Alert 2003-11 | September 12, 2003

Customer Identity Theft: Email-Related Fraud Threats

To

Chief Executive Officers and Chief Information Technology Officers of National Banks, Federal Branches, Service Providers, Department and Division Heads, and Examining Personnel

Purpose

This alert is intended to raise awareness of an increasingly common Internet fraud called "phishing" and encourages banks to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers.¹

Background

The FBI's Internet Fraud Complaint Center (IFCC) reports a steady increase in complaints involving unsolicited emails directing consumers to a phony "customer service" website or directly asking for customer information. These scams are contributing to a rise in identity theft, credit card fraud, and other Internet-based frauds.² E-commerce customers, including bank customers, have fallen victim to these scams.

Phishing involves sending customers a seemingly legitimate email request for account information, often under the guise of asking the customer to verify or reconfirm confidential personal information such as account numbers, social security numbers, passwords, and other sensitive information. In the email, the perpetrator uses various means to convince customers that they are receiving a legitimate message from someone whom the customer may already be doing business with, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links, and graphics may be employed to mislead the customer. After gaining the customer's trust, the perpetrator attempts to convince the customer to provide personal information and provides one or more methods for the customer to communicate that information back. For example, the email might include a link to the perpetrator's website that contains a form for entering personal information. Like the email, the website is designed to trick the customer into believing it belongs to the bank. Alternatively, the email might simply include an embedded form for the customer to complete. The ultimate goal of this fraud is to use the customer information to gain unauthorized access to a customer's bank or financial accounts or to engage in other illegal acts.

Risk Mitigation for Email-Related Frauds

Banks should implement appropriate controls consistent with the security process described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet." Management should consider the following actions to help prevent, detect, and respond to the threat from email-related frauds:

Prevention

Provide notices on websites reminding customers that the bank will never request confidential information through email and to report any such requests to the bank.
Print warnings and notices on customer statements or other paper mailings.
Improve authentication methods and procedures to protect against the risk of user ID and password theft from the customer through email and other frauds. Authentication methods solely reliant on shared secrets (e.g., passwords) are more susceptible to phishing schemes than stronger authentication methods.³
Review and, if necessary, enhance practices for protecting confidential customer data.
Maintain current website certificates and describe how the customer can authenticate the bank's Web pages by checking the properties on a secure Web page.
Refer customers to or use Federal Trade Commission (FTC) resources to develop educational brochures to explain the red flags and risks of identity theft.
- FTC, "How Not to Get Hooked by the 'Phishing' Scam," July 2003
- FTC, "ID Theft: When Bad Things Happen to Your Good Name," September 2002

Detection

Monitor accounts individually or in aggregate for unusual account activity such as address or phone number changes, large or a high volume of transfers, and unusual customer service requests.
Monitor for fraudulent websites using variations of the bank's name.⁴
Establish a toll-free number for customers to verify requests for confidential information or to report suspicious emails.
Train customer service staff to refer customer concerns regarding suspicious email request activity to security staff.

Response

Incorporate notification of known email-related frauds into the response program to alert customers of fraudulent requests for information and to caution them against responding.
Establish a process to notify Internet service providers, domain name issuing companies, and law enforcement to shut down fraudulent websites and other Internet resources that are being used to facilitate phishing or other fraudulent email practices.
Increase suspicious activity monitoring and employ additional identity verification controls.
If fraud is detected in connection with customer accounts, the bank should report the fraud and consider offering its customers assistance consistent with the comprehensive guidance on reporting and customer assistance given in OCC Advisory Letter 2001-4, "Identity Theft and Pretext Calling."

In the event your institution is a victim of an email-related scam, you should promptly notify your OCC supervisory office. As appropriate, you should also report the event to law enforcement by filing a Suspicious Activity Report.

Questions regarding this alert should be directed to Clifford A. Wilke, director for Bank Technology Policy at (202) 874-5920 or clifford.wilke@occ.treas.gov.

Ralph E. Sharpe
Deputy Comptroller for Technology

¹Refer to the FFIEC Information Technology Examination Handbook's "Information Security Booklet" located at www.ffiec.gov.

²Federal Bureau of Investigation Press Release, "FBI Says Web 'Spoofing' Scams are a Growing Problem", July 21, 2003.

³Refer to OCC Advisory Letter 2001-8, "Authentication in an E-Banking Environment."

⁴Refer to OCC Alert 2000-9, "Protecting Internet Addresses of National Banks."

Topic(s):

Identity Theft