Thread Options
|
#1454715 - 10/13/10 05:54 PM
Identity Theft?
|
Power Poster
Joined: Nov 2000
Posts: 2,701
PA
|
I must be having a brain freeze because I think this should be an easy question: If a customer discloses personal information in response to a phishing e-mail, has identity theft occurred at that point or not until the phisher actually uses the customer's information? I'm thinking it's already ID theft, but then the definition says ID theft is "a fraud committed or attempted using the identifying information of another person without authority." (emphasis mine) I've got myself confused.
Several of our customers responded to a phishing e-mail and I'm trying to figure out if I need to file a SAR, if it's an actual case of ID theft for my Red Flags report, etc.
_________________________
Opinions expressed are mine and not necessarily those of my employer.
|
Return to Top
|
|
|
|
#1454792 - 10/13/10 06:50 PM
Re: Identity Theft?
Deena
|
Power Poster
Joined: Nov 2004
Posts: 5,925
So Cal
|
I tend to agree with you Deena. Unless someone has attempted to use the information, I don't think ID theft has occurred (yet).
However, the phishing could be ID theft if the phisher impersonated, or used identifying information of, another person or entity to conduct the phishing. The impersonated entity could be the victim of ID theft here.
_________________________
I've just writed a wrong.
|
Return to Top
|
|
|
|
#1454856 - 10/13/10 07:59 PM
Re: Identity Theft?
Ted Dreyer
|
Power Poster
Joined: Nov 2000
Posts: 2,701
PA
|
We actually have the bank being notified that a customer has transmitted personal information in response to a phishing scam as one of our red flags, but now that we have the red flag, I just wasn't sure whether we actually had ID theft yet if the information hasn't been used. I do agree that the phishing scam itself is a crime and I suppose the bank is actually an ID theft victim since it was our information that was used to carry out the scam. Even if I don't have to file a SAR, if it's ID theft I have to report it as such when I make my annual report to the board, right?
_________________________
Opinions expressed are mine and not necessarily those of my employer.
|
Return to Top
|
|
|
|
#1454940 - 10/13/10 09:20 PM
Re: Identity Theft?
Ted Dreyer
|
Power Poster
Joined: Nov 2000
Posts: 2,701
PA
|
We have responded appropriately (according to our program), but I'm still not sure this is a "significant incident" since the information has not been used as far as we know.
_________________________
Opinions expressed are mine and not necessarily those of my employer.
|
Return to Top
|
|
|
|
#1454946 - 10/13/10 09:38 PM
Re: Identity Theft?
Deena
|
Power Poster
Joined: Nov 2004
Posts: 5,925
So Cal
|
Appropriate responses might also be to close the account and reopen a new one, have the customer change his/her PIN, reissue ATM/Debit Card, etc. It depends on what specific information your customer provided to the fraudster. These actions could be part of satisfying the requirement to prevent and mitigate the risk of ID theft as Ted noted. If you wait for the info to be used and something slips by, you might be criticized for not "preventing and mitigating" the risk.
_________________________
I've just writed a wrong.
|
Return to Top
|
|
|
|
#1455001 - 10/14/10 11:26 AM
Re: Identity Theft?
GuitarDude
|
Power Poster
Joined: Nov 2000
Posts: 2,701
PA
|
Thanks, GuitarDude, we've done all those things - they are all responses called for by our program.
_________________________
Opinions expressed are mine and not necessarily those of my employer.
|
Return to Top
|
|
|
|
#1455076 - 10/14/10 02:00 PM
Re: Identity Theft?
Ted Dreyer
|
Power Poster
Joined: Nov 2000
Posts: 2,701
PA
|
Ted, there is definitely a connection. Someone sent out a phishing e-mail that looked like it was from our bank. The e-mail was sent to both customers and non-customers. We have had at least three customers tell us that they provided information in response to the e-mail. I'm thinking I'll report this with my board report but I don't think we'll file a SAR. Would you agree?
_________________________
Opinions expressed are mine and not necessarily those of my employer.
|
Return to Top
|
|
|
|
#1455410 - 10/14/10 07:45 PM
Re: Identity Theft?
Deena
|
Power Poster
Joined: Sep 2001
Posts: 6,029
Sweet Home AL
|
I would consider that to be a significant event. At this point, you have no idea how many customers have been affected. You just know about the 3 that brought it to your attention. I would activate my incident response plan, file a SAR and call my examiner to discuss. They may have information about similar incidents that could help you better manage this breach event. Understanding your regulatory examiner's expectations can help you avoid criticism in the future.
_________________________
Life without Jesus is like an unsharpened pencil - it has no point.
|
Return to Top
|
|
|
|
#1455574 - 10/15/10 12:21 PM
Re: Identity Theft?
Ted Dreyer
|
Power Poster
Joined: Nov 2000
Posts: 2,701
PA
|
Thanks to all for your responses. As I said, I will definitely report it in my Red Flags report to the board. I still don't know about filing a SAR though. I have no dollar amount and no suspect, so what would I report?
_________________________
Opinions expressed are mine and not necessarily those of my employer.
|
Return to Top
|
|
|
|
|
|