "Better Business Bureaus [mailto:complains-serv@bbb.org]" and tells you that a complaint has been filed against your bank/business. It provides a name in the body of the letter. Examples I have seen show it from Mark Williams or James Macmaster, but this, like the "From" address, could easily be changed. It goes on with case numbers and dates so as to appear official. Then it says the Word attachment contains instructions for your response as well as the original complaint. 
In fact it carries a Trojan that installs a keylogger, which uploads your data to an internet address in Malaysia.&lt;br /&gt;&lt;br /&gt;It may well be time to remind employees NOT to open attachments they are not expecting, to scan them first, and to ensure their virus protection, firewalls and other programs are up to date.</description><link>http://www.bankersonline.com/phishing/2007/05/bbb-complaint-review-carefully.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-5868245123029318694</guid><pubDate>Wed, 25 Apr 2007 23:17:00 +0000</pubDate><atom:updated>2007-04-25T16:34:39.255-07:00</atom:updated><title>Phishing to Bashing</title><description>A new rash of threatening emails is taking phishing to a new level. SecureWorks is reporting that emails, apparently targeted at higher income professionals such as doctors and lawyers, are being sent directly to the recipients without the use of relays or other methods to disguise their origin. The messages purport to be from an assassin hired by a third party and threaten bodily harm. For a payment of $30,000 this harm can be avoided.&lt;br /&gt;&lt;br /&gt;The message explains that the assassin has been following them for the last week and knows their routine. Further, the assassin doesn't believe this person has done what is claimed and wants to spare their lives. &lt;br /&gt;&lt;br /&gt;There was a less targeted series of similar threats several months ago. This prompted a January 2007 notice from the FBI to ignore the messages and not respond to them. One person did respond, and what was likely easily obtainable information was used to reinforce the threat. According to the bulletin:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;In one case, a recipient responded that he wanted to be left alone and threatened to call authorities. 
The scammer, who was demanding an advance payment of $20,000, e-mailed back and reiterated the threat, this time with some personal details about the recipient - his work address, marital status, and daughter's full name. Then an ultimatum:&lt;br /&gt;&lt;br /&gt;"TELL ME NOW ARE YOU READY TO DO WHAT I SAID OR DO YOU WANT ME TO PROCEED WITH MY JOB? ANSWER YES/NO AND DON'T ASK ANY QUESTIONS!!!" &lt;/blockquote&gt;&lt;br /&gt;This may be an excellent time to ensure your bank executives and board are briefed on phishing expeditions and this one in particular. General information on not responding to these messages and preferably not opening them in the first place should be communicated.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.fbi.gov/page2/jan07/threat_scam011507.htm"&gt; Jan. 2007 FBI Bulletin&lt;/a&gt;</description><link>http://www.bankersonline.com/phishing/2007/04/phishing-to-bashing.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-117133496724859954</guid><pubDate>Tue, 13 Feb 2007 02:44:00 +0000</pubDate><atom:updated>2007-02-12T18:49:27.260-08:00</atom:updated><title>Perhaps a Picture is not Worth a Thousand Words</title><description>Banks are doing what they can reasonably do to enhance the security of their web sites. Reducing the success of phishers is one goal. Using pictures to help validate the web site is one quick and easy way for the bank and customer to communicate the authenticity of the site. &lt;br /&gt;&lt;br /&gt;The customer is given a number of images and asked to select one.  Then, they will always see that one on their bank's web site before they login. If a customer follows a bogus link to what they believe is their bank's web site, they won't see the one picture they had selected and won't enter their confidential username or password. 
The phisher will be defeated.&lt;br /&gt;&lt;br /&gt;Recent articles originating from the UK have indicated that banks there have made big steps in educating consumers, but that the consumers simply were not getting the message. Further, there is discussion that the consumers should have greater liability when they fail to protect themselves. While there isn't any movement to increase consumer liability here in the US, the same message may be read as to educating consumers.&lt;br /&gt;&lt;br /&gt;A recent joint study between Harvard and the Massachusetts Institute of Technology had 60 internet banking users visit Boston. These were all customers of one bank, using the picture verification for enhanced security. In a controlled environment they were asked to login to their bank's web site and conduct transactions. This was a bogus web site, with no picture to verify. Of the 60 users, 58 proceeded even though there was no picture. Instead they saw a message that the site was undergoing maintenance. The message even had a conspicuous typographical error. &lt;br /&gt;&lt;br /&gt;The picture method is an easy way to enhance existing security at a reasonable cost. The use of a key fob with a frequently changing password or a card with an access chip are other ways, but many consumers dislike the work involved in keeping an additional device handy, and banks see them as cost prohibitive on many accounts that yield little income.&lt;br /&gt;&lt;br /&gt;Consumers need to be educated and they need to understand that this is one type of layered security, but like a chain, it is only as strong as the weakest link. 
Various layers of security will only work when they are properly employed.</description><link>http://www.bankersonline.com/phishing/2007/02/perhaps-picture-is-not-worth-thousand.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-116983025846968995</guid><pubDate>Fri, 26 Jan 2007 16:21:00 +0000</pubDate><atom:updated>2007-01-26T08:50:58.513-08:00</atom:updated><title>Nordea Phishing Update</title><description>Reliable sources now put the amounts involved at 8 million krona ($1.2 million U.S.), although the bank has yet to make any public announcement of the attacks. This story has reached several internet news sites and blogs. &lt;br /&gt;&lt;br /&gt;The laws pertaining to customer notifications must be dramatically different from those in the U.S.&lt;br /&gt;&lt;br /&gt;For more information, see the related story in the January 26, 2007 &lt;a href="http://www.bankersonline.com/technology/techtalk012607.html"&gt;TechTalk&lt;/a&gt;.</description><link>http://www.bankersonline.com/phishing/2007/01/nordea-phishing-update.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-116956464240408400</guid><pubDate>Tue, 23 Jan 2007 15:02:00 +0000</pubDate><atom:updated>2007-01-23T07:08:55.156-08:00</atom:updated><title>Trojan Phishers fill their Nets</title><description>The successful phishing and losses of a bank should get your attention, so that you can learn from them and prevent the same type of losses at your bank. It doesn't matter that this bank is outside the US; part of the crime happened here and this could be any bank.&lt;br /&gt;&lt;br /&gt;Nordea, a Swedish bank, has at least 250 customers who fell victim to a Trojan. More than 100 other accounts are still being reviewed. The Trojan is activated when the customer logs into their internet banking account. 
The customer would receive an error message and their information would then be sent to the phishers in both the US and Russia.&lt;br /&gt;&lt;br /&gt;Approximately 900,000 Swedish krona ($129,000 US) has been stolen but, as noted, more accounts are under review. The bank was able to identify some transfers early and stop them before they became losses.&lt;br /&gt;&lt;br /&gt;Were the customers irresponsible because they had these Trojans on their computers? Should the bank have to accept the losses? US laws protect consumer accounts, and the bank would suffer the loss in most cases, either because of the laws or because confidence in these systems must be maintained for growth. This means that &lt;em&gt;prevention&lt;/em&gt; is the key ingredient to both confidence and growth. &lt;br /&gt;&lt;br /&gt;When is the last time you reminded customers to update their virus protection programs and ensure their firewall was active and effective, and perhaps provided an incentive for this? With the release of the new Microsoft operating system, many consumers are expected to upgrade their systems. Remind them, even show them, where these settings are and what they need to do to protect themselves from phishers, Trojans, viruses and the like. 
The dollars and time they save may be yours.</description><link>http://www.bankersonline.com/phishing/2007/01/trojan-phishers-fill-their-nets.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-116681987565407444</guid><pubDate>Fri, 22 Dec 2006 20:29:00 +0000</pubDate><atom:updated>2007-01-12T15:42:34.130-08:00</atom:updated><title>Government Phishes to Test Security</title><description>Several government agencies plan to use Core Security Technologies' CORE IMPACT software to self-test their employees on compliance with their IT/email security policies.&lt;br /&gt;&lt;br /&gt;Some of these agencies include the military services, the Homeland Security Department and the Department of Veterans Affairs. Future plans for expanded use include the Labor, Energy and Agriculture departments, the National Institute of Standards and Technology, the U.S. Agency for International Development, the U.S. Courts and the U.S. Postal Service.&lt;br /&gt;&lt;br /&gt;"Businesses are recognizing the severity of client-side attacks and are demanding solutions that help them more accurately evaluate their potential exposure," Paul Paget, chief executive officer at Core Security, said in a statement.&lt;br /&gt;&lt;br /&gt;This form of auditing should reveal real world results as to the effectiveness of the policies and training.</description><link>http://www.bankersonline.com/phishing/2006/12/government-phishes-to-test-security.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-116378269130773830</guid><pubDate>Fri, 17 Nov 2006 16:06:00 +0000</pubDate><atom:updated>2006-11-17T08:58:11.386-08:00</atom:updated><title>You Work While They Phish</title><description>Here is a recent email that ended up in my spam box.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;font color="#FF0000"&gt;IMPORTANT CHANGES COMING TO ONLINE BANKING - PLEASE READ&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;We've 
been working to implement new security enhancements to help deter fraud and ensure that we are providing you with the highest level of security while you are banking online. In the coming weeks, you will begin to notice a few changes to your online banking experience. Please note that for your protection, these new features will be required, but it will only take a few minutes of your time to walk through the set-up.&lt;br /&gt;Most of the security enhancements are occurring behind the scenes. With the exception of a few initial steps on your part, you won't notice a change to the way you regularly manage your finances online. &lt;br /&gt;&lt;br /&gt;The only thing you are asked to do is to update your personal information so our new security enhancements will be more effective.&lt;br /&gt;To do that please click here and login to your Service CREDIT UNION online account. &lt;br /&gt;&lt;br /&gt;You will notice one important change to the service prior to setting up your service questions and personal image: starting soon, when you log on to online banking, you will enter your user id on one screen and then enter your password on the next screen. In the background, we will be validating your user id.&lt;br /&gt;Look for more information on these enhancements in the coming weeks.&lt;br /&gt;&lt;br /&gt;Please do not reply to this message. For any inquiries, Contact Customer Service.&lt;br /&gt;&lt;br /&gt;Service CREDIT UNION, N.A. Member FDIC, Equal Housing Lender&lt;br /&gt;©2006 Service Credit Union. All rights reserved.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;No, I do not have an account at the Service Credit Union. Nor do I think they are FDIC insured. But will a real customer of this institution pick up on the insurance, or will they divulge their confidential information first?&lt;br /&gt;&lt;br /&gt;While you are working on your multi-factor authentication procedures, there are phishers working on getting your customers' information. 
They hope this will lead to getting your money. We know this because phishing is working on fewer people, but those falling for it are losing more money. And who pays these customers back -- you do. It is your money.&lt;br /&gt;&lt;br /&gt;As you work on multi-factor authentication or resolving customer losses next weekend, think about this. Symantec has researched the frequency of phishing attacks and sees a 30 percent dip in attacks over the weekends. We used to see many of these late Friday so the bank had a harder time reacting. Fortunately we're seeing fewer attacks against the banking industry. But that doesn't mean there are none. This is evidenced by the email I copied above and likely by your in-box as well.&lt;br /&gt;&lt;br /&gt;Some considerations as we move into the year end when customers are vulnerable:&lt;br /&gt;1 - Contact your customers and tell them how, when and why you'll contact them. &lt;br /&gt;2 - Let customers know what information you won't ask them to verify in an email and if your email will be addressed to them personally. "Dear Andy" tells me they know me, "Dear Customer" or nothing at all tells me they don't.&lt;br /&gt;3 - Educate customers and employees on how to report suspicious e-activity. Do you have a toll-free number and a web site link on your homepage? Do you offer seasonal security speakers to groups or invite groups into the bank?&lt;br /&gt;4 - Have a written phishing response plan in place.</description><link>http://www.bankersonline.com/phishing/2006/11/you-work-while-they-phish.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-116222301929265035</guid><pubDate>Mon, 30 Oct 2006 15:38:00 +0000</pubDate><atom:updated>2006-10-30T09:26:53.636-08:00</atom:updated><title>How Much ID Theft Starts on the Web?</title><description>Last week, Javelin Strategy &amp; Research released a study on identity theft. 
This reinforces some earlier reports we've read indicating that the majority of the theft does not start with those phishing emails or phony web sites. Despite some recent big losses at E-Trade Financial Corp. and TD Ameritrade, Javelin reports that 90 percent of the thefts start with the "old school" methods involving stolen bank statements, credit card bills, stolen checks and passwords, as examples. "The Internet always grabs the headlines, but it is individuals who are close to the victims, such as family and friends, that are doing most of it," said James Van Dyke, president of Javelin.&lt;br /&gt;&lt;br /&gt;One in ten cases starts with the Web, email, a faked web site, or some other means of obtaining confidential consumer information. Javelin reports four percent of Americans were affected by identity theft in 2005. While this number is decreasing, the amount of each loss is growing. So there are fewer losers, but more losses.&lt;br /&gt;&lt;br /&gt;While these numbers may influence your collateral materials and talk-offs to point your customers in the right direction for their own data security, financial institutions must remain ever vigilant in their own efforts. You must protect your customer data and you must encourage the customer to do the same. Even if a customer suffers a loss due to their own negligence, you may suffer the blame in whole or in part, and may still lose that customer as they try to re-establish themselves, but at another institution. &lt;br /&gt;&lt;br /&gt;Promote to your customer what you are doing. Tout your efforts in multifactor authentication, tell the customer what you will be doing in the near future and what you won't be doing. Tell them you won't be asking them for their account number, SSN or debit card information. Tell them scammers out there may, and how they should contact you in the event someone does target them. 
Sometimes the best defense is a good offense.</description><link>http://www.bankersonline.com/phishing/2006/10/how-much-id-theft-starts-on-web.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-116121033556714032</guid><pubDate>Wed, 18 Oct 2006 22:01:00 +0000</pubDate><atom:updated>2006-10-18T15:25:35.566-07:00</atom:updated><title>Phishing Doesn't Really Work, Or Does It!</title><description>Indiana University conducted a survey, "Designing Ethical Phishing Experiments: A Study of eBay Query Features" which may elevate your phears of being phished. While the Gartner Group estimated that three percent of recipients fall for these fraudulent messages, IU's study reveals a much higher number, 14 percent!&lt;br /&gt;&lt;br /&gt;Gartner's estimates don't include unreported incidents as many people are embarrassed to admit it or don't know yet that they did. The IU study sent a faked message just as a phisher would. They chose an eBay-themed message because of eBay's popularity as a real-world interface to cyberspace. A phishing message would normally send confidential information back to those wanting to commit theft. The IU message sent back a confirmation that the user had logged on. It could just as easily have been the confidential data. 
And these are not estimates, these are hard numbers.&lt;br /&gt;&lt;br /&gt;Click here to read the PDF report: "&lt;a href="http://www.informatics.indiana.edu/markus/papers/ethical_phishing-jakobsson_ratkiewicz_06.pdf"&gt;Designing Ethical Phishing Experiments: A Study of eBay Query Features&lt;/a&gt;."</description><link>http://www.bankersonline.com/phishing/2006/10/phishing-doesnt-really-work-or-does-it_18.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-116110289136903682</guid><pubDate>Tue, 17 Oct 2006 16:16:00 +0000</pubDate><atom:updated>2006-10-17T09:34:51.423-07:00</atom:updated><title>A New Nigerian 419 Scam, Overnight Delivery</title><description>We're hearing of a new scam since so many people are now familiar with the Nigerian 419 scam. The old scam was something like "I found $36 Million and it doesn't belong to anyone. I need to move it out of the country and I picked you to help me out of every other person in the world. I'll give you $4 Million if you help me."&lt;br /&gt;&lt;br /&gt;The new scam includes the sale of an expensive motorcycle or car (Suzuki Katana GSX&amp;#8722;600 4500 or a BMW Z3 Roadster) offered through a site like autotrader.com or car.com. The sales price is too good to be true. But the buyer is asked to pay shipping and the ship-from site is usually in Spain or another European country. &lt;br /&gt;&lt;br /&gt;The seller recommends they use an escrow site and then ship with DHL or Lufthansa Cargo. The websites and escrow companies referred to are faked. Some even caution the user to watch out for Internet fraud. And naturally, no shipping ever happens as there was nothing to sell. 
&lt;br /&gt;&lt;br /&gt;While seen in Europe for now, this is yet another scam to watch for and to caution your customers about.</description><link>http://www.bankersonline.com/phishing/2006/10/new-nigerian-419-scam-overnight.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-115923766939337187</guid><pubDate>Mon, 25 Sep 2006 23:56:00 +0000</pubDate><atom:updated>2006-09-25T19:27:49.536-07:00</atom:updated><title>The Phishing is Good -- for the Bad Guys</title><description>Symantec reports that phishing in the first six months of 2006 is up 81% over the prior six-month period. More than 157,000 unique phishing messages were found. Each of these could be sent to many thousands of netizens. The reason they keep going is because a certain percentage work. Another trend seen in the data indicates that the phishers have become more sophisticated. They're learning how to bypass the spam filters and other programs designed to keep them out.&lt;br /&gt;&lt;br /&gt;Financial institutions must be ever vigilant in educating customers and teaching employees to watch for warning signs. Advise your customers how you'll contact them, if you'll ever need to verify confidential information, how to verify a request is valid prior to responding and where you'll post any information about Internet fraud (such as your homepage) in the event they suspect something is wrong. This is especially important if you are implementing multifactor authentication. &lt;br /&gt;&lt;br /&gt;I received an email a few days ago advising me that I needed to visit the bank's website and enter some confidential questions which will be part of their multifactor authentication. It said I haven't been to the site since they began the program. But I had, and I knew I input the questions. I verified the authenticity of the request and then discovered that I had started, but not completed their process. 
Had that been a phishing expedition, I can easily imagine customers running straight for it. Even though it was valid, they didn't make it easy for me to validate their email and it took almost 8 hours for them to do so. It could have been better.&lt;br /&gt;&lt;br /&gt;Make it easy for your customers to know what is happening. Knowledge is power. Knowledge is fewer losses.</description><link>http://www.bankersonline.com/phishing/2006/09/phishing-is-good-for-bad-guys.html</link><author>Andy</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-15293535.post-115103110537913708</guid><pubDate>Fri, 23 Jun 2006 02:34:00 +0000</pubDate><atom:updated>2006-06-22T19:51:45.396-07:00</atom:updated><title>Phishing with a Social Engineering Hook</title><description>Here is the method: the phisher sends an email to the bank Security Officer, reporting a malicious web site that the bank may need to shut down. The enthusiastic Security Officer digs in to see what he'll be able to accomplish today but the site is a bust.&lt;br /&gt;&lt;br /&gt;A month later the Security Officer discovers the email had malware and it infected his computer when he opened it to go to the web site. &lt;br /&gt;&lt;br /&gt;Not only do financial institutions need to keep software up to date to protect against viruses, Trojans and malware, but users must be educated to avoid the pitfalls of social engineering. All users need training and reminding. Experts are seeing more targeted attacks in place of the mass phishing expeditions that were seen in the past. In this real life example, we see how one PC could be compromised and you would have to ask, what other systems, and what data could be exposed as a result of this first open door?</description><link>http://www.bankersonline.com/phishing/2006/06/phishing-with-social-engineering-hook.html</link><author>Andy</author></item></channel></rss>