How to Respond to Vishing AttacksBank, State Association Share Tips for Incident Response Plan
Those incidents were part of a series of similar attacks that have targeted institutions and their customers since last fall.
Vishing is a form of phishing, where instead of people receiving an email trying to lure them into giving personal information, the criminal uses a phone call, either live or automated, to attack the bank or credit union customer and get critical information. (Here is an actual vishing attempt recorded by one institution.) In response to this spree of attacks, banking/security leaders from one of the impacted states have put together a vishing incident response plan for financial institutions.
Following are tips from Bill Lamb, the IT Manager at Central National Bank of Enid, OK., and Elaine Dodd, vice president of the fraud division at the Oklahoma Bankers Association:
Vishing Incident Response Plan
#1. Set Procedures to Report Calls
Have procedure for employees to report at the time of first (and subsequent) notification. This should include:
- information on originating phone number (if known);
- any pertinent details of phone conversation or recorded message;
- what information was solicited (account numbers, debit card information)?
- did customer give out information and, if so, was account closed or debit card inactivated?
- what was the callback number if the customer was directed to return a call?
- was the call made to your customer's cell phone or a landline?
- if the call was to a cell, who was the carrier (eg ATT, Verizon, Sprint)?
#2. Alert Customers
Notify customers as soon as you see a pattern of calls. Specifically:
- Explain phone phishing (vishing) and text message phishing (smishing) to customers reporting calls. Have a script ready for your call center staff to refer to that describes what it is, and actions that the customer needs to take when they receive such calls.
- Consider initiating a news article in your local paper or other media. This article needs to make clear that your bank is protecting customers with this information, and you have not suffered a breach. Non-customers will also be getting these calls, and that is proof that the calls are randomly generated to your area and not the result of any breach. This is a great time to reinforce that you will never call, email, or text to have your customer provide an account number or debit card information, as you already have that information available. Encourage anyone receiving these calls to hang up and call their financial institution directly on a number that they obtain themselves. Also provide a reminder that any caller ID is easily "spoofed." Fraudsters can put in the number of any financial institution with a spoofing system and that will be displayed on the customer's phone.
- Place a banner with news of vishing attempts on your web page to let customers know that it is occurring in your area and you are protecting them through the notification. Consider adding signage and posters for drive-throughs and lobby areas to alert customers to the scam.
#3. Run Down the Source
Identify the area code(s) on calls of origination and lines that customers are requested to call (simply Google the area code, "XXX area code").
If the calls appear to be generated in the U.S., contact your local FBI office and ask for their cybercrime specialists or white collar crime division, which will handle bank fraud. They can help to get the phone line shut down immediately. You will also want to contact your local law enforcement contacts to alert them to the scam because consumers will be calling them to report the attempts.
If the calls are Canadian-based, contact the PhoneBusters in Ontario. This is the Canadian Anti-Fraud Call Center and is staffed by the Royal Canadian Mounted Police. They can be reached at www.phonebusters.com or 888-495-8501. They can assist in shutting down Canadian lines and will provide you with a reference number on your case in the event you secure additional information to report to them.
There are three great options for finding the carrier of a toll-free line. The first is a number that can be called to find out who the Responsible Organization (RespOrg) is for any toll free number, 800-337-4194. This is an IVR where you can enter the number and it will give you the carrier. The second is to search on such sites as www.customtollfree.com, where you often can find the carrier of the line. You (or your chosen law enforcement representative) can then contact the carrier directly to ask them to shut down the line, as it is being used for fraud. The third option is http://www.tollfreenumbers.com/resporg/ and can be used to track down numbers and call centers that handle the calls.
#4. Notify Telecomm Carriers
Lamb of Central National Bank in Enid, OK, has compiled a list of email addresses and a sample email that he uses to get lines shut down.
- Email addresses: 'QwestFraud@qwest.com'; 'email@example.com'; 'firstname.lastname@example.org'; 'email@example.com'; 'firstname.lastname@example.org'; 'email@example.com'; 'firstname.lastname@example.org'; 'email@example.com'; 'firstname.lastname@example.org'; 'email@example.com'; 'firstname.lastname@example.org'.
- Samples email text: Fraudulent Text messages are being sent to cell phones in Northeastern Oklahoma: "This is an automated message from XXXX National bank. Your ATM card has been suspended. To reactivate call urgent at 18775895978." This is an IVR that attempts to get card numbers and PINs. If this 877 number is yours please shut it down, if not please forward to the responsible organization.
Lamb says he's found the words "Criminal Activity" in the subject line help get faster responses.
#5. Make Customer Education a Priority
Keep the educational awareness of these types of scams in front of your customers by adding sections on the institution's webpage about the types of crimes that may happen. Add the same messages to your statement stuffers, call waiting feature and newsletters for added impact. Also be sure to tell your customers that no one will ever call them from the institution, soliciting information from them. Always remind your customers to alert you when they receive a call, text, or email from your institution that doesn't seem right.