Phishing Incident Response Plan Is Not Optional
A phishing incident response plan for financial institutions isn’t written just for good business practice, it’s also a regulatory requirement too.
While it is a challenge to put an incident response plan that meets your regulator’s minimum requirements, you also want to have a well thought out plan that can handle security incidents that may hurt your institution and its customers.
So where do you want to start? The FFIEC’s Information Security Booklet is the basis for much of the incident response requirements that federal regulatory agencies have issued.
The Office of Thrift Supervision’s advice to its banks: report incidents of phishing and other e-mail fraud attempts that target your institution to the OTS Regional Office immediately. Incidents should also be reported to appropriate law enforcement agencies. To read the OTS letter: CEO Letter 193
The Office of the Comptroller of the Currency’s bulletin outlines the steps banks should take to mitigate the risks of phishing. National banks must file suspicious activity reports, or SARs, if they are the target of a spoofing incident. To read the OCC bulletin: OCC Bulletin
The National Credit Union Association refers credit unions to the NCUA Appendix A to Part 748 of the NCUA Rules & Regulations for the incident response requirements. To read: NCUA Letter to Credit Unions
The Federal Deposit Insurance Corporation’s “Putting an End to Account-Hijacking Identity Theft†provides guidelines for how financial institutions can mitigate phishing risks. The document warns that “the financial service industry’s current reliance on passwords for remote access to banking applications offers an insufficient level of security†and describes better options, such as two-factor authentication. Putting an End to Account-Hijacking Identity Theft
What to Do
Don’t wait until your financial institution is hit with a phishing attack. Otherwise you’ll be spending more time figuring out what actions to take, rather than attacking the phishing attack itself. Whether it is done by a phisher who knows what they’re doing, or just a rank amateur with a downloaded phishing kit off of an internet site, you’ll need to have your management plans in place ahead of time. Whatever plan you decide on, and the team you assemble, should be well-honed and ready to answer customer and media inquiries.
You’ll need to know and/or decide on:
Reporting Phishing emails – You will need to decide where to tell your customers and others who receive suspicious emails with your insitution’s name associated with them. You need to set up a email address that is dedicated only to reporting fraud associated with your institution’s domain name. Something like ReportFraud@XYZBank.com and watch it, monitor it 24/7. Don’t have your customer service representatives responding to the emails. Information Security at your institution should be the staff receiving the emails and checking them first. Also, don’t be afraid to let your customers know about the fraud reporting email address. Encourage them to send in anything that they think is suspicious.
Take down or Redirect -- Will you take down the phishing site, or redirect unknowing customers to a site set up to educate them about phishing and fraud? If you decide to take down, decide if you can handle it, or if you should outsource it.
Third Party Vendor prepared -- Do you use a third party vendor to run your online banking, what are they ready to do if a phishing attack hits? Make sure your online banking vendor is responsive to any suspicious emails. Check your SLAs and other contracts to ensure proper coverage and sound information security practices; including a phishing incident response plan is in place at the vendor’s location.
Contacting Customers and Legal Action -- Who will call customers or send emails? This action and who takes it is really up to the individual institution, but know what your message will be, and be consistent. When it comes to dealing with criminal charges or other legal action against the phisher, let the lawyers step in and earn their pay.
Launch Counterattack -- Decide under what circumstances will your institution take action against a phishing site, such as feeding false customer information or doing a counter attack, taking advantage of weak programming in its coding.
Your incident response plan should outline how much information about the identity theft to give customers who fall for a phishing scam, and how this information will be delivered. (Do you email the customer information, send them a letter, or call them directly?)
Phishing Action Items
Watch Your Language -- Are you inadvertently training your customers to fall for phishing scams? Look at your marketing information and all material you send out to your customers, either via email, print or on the web. What message are you sending them, you want to make sure they know and feel comfortable in contacting your institution with questions. Educate the sales and marketing team about characteristics of phishing e-mails. Then, make sure legitimate e-mails don’t set off any alarms.
Call Your Law Enforcement -- Reach out and make contact with your local and state law enforcement, as well as the regional federal law enforcement offices and know who will be your contact. This saves a lot of phone time, figuring out who you need to speak to when a phishing attack happens. And remember, it’s not a matter of if, you need to be ready for phishing to happen at your institution.