Phishing Attacks on the RiseGlobal Effort is Only Way to Fight Threat to Banking Customers
It's just the latest spree in a long line of phishing and vishing attacks that have grown to be more selective in their approaches, using malicious e-mails or phone calls that send unsuspecting users to spoofed websites, where malware hijacks banking credentials.
The schemes are more targeted than they were 18 months ago, says John Buzzard, client relations manager for FICO, which provides decision management and predictive analytics solutions. Those targeted launches, which hit customers and members at specific financial institutions, often reap more rewards for the fraudsters.
"For the criminal, you get more out of targeting a specific institution, because a lot of these folks are not used to getting scammed," Buzzard says. "Oftentimes, they are targeting people who are not quite so savvy and don't have a lot of experience with the Internet and banking online."
In the USAA and Navy FCU cases, Buzzard says, targeting military families has proven profitable. "It's not that military members and their spouses are less savvy; but when you have one parent overseas fighting and the other at home taking care of all of the finances, they can be stressed and distracted and may not be paying so much attention," he says. "Stressed-out military spouses are juggling many things, and they could be in a hurry to respond to something without thinking about it thoroughly."
Phishing attacks won't go away until the banking industry launches a global effort to fight back, says Neil Schwartzman, senior security-standards director at Return Path Inc., an e-mail deliverability company. "The international piece is important, because we know where most of these phishing attacks are coming from," he says -- Russia.
The Cyber ConnectionPhishing attacks, Schwartzman says, are relatively localized, coming from former Soviet republics. But differing international laws and enforcement policies have made phishing perpetrators somewhat untouchable. It's an international issue that's been discussed at length at recent industry events, including the Federal Deposit Insurance Corp.'s Combating Commercial Payments Fraud Forum in May and the Payment Card Industry Security Standards Council's Community Meeting Community Meeting in September.
Howard Cox, the assistant deputy chief for the Computer Crime and Intellectual Property Section within the Criminal Division of the U.S. Department of Justice, says U.S. law-enforcement agencies are working around some of the international cyberwar barriers, but it's a constant battle.
"Ukraine and Russia will not extradite to the United States, so in those countries, we have to rely on tips to capture and arrest," Cox says. "Most hackers are in Eastern Europe, where it's not a crime to sell hacking code, and there are no laws against cybercrime."
Schwartzman says the cyberwar is heading "toward crisis proportions."
"We're seeing phishing overtake real-world bank robbery," he says. "I don't think there is a brand in the world that is safe right now. The phishers see it as a prospect for the next year."
Fighting Online Banking FraudDespite facing an uphill battle, Schwartzman and Buzzard say banking institutions should focus their attentions on more sophisticated modes of online fraud detection and consumer education.
"They need to make sure that they are authenticating all of the e-mails they send, and they need to be following best practices," Schwartzman says. And Buzzard says financial institutions should make their customers and members aware of how institutions will typically communicate information. "Let them know that you will not call them or send an e-mail that does not require them to log into their online banking account," Buzzard says.
Buzzard's Top 3 Tips for Banks and Credit Unions:
- Invest in consumer-quality technology, which allows users to set up alerts via e-mail and/or SMS/text to receive notice when account balances fall below certain levels;
- Authenticate the card CV value on ATM and POS transactions. "If a phisher steals card information and creates a counterfeit card, they won't be able to conduct a transaction at a POS or ATM, because that CVV or CVC value will not be there," he says;
- Monitor transaction history. Some phishers try to get CV information via brute force attacks, which entails repetitive testing of code combinations until they get a hit. "When the bank sees a card that's been tried 100 times for small-value transactions, that should be a red flag," he says.