Skip to content

Phishing for a Banking Solution

Phishing, coined in 1996 to describe the theft of AOL accounts, commonly uses spam e-mails and Web sites mimicking legitimate institutions to lure victims into providing sensitive information. And it?s back in the news as the IRS warns the public to disregard fake emails that claim to aid in the receipt of rebate checks.

In 2008, phishing attacks have continued to rise drastically; prompting popular internet search engine Google and internet browser giants Mozilla and Microsoft to set up additional security measures to combat it. While these attacks are broadening into other types of service industries, 90 percent of all strikes are still aimed at financial institutions, according to MarkMonitor, a brand protection firm.

Responding to the threat, in late 2007 the Federal Reserve issued the Red Flag rule which requires all financial institutions to conduct an ID theft assessment of their organization and, based on those findings, develop measures to mitigate the risks. On November 1, 2008, those safety measures must be in place. Violators will face potential sanctions and monetary penalties.

According to a component of the Red Flag rule, each financial institution must have a method to detect phishing activities and a means to police the attacks. As the online threat risks change daily, phishing detection increasingly requires constant Web site surveillance of a financial institution?s domains, trademarks and commonly used phases to ensure the safety of customer information. If a fraudulent Web site is identified, there must be a process in place to take it down quickly to avoid any further harm to the public, while deterring future attacks.

Although these two tasks seem rather simple, they are complex in their orchestration. Over 100,000 fake Web sites a month are posted to the Internet, a three-fold increase from last year, accordingKKM to Secure Identity Systems, a provider of managed, total identity theft protection systems. And phishers will continue to take steps to ensure that the process is as difficult and time consuming as possible often hosting their sites in developing countries with limited law enforcement. Banks aren?t equipped to handle the task of monitoring millions of domain name servers for Web site registrations seeking to defraud customers. To do so, requires a large search capacity and sophisticated tools.

After scouring the Internet and finding fraudulent Web material, financial institutions must analyze and organize each phishing incident according to the risk posed to the organization and its customers. Instituting a standard operating procedure is necessary to respond to threats before a situation occurs. Important questions to ask include: Who will handle all the logistics involved with taking down the Web site? If the Web site can?t be taken down right away, can access be limited? What is the standard response time from identifying a phishing Web page to taking it offline?

On November 1, financial institutions must have the answers to these questions along with additional safeguards in place to repel phishing attacks. Full compliance with the new regulations means having an accurate assessment completed and active programs that take in to account the total phishing risk across all access points.

Phishing will not go away any time soon. In fact, the current trend shows attacks continuing to rise. In 2007, phishing attacks nationwide soared as $3.2 billion was lost, according to a survey by Gartner, Inc. The survey also found over 3.5 million adults lost money in phishing incidents, compared with 2.3 million a year prior.

Methods at detecting fake sites are becoming more efficient. However, fraudsters are adapting and finding more technologically savvy methods to avoid notice.

Is your bank prepared for the Red Flag rule compliance and the next generation of phishing techniques? It?s not too late to find solutions.

Secure Identity Systems is the only company in the U.S. that offers the end-to-end solution for Red Flag compliance including: Initial Risk Assessment, Policies and Procedures Manual, New Account Authentication, Change of Address Verification, Identity Theft Protection with fully managed recovery, On-site Staff Training, and an Anti-Phishing Program. For additional information, please call (615) 377-7661, or e-mail:

First published on 8/04/08

First published on 08/04/2008

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics