Case Study: Bank Responds to Vishing Attack
How One Institution Mobilizes Against Phone-Based Phishing
For most people, Friday afternoon is time to wrap up the week's activities and look forward to the weekend. For Bill Lamb, IT manager for Central National Bank in Enid, OK, it's time to wonder: "Will my customers be hit with another phone-based phishing attack?"
Since last October, Central National Bank has been hit with three text-based and phone-based phishing attacks -- the most recent two happening within the past month.
"This week we are being targeted by automated calls to cell phones in this area, telling people that they need to press 1 to reactivate their card -- and people are falling for it," Lamb says.
He has experienced vishing attacks over the past several years, and to fight back he has developed an incident response program to track down and shut down the phone numbers.
The latest attack was less sophisticated than most. "The interactive voice response system (IVR) at the other end of the 800 number was generic," Lamb says. "All it talked about was 'National Bank.'"
Still, Lamb tracked down the owner of the 800 number by using the site http://www.tollfreenumbers.com/resporg, which told him RingCentral owned the number. Lamb found a customer service number for RingCentral, a call center in the Philippines. "After much holding and escalation, I finally got someone to tell me that they would have the fraud department -- which did not work weekends -- call me Monday," Lamb says. "That was the best they could do."
The good news: The bogus number was shut down sometime over that weekend. "I did get a call from RingCentral's fraud department later in the week to report that they had investigated the number and had determined it as fraudulent and had shut it down."
Lamb thinks his bank is luckier than some - it hasn't suffered any reputational damage from the recent attacks. But he warns other institutions: "The reason the criminals keep coming back to a financial institution is that they've had success. A key part of stopping these attacks is customer education."
It is sometimes difficult to get the message through to customers - or even to typify the common victims. "We've even found that it's not the youngest or oldest customers that fall for these calls," Lamb says, "but the middle-aged people who don't think and then give out their information."
So far, Lamb says, only a handful of customers have fallen for the scams, and "many of them realized they suspected something suspicious and called the bank right away."
Time is of the essence, so Lamb recommends that institutions be ready to jump to action when alerted to an attack. His tips:
- Have an incident response plan prepared ahead of time. Tool kit should include law enforcement contacts, as well as local service providers' contact information;
- Cultivate and maintain good relationships with law enforcement;
- Remember what you learn from previous incidents - keep records;
- Most important -- educate your customers. They are your front line in these incidents.