Tuesday, August 26, 2008

What should CUs do when members are phished?

MADISON, Wis. (8/21/08)--A rash of recent phishing and vishing attacks against financial institutions has many credit unions looking for procedures for reporting and squelching the attacks.

"Credit unions should have a contingency plan for these types of situations, similar to other business continuity plans," said Dorothy Steffens, vice president of web services at the Credit Union National Association (CUNA).

"The important piece is communication, to members and to staff," she said.

"Also, get the phishing site shut down and get the phone numbers disabled if it is a vishing scam," Steffens said. Credit unions can start by reporting the scam to their regulator and insurer.

But to shut down a scam attempt, the credit union will need help.

"IC3 (Internet Crime Complaint Center) has a website to report scams and it is very helpful in getting vishing phone numbers shut down," said Steffens. "I also always send every phish or vish to the Anti-Phishing Working Group e-mail address." (See the resource links.)

How does a credit union get a phishing site shut down?

"Credit unions with websites should have a procedure in place to check their Web logs for traffic that is indicative of phishes," Steffens said.

"There are a number of companies (such as CUNA Strategic Services partner, Perimeter) that will monitor the website for phishing activity. You can trace the URL address of the phishing site using http://www.betterwhois.com, which is the Internet Registrar," she said.

"Most phishing collection sites have been hacked into, and the owners of those servers usually are not aware that their systems have been compromised," she said.

"The Internet Registrar will provide an e-mail address of the technical contact and owner of the site, but in many cases these are in foreign countries, so having a relationship with a vendor will expedite the process for you," she explained.

How should a credit union alert its members about a phish?

"As soon as a phishing scam is discovered, the credit union should put a notice on its website, possibly add a statement to its after hours mailbox, and let the tellers and call center staff know that the credit union is aware of the scam. Communication is critical," Steffens said. "At the time of a phish, the message should always be: the credit union would never ask for personal identification information via an e-mail or a website. Never, ever," Steffens emphasized.

"And if it is a vishing scam, where the recipients are asked to call an unknown number, the credit union again needs to remind its members that they should never call a number that they receive via an e-mail."

CUNA Mutual Group also has addressed the issue of phishing in a risk alert it sent Aug. 1 to policyholders, according to Vince Wagner, risk manager in credit union protection.

If a member is a victim of phishing/smishing/vishing, take the appropriate steps, he said:

Block and reissue the compromised credit/debit cards or the account that is at risk;
If not blocking the at-risk card number or account, use an authorization strategy to prevent fraud exposure;
Have the member report the incident to the credit bureau; and
Encourage the member to order a credit report.

CUNA Mutual's risk alert has an extensive checklist of steps to take to shut down a site and suggests using protective monitoring tools to ensure the credit union isn't susceptible to spoofing.

courtesy of cuna.org
