Skip to content

Your Web Site Was Spoofed -- Now What? by John Burnett

Your Web Site Was Spoofed -- Now What?
by John Burnett

One of the more effective tools used by scam artists in phishing and pharming attacks is the "spoofed" Web site. The look and feel of a legitimate site -- often a financial institution's site, but any Web commerce site will do -- is copied, and the customer is fooled into entering information such as an Internet banking username and password, credit card information or other information that a criminal can use to fraudulently use the customer's account or steal the customer's identity.

Successful "spoofs" of your Web site can expose your institution to strategic, operational, and reputational risks. They can result in a risk of unintentional release of private customer information, and expose institutions and their customers to financial losses.

OCC Provides Strategy Suggestions
In its July 1, 2005, Bulletin 2005-24, the OCC provides suggestions that all financial institutions can use to form strategies for dealing with Web-site spoofing attempts. Institutions are advised to assign specific employees the responsibility for responding to spoofing incidents, and to train those individuals in effective response techniques. If Internet activities are outsourced, suggests the agency, contractual responsibility should be placed upon the service provider for managing and reporting spoofing incidents, in coordination with the institution's internal procedures.

Related Links
OCC Bulletin 2005-24 - Threats From Fraudulent Bank Web Sites
Word version Text version

OCC Alert 2003-11 - Customer Identity Theft: E-Mail Related Fraud Threats
Word version Text version

The OCC suggests that institutions establish advance contacts with the FBI and local law enforcement to coordinate response strategies with those authorities. The agency also recommends ongoing customer education programs designed to remind customers of safe computing practices, and of the characteristics of Internet-related scams, including spoofed Web sites and fraudulent e-mail messages.

Detecting the Spoofing Attempt
Detection of spoofing attempts involves more than management of customer complaints and incident reports. It requires active monitoring of information inside and outside the institution to detect possible indicators of fraudulent activity, such as:

  • E-mail messages returned to institution mail servers that were not originally sent by the institution. In some cases, these e-mails may contain links to spoofed Web sites;
  • Reviews of Web-server logs can reveal links to suspect Web addresses indicating that the institution's Web site is being copied or that other malicious activity is taking place;
  • An increase in customer calls to call centers or other institution personnel, or direct communications from consumer reporting spoofing activity.

Institutions can also search the Internet, using available search engines and other tools to scan Web sites, bulletin boards, news reports, chat rooms, newsgroups and other forums to detect usage of the name of the institution or related companies. These searches may reveal recent registrations of domain names similar to the institution's name. This effort can be outsourced to third parties providing monitoring services.

Protecting Against, and Responding to, Customer Information Breaches
CD-ROM Training

This CD-ROM training will help you understand the regulatory requirements, as well as the practical considerations, for developing and implementing your program. It also contains sample Web site language, sample customer notifications, suggestions for response team activities, and checklists for action. Order it now in the Banker Store!

Gathering Information
An effective response to a spoofing incident requires information about the attack. This information can be used both to assist law enforcement, and to help the institution shut down the fraudulent Web site. Information that can be helpful in these efforts includes:

  • The means by which the institution became aware that it was the target of a spoofing incident (e.g., report received through Web site, fax, telephone, etc.);
  • Copies of any e-mails (with header information, if possible) or documentation regarding other forms of communication (e.g., telephone calls, faxes, etc.) that were used to direct customers to the spoofed Web sites;
  • Internet Protocol (IP) addresses for the spoofed Web sites along with identification of the companies associated with the IP addresses;
  • Web-site addresses (universal resource locator - URL) and the registration of the associated domain names for the spoofed site; and
  • The geographic locations of the IP address (city, state, and country).

The Response
Institutions should establish consistent, structured procedures for responding to spoofing attacks. Effective procedures will be designed to shut down fraudulent Web sites, recover personal information from the spoofed site to protect customers, and preserve evidence for law enforcement. These efforts should be coordinated with the institution's legal counsel as needed. The OCC suggests that institutions include the following, as appropriate, in their response plans:

  1. Communicate promptly, including through written communications, with the Internet service provider (ISP) responsible for hosting the fraudulent Web site and demand that the suspect Web site be shutdown;
  2. Contact the domain name registrars promptly, for any domain name involved in the scheme, and demand the disablement of the domain names;
  3. Obtain a subpoena from the clerk of a U.S. District Court directing the ISP to identify the owners of the spoofed Web site and to recover customer information in accordance with the Digital Millennium Copyright Act;
  4. Work with law enforcement;
  5. Use other existing mechanisms (such as SARs) to report suspected spoofing activity;
  6. Write letters to domain name registrars demanding that the incorrect use of their names or trademarks cease immediately;
  7. If these demand letters are not effective, companies with registered Internet names can use the Uniform Domain Name Dispute Resolution Process (UDRP) to resolve disputes in which they suspect that their names or trademarks have been illegally infringed upon. This process allows companies to take action against domain name registrars to stop a spoofing incident. The UDRP can be relatively time-consuming. For more details on this process see; and
  8. Additional remedies may be available under the federal Anti-Cybersquatting Consumer Protection Act (ACCPA) allowing the institution to initiate immediate action in federal district court under section 43(d) of the Lanham Act, 15 USC 1125(d). Specifically, the ACCPA can provide for rapid injunctive relief without the need to demonstrate a similarity or likelihood of confusion between the goods or services of the parties.

Contacting Your Regulator and Law Enforcement
The OCC suggests that institutions targeted by spoofing attacks immediately notify their primary federal regulatory agency, and report the incident to the FBI and appropriate state and local law enforcement. Complaints can also be filed with the Internet Fraud Complaint Center, a joint effort of the FBI and the National White Collar Crime Center. Institutions can also work with "Digital Phishnet," a cooperative effort of industry and law enforcement designed to support the apprehension of criminals involved in phishing-related crimes, including spoofing.

Institutions can also forward suspicious e-mails to the Federal Trade Commission at

First published on 7/13/05

First published on 07/13/2005

Search Topics