Phishing Season: Fraudsters Step Up Attacks on Financial InstitutionsNew Scams Target Key Executives, Finance Employees
"This scam instructed the receiver to call a local phone number, so we classified this as a vishing (voice phishing) scam," says Adam Jones, VP and Chief Information Officer of the credit union. "Once notified, our staff performed a reverse lookup on the phone number to determine who owned it." The credit union then submitted a cease and desist letter to the company that owned the phone number. The company worked closely with the credit union to ensure all calls routed to this number were rejected within 45 minutes of notification. "Our cease and desist letter asks for forensic information but we were unable to obtain any in this case."
In previous vishing incidents, the credit union was able to obtain a list of calling numbers and recordings of the scam in an effort to notify the members and block accounts before fraud occurred.
Sadly, such incidents are a familiar refrain.
Financial institutions throughout the U.S. increasingly report similar phishing attacks. One banking executive who wishes to remain unnamed says, "We have experienced an alarming increase in all forms of phishing over the past year -- at least five to 10 legitimate phishing attempts a day." Another major Arizona financial institution reports that it is seeing anywhere from two to 20 attacks per day against its brand.
Phishers Hone in on Targets
The Anti-Phishing Working Group (APWG) found in January 2008 there were 29,284 unique phishing reports from its member companies, which is an increase of 3,600 over the previous December. APWG also reports that financial services continue to be the most targeted industry sector at 92.4 percent of all attacks recorded in the month of January. The APWG phishing attack repository is the Internet's most comprehensive archive of email fraud and phishing activity.
Peter Cassidy, Secretary General of the APWG (www.antiphishing.org) says financial institutions should focus on increasing awareness of treasury employees -- those people inside banking organizations and other companies who are the CFOs or account managers with money responsibilities. "This is where we're seeing a marked increased in focused attacks from phishers," says Cassidy. "We can't put a number on them because they are so below the radar right now, but they are specifically targeting key executives and employees with treasury authority," he adds.
Noting the recent spate of fake subpoenas that were emailed to more than 20,000 business executives, Cassidy says this type of phishing attack has been around for about a year. "We even are hearing of regular consumers getting emails saying that there is a warrant out for their arrest," says.
In some of these orchestrated attacks, Cassidy warns, the focus is on key executives and employees. "They're even using live phone interviews, asking for the person to read off their two-factor authentication password to the phisher, who is posing as a security administrator or network administrator in the victim's own company."
This attempt is accompanied with a targeted email just to the victim, with crimeware attached, designed to mine the computer for credentials.
"They're focused on the person they're attacking; they're doing research down to the very human being they want to mine for data, either through social engineering or through technical subterfuge," Cassidy says. "They'll use everything possible up to the most expensive, live telephone contact."
In the case where the person has caller ID, the number can be spoofed to appear as coming from an internal number within the company.
Why would a phisher only focus on one or two employees? "If the attacker believes there is a six- or seven-figure [profit] to be made in this type of attack, it's worth it to them to get down into the very finest details," Cassidy says. "What's a surprise to us is that it took them this long to focus at this level."
Phishing Incidents Increase
Phishing attacks on financial institutions and their customers across the globe have increased steadily over the last six months, according to the latest fraud report from security software specialist RSA. The vendor's March Online Fraud Report says globally the number of banking brands targeted by phishing attacks reached 225 in March -- an all-time high. Of these, 16 new financial institutions were attacked in March. RSA reports U.S. bank brands are the most targeted with 69 percent of attacked entities from the U.S. The targeted institutions break down as such:
RSA attributes the record numbers to a spread of phishing across new verticals and geographic regions.
The IBM Internet Security Systems X-Force group notes in its report of security threats and vulnerabilities for 2007 that of the top 20 companies targeted by phishing in 2007, 19 are in the banking industry. Avivah Litan, a security analyst at Gartner Inc., a national research company based in Stamford, CT., talks to institutions of all sizes and hears of small regional banks that "you'd never expect to be on the criminals' radar that are being hit with these attacks," Litan says.
Even small, rural banks are being targeted, she says. "Phishing is not confined to the big cities and the Bank of America banks, although they're still getting hit," she says. The bigger banks have put in a lot of fraud detection systems and the two-factor authentication systems, she notes, and although those authentication systems have been attacked successfully, "the criminals would still like to go after easier prey."
The report issued by Gartner on phishing in December 2007 really understates the problem, Litan says. "The other problem is financial institutions are not very forthcoming in the losses they are sustaining due to these types of attacks. I don't know if any bank would want to come forward and say they lost millions because of these attacks."
Indeed, there is a question of whether many institutions even know they are being phished. The 2008 State of Banking Information Security survey finds that nearly 40% of respondents' institutions have been phished over the past two years. But because phishing occurs outside the institution, we know that a significant number of businesses simply are not aware of the activity -- not until their customers tell them.
Litan warns that many in the industry don't realize how serious the problem is. "I'm not just spreading fear. There are some institutions out there that are bleeding," Litan says.
Institutions often find out first from their customers or other consumers that their brand is being used in a phishing scam. Educating customers and employees about phishing and its different forms is the first step to take in the fight against the crime, says Jason Stead, Information Security Manager at First National Bank in Scottsdale, AZ. "Our goal is to educate customers on the signs and dangers of phishing attacks, regardless of the medium. We provide regular communications to our customers on phishing dangers, as well as provide educational material on our websites."
Arizona Central Credit Union's best form of prevention is education of both staff and members. Jones says the credit union's staff is trained on how to respond to these types of scams "when they are hired and at least annually thereafter." Jones says the credit union staff is trained on how to respond, "Notifying the correct people to start with gets the scam shutdown much faster," Jones says. "We have also hired a third-party vendor to assist with some of the difficult takedowns."
It's easier to get money out of an institution that doesn't have fraud detection than some institution that does, but they can get them out of both, says Gartner's Litan. Her advice for all institutions, no matter the size: "First thing you have to do is monitor money transfers really carefully. Step number one if you're under attack is to scrutinize all money transfers, including bill payment systems."
The second step is to put in stronger fraud detection mechanisms and authentication. "Criminals are getting better at cross channel attacks -- they'll log into an online banking account," she says. Maybe they will just log on to look around and not move any money. Then they'll call the call center and change something on the account, such as getting checks mailed to them. They may not be moving money out of online banking, so the institution has to look at all the channels. Areas to watch include checking, call centers, ATMs and any links to other accounts.
Litan notes that many of the established fraud detection vendors' technology is already getting out of date. "They're okay for looking at the online channel, but they're not broad enough for the new ways criminals are moving money out of customer accounts," she says.
Beginning in May, HSBC's retail division in the UK will begin using software to visually demonstrate that its websites are genuine and help prevent its customers becoming victims of increasing numbers of phishing scams. The bank will use the extended validation SSL from security vendor VeriSign to give its three million online customers reassurance that they are using a genuine HSBC website.
See Sidebar: Phishing Victims Fight Back