Accountholders at Chase in the United States and Barclays in Britain have been the targets of a rash of targeted phishing schemes.
Researchers at security firm GFI Software last month discovered customers at Chase had been targeted by phishing e-mails that provided links to spoofed Web pages that requested users submit sensitive online banking details.
The firm also discovered phishing hits aimed at Barclays, though the nature of the attacks differed a bit. In Barclays’ case, GFI reported that fraudulent warning e-mails about account suspensions had been sent to Barclays’ users. The e-mails, feigning to be security alerts from the bank, claimed that attempts to access online accounts had exceeded limits set by the bank, suggesting hackers had been attempting to break in. Attachments contained in the e-mails asked recipients to provide confidential data to reactivate their online accounts.
The attacks against Chase and Barclays were not rare. Targeted schemes, better known as spear phishing, are common. Similar attacks have been waged against NACHA – The Electronic Payments Association and the Federal Deposit Insurance Corp., just to name two. [See FBI Warns of New Fraud Scam.]
Banks: Cyberfraudsters’ Aim
Targeted attacks aimed directly at banks and banking accounts are becoming more standard as well. Last month, the Federal Bureau of Investigation and the U.S. Attorney for the District of Connecticut indicted 14 Romanians for their involvement in an identity-theft scheme that relied on phishing attacks to steal online banking credentials from customers at Connecticut-based People’s Bank. Customers at Citibank, Capital One, Bank of America, JPMorgan Chase, Comerica Bank, Regions Bank, LaSalle Bank, U.S. Bank, Wells Fargo, eBay and PayPal also were targeted. [See 14 Indicted in Phishing Scheme.]
Recommendations and the Need for Layered Security
Fraudsters have proven they can get around basic authentication techniques, including two-factor authentication.
The need for enhanced user authentication served as the catalyst for updated online authentication guidance from the Federal Financial Institutions Examination Council, which took effect this month. Federal banking regulators say banks and credit unions need to ensure they layer security measures, meaning user authentication must go beyond mere logins and passwords.
But a greater concern is online user behavior, since most consumers use the same login names and passwords for multiple accounts, including bank accounts.
That universal use of logins and passwords allows cybercriminals to piece together information that can later be used to compromise online credentials. “User names for social websites are often searchable using typical search engines and often the corresponding e-mail addresses are in plain view for casual Internet users and thieves alike to see,” says John Buzzard, who monitors phishing attacks and skimming trends for FICO’s Card Alert Service.
Fortunately, most phishing schemes are relatively easy to thwart, if practical precautions are taken. “It’s rather surprising to keep reading stories about phishing vulnerabilities since phishing varietals have been around since at least 2005,” Buzzard says.
Banking institutions can mitigate the risks associated with phishing schemes by implementing tried-and-true best practices that limit exposure to a variety of Internet fraud types. Buzzard recommends institutions:
- Provide timestamps for online-banking sessions. Accountholders can look at timestamps to see when the last, and potentially unauthorized, log-in occurred.
- Deliver daily account alerts. “Consumers love the ability to establish their own rules so that they can be alerted to ATM withdrawals and daily balances,” Buzzard says.
- Leverage online banking websites for the delivery of important consumer messages. “A simple email alerting the accountholder that a critical communication is waiting for them inside of their online banking account really is an effective means to ensure that the consumer can not only view but trust the communication’s content,” he says.
- Avoid e-mailing links. Financial institutions want to discourage consumers from clicking links. When e-mailing correspondence, simply tell them to visit the official online-banking site. “Your customer knows how to find their online banking website and they already know how to reach you by phone,” Buzzard says.
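The two attack patterns described above (a link to a spoofed log-in page that asks for banking details, and a "suspension" warning whose attachment asks for confidential data to reactivate the account) are exactly the traits a bank's mail gateway or a customer-facing abuse mailbox can screen for. The following is an added illustration, not code from the article or from GFI, FICO or any bank: a small triage script that flags inbound messages carrying links to non-bank hosts, suspension or reactivation pressure language, requests for credentials, and attachments. The bank domain `example-bank.com`, the three sample messages and the word lists are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import urlparse

# Assumed placeholder for the institution's genuine web domains (not a real bank).
BANK_DOMAINS = ("example-bank.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Pressure language of the kind the article describes: suspension, exceeded attempts, reactivation.
URGENCY_RE = re.compile(
    r"\b(suspend(?:ed|sion)?|exceeded|locked|reactivat\w*|verify your account)\b", re.IGNORECASE)
# Secrets a genuine bank notice never asks for by e-mail.
CREDENTIAL_RE = re.compile(
    r"\b(password|pin|security (?:code|question)|account number|log-?in details)\b", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Concatenate the readable text parts of a message, skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def attachment_names(msg: Message) -> list:
    """File names of every attachment part, whatever its content type."""
    return [part.get_filename() or "(unnamed)"
            for part in msg.walk() if part.get_content_disposition() == "attachment"]


def is_bank_host(host: str) -> bool:
    """True only for the bank's own domain or a subdomain of it (suffix check, so
    'example-bank.com.evil.test' is not accepted)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)


def foreign_links(text: str) -> list:
    """Every http(s) URL in the text whose host is not one of the bank's domains."""
    found = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")           # drop trailing sentence punctuation
        host = urlparse(url).hostname or ""
        if not is_bank_host(host):
            found.append(url)
    return found


def score_message(raw: str) -> dict:
    """Return the phishing indicators found in one RFC 822 message plus a simple count."""
    msg = message_from_string(raw)
    text = (msg["Subject"] or "") + "\n" + body_text(msg)
    findings = []
    links = foreign_links(text)
    if links:
        findings.append("link to non-bank host: " + ", ".join(links))
    if URGENCY_RE.search(text):
        findings.append("account-suspension or reactivation pressure")
    if CREDENTIAL_RE.search(text):
        findings.append("asks for credentials or account secrets")
    atts = attachment_names(msg)
    if atts:
        findings.append("attachment: " + ", ".join(atts))
    return {"score": len(findings), "findings": findings}


def _mail(subject: str, body: str, attachment: bytes = None, filename: str = None) -> str:
    """Build a constructed sample message as a raw string."""
    msg = MIMEMultipart()
    msg["From"] = "alerts@example-bank.com"
    msg["To"] = "customer@example.net"
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    if attachment is not None:
        part = MIMEApplication(attachment, _subtype="html")
        part.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(part)
    return msg.as_string()


# Constructed samples modelled on the two patterns in the article, plus one message
# written the way Buzzard recommends (no link, no attachment, "visit the site you know").
SAMPLES = {
    "spoofed_link": _mail(
        "Confirm your online banking details",
        "Please confirm your online banking details by signing in at "
        "http://secure-login.example.net/verify and entering your user ID and password."),
    "suspension_attachment": _mail(
        "Security alert",
        "Attempts to access your online account have exceeded the limit set by the bank "
        "and the account has been suspended. Provide your account number and PIN in the "
        "attached form to reactivate it.",
        b"<html><body>form</body></html>", "reactivation_form.html"),
    "legitimate_notice": _mail(
        "A message is waiting in your online banking inbox",
        "A new secure message is waiting for you in your online banking inbox. Visit our "
        "website by typing the address you normally use, or call the number printed on your card."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_message(raw))
```

The score is deliberately a plain count of independent indicators rather than a tuned model: a notice written the recommended way (no link, no attachment, no request for secrets) scores zero, while either of the article's attack patterns trips at least two checks, which is enough to route the message for review or to a customer-facing "report phishing" workflow.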