Phishing Schemes: The New Wave Wells Fargo, TD Bank Respond to Scams Targeting Customers
As summer draws to a close, banking institutions and their customers face a new wave of targeted phishing attacks - and industry experts predict these incidents will only increase in the months ahead.

In recent days, both Wells Fargo Bank and TD Canada Trust alerted customers of targeted, or spear attacks. And in Idaho, the Attorney General and the Idaho Bankers Association issued their own consumer warning about the schemes, which included fraudulent phone calls to numerous consumers in the state feigning to be from Wells. In addition to Wells, the Idaho AG's Office also warned that targeted voice and text attacks had been linked to Idaho's Boise Federal Credit Union and Home Federal Bank.

"These messages are designed to reach as many potential victims as possible," said Attorney General Lawrence Wasden. "The senders do not know anything about you or your card. Many people who have received the messages do not have accounts with the bank or credit union purportedly sending the message."

The calls and texts, often referred to as vishing and smishing, reportedly told consumers their credit and/or debit cards had been compromised, and then asked recipients to call a phone number to provide personal banking information to have the cards reactivated.

"Your bank will never contact you to ask for your account number," Wasden said. "Your bank already knows your account number. These messages are 'phishing' attempts by people trying to steal your account information so they can steal your money."

The Idaho AG's Office, in response to heightened online and phone-based schemes, now publishes an identity theft manual to help consumers whose personal information has been stolen.

Wells spokesperson Michele Rene Scott, who focuses on online and mobile banking, says phishing attacks of all forms and method are major concerns. "Generally, fraudsters don't know if people they send phish messages to are Wells Fargo or Wachovia customers," she says. "They simply hope that a percentage of their messages will be received by actual customers." [See Phisher Sentenced to 12 Years.]

Banks and CUs Take Aim

Phishing attacks are on the rise, and financial-services are more often than not the target.

Dave Jevans, head of the Anti-Phishing Working Group, a global consortium of IT leaders aimed at stunting the rapid growth of online attacks, says banks and credit unions need to brace themselves for more attacks aimed at customers, members and institution employees.

"Banks and their customers are among the biggest targets of phishing and spear-phishing," Jevans says. "Banks represent about 55 percent of phishing attacks, and payment services such as PayPal are 25 percent. So, 80 percent of all phishing is targeted at banks and payment services." And that should be alarming.

According to a June APWG survey, about one-third of the survey's 270 respondents said they had been repeat victims of phishing attacks. Website security vulnerabilities were cited as being the most common gaps cybercriminals abused.

APWG says organizations are not properly monitoring for anomalous behavior or suspicious traffic patterns that could indicate previously unseen, zero-day attacks. Earlier this month, the Federal Deposit Insurance Corp. announced a phishing scheme that was targeting consumers under the veil of the FDIC.

In the wake of Hurricane Irene, the Federal Bureau of Investigation on Monday issued a statement about the potential for fraudulent e-mails that appear to be from charitable organizations or other institutions interested in relief donations. "Disasters prompt individuals with criminal intent to solicit contributions purportedly for a charitable organization or a good cause," the release states.

The FBI release links to a note prepared by the Internet Crime Complaint Center [IC3] about fraudulent contribution schemes. Scams after disasters aren't new. Just last year, phishing schemes targeted financial institutions and customers after the BP oil spill.

For its part, Wells Fargo says it is taking online fraud prevention seriously. In addition to 24/7 monitoring for new text, voice and e-mail phishing schemes, the bank has been working with Internet service providers and others to shut down scams once they're identified.

"Wells Fargo monitors for suspicious account activity, such as behavior or transaction type, across multiple channels," Scott says. "In the event suspicious activity is detected, we take unique, customer-specific action which may include customer contact. While I can't provide more details, I can tell you that we take our customers' security very seriously."

Wells also provides online and mobile banking fraud prevention and security tips through its online Fraud Information Center.

TD Canada Trust and TD Bank in the U.S. have taken similar approaches. In response to the phishing scheme it identified last week, which was targeting users of TD Canada's EasyWeb Internet Banking platform, TD Canada warned customers not to respond or click any links if they received an e-mail appearing to be from the bank.

"Any TD customer who encounters or believes they may have been the victim of online fraud (i.e. phishing, spyware, email fraud, etc.), is asked to contact the bank through its Online Fraud Window and to forward any supporting documentation (such as copies of e-mails, anti-virus/anti-spyware scan logs) to phishing@td.com," TD Canada said. [See TD Bank on Customer Education.]

Joshua Corman, director of security intelligence for Akamai Technologies, says phishing attacks will only grow. They're hard for banks to fight, and they yield high rewards for fraudsters without requiring much difficulty or challenge.

"People use phishing because it works, and it's incredibly hard to defend against," he says.

Certain types of phishing or vishing attacks will spike, once a phishing "crew" or ring identifies a method that is met with success. "It's just the natural evolution for phishing," Corman says. With targeted attacks, once a scheme is deemed successful, fraudsters exploit it.

"There has been a trend toward much more targeted attacks; not to specific individuals in an organization, but targeting more specific companies, like a specific bank," Corman says. "And the AV [anti-virus] guys can't keep up. It's a customized malware, and that's not something AV software can easily fight."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.





Around the Network