How to Respond to Vishing Attacks
Bank, State Association Share Tips for Incident Response Plan
April 26, 2010 - Linda McGlasson, Managing Editor
In early February, five financial institutions in four states -- Michigan, Wisconsin, Minnesota and Mississippi -- reported being hit by telephone-based phishing, or "vishing," attacks.
Those incidents were part of a series of similar attacks that have targeted institutions and their customers since last fall.
Vishing is a form of phishing where, instead of receiving an email that tries to lure them into giving up personal information, the target gets a phone call, either live or automated, in which the criminal attacks the bank or credit union customer to extract critical information. (Here is an actual vishing attempt recorded by one institution.) In response to this spree of attacks, banking/security leaders from one of the impacted states have put together a vishing incident response plan for financial institutions.
Following are tips from Bill Lamb, the IT Manager at Central National Bank of Enid, OK, and Elaine Dodd, vice president of the fraud division at the Oklahoma Bankers Association:
Vishing Incident Response Plan
#1. Set Procedures to Report Calls
Have a procedure for employees to report at the time of first (and subsequent) notification. This should include:
• information on the originating phone number (if known);
• any pertinent details of the phone conversation or recorded message;
• what information was solicited (account numbers, debit card information)?
• did the customer give out information and, if so, was the account closed or the debit card inactivated?
• what was the callback number if the customer was directed to return a call?
• was the call made to your customer's cell phone or a landline?
• if the call was to a cell phone, who was the carrier (e.g., ATT, Verizon, Sprint)?
#2. Alert Customers
Notify customers as soon as you see a pattern of calls. Specifically:
• Explain phone phishing (vishing) and text message phishing (smishing) to customers reporting calls. Have a script ready for your call center staff to refer to that describes what it is, and actions that the customer needs to take when they receive such calls.
• Consider initiating a news article in your local paper or other media. This article needs to make clear that your bank is protecting customers with this information and that you have not suffered a breach. Non-customers will also be getting these calls, which is proof that the calls are randomly generated to your area and not the result of any breach. This is a great time to reinforce that you will never call, email, or text to have your customer provide an account number or debit card information, as you already have that information available. Encourage anyone receiving these calls to hang up and call their financial institution directly on a number that they obtain themselves. Also provide a reminder that any caller ID is easily "spoofed": fraudsters can enter the number of any financial institution into a spoofing system, and that number will be displayed on the customer's phone.
• Place a banner with news of vishing attempts on your web page to let customers know that it is occurring in your area and you are protecting them through the notification. Consider adding signage and posters for drive-throughs and lobby areas to alert customers to the scam.
#3. Run Down the Source
Identify the area code(s) of the originating calls and of the lines that customers are requested to call (simply Google the area code, "XXX area code").
If the calls appear to be generated in the U.S., contact your local FBI office and ask for their cybercrime specialists or white collar crime division, which will handle bank fraud. They can help to get the phone line shut down immediately. You will...
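The three steps above can be backed by a simple intake and triage script. The following is an added example, not code from the article or from the institutions quoted; the report fields follow step #1, the "pattern of calls" trigger follows step #2, and the area-code roll-up feeds step #3. The sample reports and the threshold of three matching callback numbers are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class VishingReport:
    """One employee-logged report, mirroring the fields in step #1."""
    originating_number: Optional[str]   # caller's number, if known
    details: str                        # pertinent details of the call or recording
    info_solicited: str                 # e.g. account number, debit card data
    info_given: bool                    # did the customer give anything out?
    account_or_card_blocked: bool       # was the account closed / card inactivated?
    callback_number: Optional[str]      # number the customer was told to call
    phone_type: str                     # "cell" or "landline"
    carrier: Optional[str]              # e.g. ATT, Verizon, Sprint (cell only)

def normalize_number(raw: Optional[str]) -> Optional[str]:
    """Reduce a North American number to its 10 digits; None if it cannot be."""
    if not raw:
        return None
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def find_patterns(reports: List[VishingReport], threshold: int = 3) -> dict:
    """Callback numbers seen in at least `threshold` reports: the step #2 trigger."""
    counts = Counter(n for r in reports if (n := normalize_number(r.callback_number)))
    return {n: c for n, c in counts.items() if c >= threshold}

def source_area_codes(reports: List[VishingReport]) -> List[str]:
    """Area codes to run down in step #3, from both origin and callback lines."""
    numbers = (normalize_number(n) for r in reports for n in (r.originating_number, r.callback_number))
    return sorted({n[:3] for n in numbers if n})

def open_exposures(reports: List[VishingReport]) -> List[VishingReport]:
    """Customers who gave information but have no account/card action recorded yet."""
    return [r for r in reports if r.info_given and not r.account_or_card_blocked]

# Constructed sample reports (not real incident data); 555/556 numbers are fictitious.
SAMPLE = [
    VishingReport("(555) 201-0001", "robocall: 'your card is locked'", "debit card", True, False, "1-556-867-5309", "cell", "Verizon"),
    VishingReport(None, "live caller asked for PIN", "debit card, PIN", False, False, "556-867-5309", "landline", None),
    VishingReport("5552010002", "robocall, same script", "account number", True, True, "(556) 867-5309", "cell", "ATT"),
    VishingReport("555-301-0009", "text with link (smishing)", "card number", False, False, None, "cell", "Sprint"),
]
```

With the sample data, `find_patterns(SAMPLE)` flags the shared callback line after three reports, `source_area_codes(SAMPLE)` gives the codes to look up, and `open_exposures(SAMPLE)` lists the customer whose card still needs to be inactivated.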