Arizona Central Credit Union of Phoenix, AZ, was hit with a phishing attack delivered by text message to its members in March. While the attack was distributed on a small scale and had little impact (only four non-members reported it, and the credit union claimed no losses), the incident did rouse the credit union staff into quick action.
"This scam instructed the receiver to call a local phone number, so we classified this as a vishing (voice phishing) scam," says Adam Jones, VP and Chief Information Officer of the credit union. "Once notified, our staff performed a reverse lookup on the phone number to determine who owned it." The credit union then submitted a cease and desist letter to the company that owned the phone number. The company worked closely with the credit union to ensure all calls routed to this number were rejected within 45 minutes of notification. "Our cease and desist letter asks for forensic information but we were unable to obtain any in this case."
In previous vishing incidents, the credit union was able to obtain a list of calling numbers and recordings of the scam in an effort to notify the members and block accounts before fraud occurred.
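The response described above starts from member reports: pull the callback number out of each reported text, discard the institution's own published numbers, and group the rest so that a reverse lookup, a cease-and-desist request, and account monitoring can be driven from one list. The following script is an added example of that triage step; it is not code from the article or from the credit union. The reported messages, the 555 phone numbers, and the `KNOWN_GOOD` allowlist of the institution's own numbers are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of member-reported vishing texts (not real reports).
# Each entry is (who reported it, the text of the message they received).
REPORTS = [
    ("member-1", "ALERT: Your ACU card has been suspended. Call 602-555-0142 to reactivate."),
    ("member-2", "Acct locked. Call (602) 555-0142 immediately"),
    ("non-member", "Your account has been limited, contact 1-602-555-0199 now"),
    ("member-3", "Thanks for visiting the branch, questions? call 602-555-0100"),
]

# Hypothetical allowlist: the institution's own published numbers in E.164 form.
# A reported message that only points at one of these is not a vishing lure.
KNOWN_GOOD = {"+16025550100"}

# North American number in common written forms: optional +1 / 1 prefix,
# optional parentheses around the area code, separators of space, dot or dash.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")


def extract_numbers(text):
    """Return every phone number found in text, normalized to E.164 (+1NXXNXXXXXX)."""
    return ["+1" + "".join(groups) for groups in PHONE_RE.findall(text)]


def triage(reports, known_good):
    """Group reports by callback number, dropping the institution's own numbers.

    The result maps each suspicious number to the list of reporters who
    received a message pointing at it, so the most-reported number is the
    one to take to the carrier first.
    """
    by_number = defaultdict(list)
    for reporter, text in reports:
        for number in extract_numbers(text):
            if number in known_good:
                continue  # legitimate callback, e.g. a branch follow-up text
            by_number[number].append(reporter)
    return dict(by_number)


def ranked_numbers(groups):
    """Suspicious numbers ordered by report count (highest first), then by number."""
    return sorted(groups, key=lambda n: (-len(groups[n]), n))


if __name__ == "__main__":
    groups = triage(REPORTS, KNOWN_GOOD)
    for number in ranked_numbers(groups):
        print(f"{number}: {len(groups[number])} report(s) from {', '.join(groups[number])}")
```

The output of the script is the working list for the steps the article describes: each number is what the reverse lookup is run against, and the report count per number is what the institution cites when asking the number's owner to stop routing calls.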
Sadly, such incidents are a familiar refrain.
Financial institutions throughout the U.S. increasingly report similar phishing attacks. One banking executive who wishes to remain unnamed says, "We have experienced an alarming increase in all forms of phishing over the past year -- at least five to 10 legitimate phishing attempts a day." Another major Arizona financial institution reports that it is seeing anywhere from two to 20 attacks per day against its brand.
Phishers Hone in on Targets
The Anti-Phishing Working Group (APWG) found in January 2008 there were 29,284 unique phishing reports from its member companies, which is an increase of 3,600 over the previous December. APWG also reports that financial services continue to be the most targeted industry sector at 92.4 percent of all attacks recorded in the month of January. The APWG phishing attack repository is the Internet's most comprehensive archive of email fraud and phishing activity.
Peter Cassidy, Secretary General of the APWG (www.antiphishing.org), says financial institutions should focus on increasing awareness among treasury employees -- those people inside banking organizations and other companies who are the CFOs or account managers with money responsibilities. "This is where we're seeing a marked increase in focused attacks from phishers," says Cassidy. "We can't put a number on them because they are so below the radar right now, but they are specifically targeting key executives and employees with treasury authority," he adds.
Noting the recent spate of fake subpoenas that were emailed to more than 20,000 business executives, Cassidy says this type of phishing attack has been around for about a year. "We even are hearing of regular consumers getting emails saying that there is a warrant out for their arrest," he says.
In some of these orchestrated attacks, Cassidy warns, the focus is on key executives and employees. "They're even using live phone interviews, asking for the person to read off their two-factor authentication password to the phisher, who is posing as a security administrator or network administrator in the victim's own company."
This attempt is accompanied by a targeted email sent only to the victim, with crimeware attached that is designed to mine the computer for credentials.
"They're focused on the person they're attacking; they're doing research down to the very human being they want to mine for data, either through social engineering or through technical subterfuge," Cassidy says. "They'll use everything possible up to the most expensive, live telephone contact."
In the case where the person has caller ID, the number can be spoofed to appear as coming from an internal number within the company.
Why would a phisher only focus on one or two employees? "If the attacker believes there is a six- or seven-figure [profit] to be made in this type of attack, it's worth it to them to get down into the very finest details," Cassidy says. "What's a surprise to us is that it took them this long to focus at this level."