Jay Butler, Senior Technical Consultant
In last quarter’s installment, we looked at ten ways computer users can help prevent malware as a human supplement to the electronic security layers deployed at your financial institution. Those guidelines are also helpful in thwarting email-borne phishing attacks that slip past security, but they are essentially useless against vishing or smishing. Phishing attacks are known as vishing when a criminal attempts to trick the victim into revealing private information over the phone; the smishing method uses text messages.
Because vishing/smishing attacks occur outside the electronic fortress protecting your computer network, the human factor may be the only barrier preventing successful exploits. Effective defense against vishing/smishing and the more common phishing requires a strong commitment to customer education, not just employee education. Educate your customers about the various methods used to trick them into revealing private information. Use your website to explain what the different attacks are and how they work. If you become aware of a trend in your area or a direct attempt, publish that information on your website along with a general statement that your financial institution is taking action.
Use more confidential methods to reveal how you will and will not communicate with your customers. I suggest revealing as little as possible publicly about the specifics of how your financial institution communicates with its customers. Instead of advertising these details to anyone on the Internet, including would-be hackers and data thieves, I recommend using more secure channels such as Internet banking, account statements, and other direct mailings.
Besides these proactive ideas, you should also be prepared for a potential event. BankInfoSecurity.com posted an article in April (McGlasson, 2010) that outlines a good vishing incident response plan created by two banking/security leaders from a state hit by a vishing spree. Here is a summary of that plan:
- Set Procedures to Report Calls – Have a procedure for employees to report at the time of first (and subsequent) notification. Employees need to know what information to gather.
- Alert Customers – Explain phone and text message phishing. Consider initiating a news article. Place a banner on your website to inform customers about the scam.
- Run Down the Source – Find out where the attack came from and the numbers customers are requested to call. Have the number shut down by determining the carrier and contacting them.
- Notify Telecom Carriers – Contact carriers such as AT&T, Verizon, Sprint, Qwest, Alltel, TMC, and Level 3 via their published abuse/fraud email addresses. Ask to have the number(s) shut down due to suspected fraudulent criminal activity.
- Make Customer Education a Priority – Use your webpage, account statements, automated phone systems, and newsletters.
Please take the time to visit http://www.bankinfosecurity.com/articles.php?art_id=2457&pg=2 and read the entire article, which includes important details for an effective response. Afterward, meet with your technology committee to create your own specific plan and incorporate it into your broader information security policy. Plan and implement a strategy to keep employees and customers educated about threats directed at them. Sign up to receive newsletters from sources like BankInfoSecurity.com and CUInfoSecurity.com. CUInfoSecurity.com has an excellent article on yet another method used to “phish” private information: phishing via fax. These two sites are excellent sources of security information for community financial institutions. Increased awareness is our best defense in an information age that attracts new criminals who engage in an ever-evolving array of increasingly sophisticated white-collar crime. We should strive to educate people with the same tenacity we use to secure computers.
While traditional email phishing is most common, a number of factors make the vishing/smishing derivatives an attractive new tool for crafty information thieves:
- Most phishing attacks are filtered out by today’s advanced email scanners, which provide no protection against voice- or text-driven attacks.
- People’s growing suspicion of email is improving the identification of traditional phishing attempts, but people may not be as alert to phone- or text-based attacks.
- Criminals realize that highly regulated financial institutions must continually evolve their electronic security to protect sensitive information.
- Financial institutions can train employees more effectively than they can inform customers.
- The anonymity of VoIP technology has emboldened vishing criminals, much as email does for phishing.
McGlasson, L. (2010, April 26). How to Respond to Vishing Attacks. Retrieved July 26, 2010, from BankInfoSecurity.com: http://www.bankinfosecurity.com/articles.php?art_id=2457&pg=1