Could Someone Successfully "Phish" for Your Customers?
by Andy Zavoina
If your customers received an email that purports to come from your bank, directing them to click on a link, go to "your" Web site, and enter personal information, or perhaps information relating to their account with you or their online user name or password, what are the odds they would fall for it? We hope the odds are small, but we've seen some of these scam emails recently that appear pretty convincing, and the OCC is worried enough about the rising incidence of this crime to put out Alert 2003-11 dealing with customer identity theft and email related fraud threats.
In case you're not familiar with the term "phishing", the OCC says that it involves sending customers a seemingly legitimate e-mail request for account information, often under the guise of asking the customer to verify or reconfirm confidential personal information such as account numbers, social security numbers, passwords, and other sensitive information. In the e-mail, the perpetrator uses various means to convince customers that they are receiving a legitimate message from someone the customer may already be doing business with, such as a bank.
What can you do to reduce your customers' susceptibility to this threat?
- Read the OCC's Alert;
- Protect your domain name against copycats, sound-alikes, and look-alikes. Revisit OCC Alert 2000-9 on protecting bank Internet addresses;
- Go check your domain name record online. Renew it for the maximum number of years. Make sure it's within your control and that the administrative and technical contact information is current and valid;
- Educate your customers about the fact that your bank will NOT communicate with them via email to ask them to enter confidential information. Remind customers that if they receive an email they believe to be from the bank, they should go to the bank's Web site by using a bookmark/favorite they've established for it, or by typing in the bank's address from their bank statement or other official bank correspondence. Post similar notices on your Web site;
- Warn customers about phishing and tell them what to watch out for;
- Take a good hard look at your customer authentication practices, and compare them to the guidance given in the FFIEC's publication "Authentication in an Electronic Banking Environment". Are you doing enough to reduce the chances for a customer's login and password to be compromised?
- Tell customers about resources available from the FTC to help protect them, including their identity theft brochures and a new brochure called "How Not to Get Hooked by the 'Phishing' Scam". Mention these publications when you have an opportunity to communicate to civic groups, too.
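As an added illustration, not part of the original article or of any OCC or FFIEC publication, the Python below puts two items from the list above into code: it generates look-alike and copycat candidates for a bank's domain (the names the domain-protection items ask you to watch for or register defensively), and it screens the links in a suspect e-mail for the signs the customer-education items describe: a look-alike host, a raw IP address in place of a name, a "user@host" prefix that hides the real host, or visible text that names the bank while the link goes somewhere else. The bank domain, the e-mail body, the homoglyph table and the affix list are all constructed for the example and are assumptions, not data from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: characters that read alike at a glance,
# and the marketing-style affixes copycat registrations tend to use.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5"}
MULTI_CHAR = {"m": "rn", "w": "vv"}  # one letter rendered as two
AFFIXES = ("secure", "online", "login", "verify")
ALT_TLDS = ("com", "net", "org", "biz")


def lookalike_domains(domain: str) -> set[str]:
    """Return copycat, sound-alike and look-alike candidates for a domain.

    Covers homoglyph substitution, omission, transposition, doubled letters,
    affix copycats, and the same name under other top-level domains.
    """
    label, _, tld = domain.lower().partition(".")
    labels = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if ch in MULTI_CHAR:
            labels.add(label[:i] + MULTI_CHAR[ch] + label[i + 1:])
        labels.add(label[:i] + label[i + 1:])            # omitted letter
        labels.add(label[:i] + ch + label[i:])           # doubled letter
        if i + 1 < len(label):                           # swapped pair
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    for affix in AFFIXES:
        labels.update({f"{affix}-{label}", f"{label}-{affix}",
                       f"{affix}{label}", f"{label}{affix}"})
    labels.discard(label)
    candidates = {f"{c}.{t}" for c in labels for t in {tld, *ALT_TLDS}}
    candidates.update(f"{label}.{t}" for t in ALT_TLDS if t != tld)
    return candidates


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host; adequate for the .com/.net/.org names here."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str, bank_domain: str) -> list[tuple[str, list[str]]]:
    """Flag links in an e-mail body that show the warning signs of phishing."""
    lookalikes = lookalike_domains(bank_domain)
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if registrable(host) in lookalikes:
            reasons.append("look-alike domain")
        if bank_domain in text.lower() and registrable(host) != bank_domain:
            reasons.append("display text names the bank, href does not")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address host")
        if "@" in parsed.netloc:
            reasons.append("user@host prefix hides the real host")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample e-mail: one look-alike host, one IP host with the bank's
# URL as visible text, and one legitimate link that must not be flagged.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://www.examp1ebank.com/verify">verify your account</a>.</p>
<p>Or visit <a href="http://203.0.113.7/login">http://www.examplebank.com/login</a>.</p>
<p>Questions? <a href="http://www.examplebank.com/contact">www.examplebank.com/contact</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href, "->", "; ".join(reasons))
```

The candidate list is what you would feed to a WHOIS or DNS check (not done here, so the block runs offline) to see which look-alikes are already taken; the link screen is the machine version of the advice to customers: trust the address you typed or bookmarked, not the one in the message.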
The original version appeared in the September 2003 edition of the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com
First published on 09/01/2003