Preparing for Phishing Attacks – Best Practices Learned through Experience
Those getting their first taste of phishing are especially vulnerable –
and 95% of institutions have NOT been hit yet. The time is now to get prepared,
as phishing has been branching out rapidly to a wider variety of targets.
In our experience, the third question people ask us, after, “can you
kill this attack,” and, “how much will it cost,” is usually,
“what else can I do to protect my customers?” While every situation
is different, there are several common sense approaches that we recommend to
all. There are also a few insider secrets to know about and pitfalls to avoid
that many institutions have had to learn the hard way. We’ve pulled together
the following “baker’s dozen” list of top tips from a series
of presentations we’ve given (and heard) over the years to the Anti-Phishing
Working Group (APWG), Digital Phish-Net, and numerous financial services industry
conferences.
The aim of this piece is to help you learn from others’ experiences and
get prepared now. Implementing many of these ideas up front can make your institution
better prepared for an attack and eliminate critical holes you may currently
have in your defenses. Even if you’ve weathered a few phishing attacks
already, there are many things that can be learned from others, so don’t
stop here – ask around! Industry groups and your peers at other institutions
have a wealth of knowledge and experience to share.
Anti-Phishing Checklist: A Baker’s Dozen
Be Prepared – Organize and pre-position assets: While
getting prepared seems obvious, many victim institutions are not ready when
phishing happens to them. Poor up-front preparation and not knowing “who’s
in charge” are probably the biggest contributing factors in a successful
first phishing attack against an institution. Many institutions can be overwhelmed
by a flood of inbound customer complaints, and the phishing site may stay up
for days if no plan has been made beforehand for how to deal with an attack.
So get ready.
- Designate a responsible “owner” within the organization and
assemble a response team. Despite growing awareness of the phishing threat,
most institutions are still caught unprepared when it happens to them.
- Make it easy for customers to report attacks. Have an e-mail address for
reporting at phishing@bankname.com and information on reporting procedures
on your website.
- Use your website to inform and update customers before and during attacks.
Keep updates on your site so your customers don’t fill up your phone
lines.
Implement preventive tactics to protect your site and customers: There
are several measures that can be put in place now, both technically and
procedurally, to make your institution a less appealing target for phishers.
Since phishers act a lot like direct marketers, they will go after the most
appealing, highest return targets and pass up on “hard” targets.
- Make sure you have Track 2 CVC/CVV coding ENABLED – This is the #1
issue for banks and credit unions. This is NOT the code printed on the ATM
card; rather, it’s the secret one embedded in the magnetic stripe on the
card. Phishers are relentless when this is a problem – you can expect
several attacks per day since they can cash out accounts directly with impunity.
Credit unions are particularly at risk here with higher daily limits on ATM
withdrawals.
- Make sure you are fully protected from the latest phishing vulnerability
exploits in your on-line bill-pay, account transfer, and ACH systems. Recent
phishing attacks have netted over $100,000 from a single account using ACH
transfers – that’s real money and your best customers being cleaned
out.
- Pre-emptively register and/or recover high risk domain name variants –
own your bankname in major variants (net/org etc.), along with high-risk terms
(e.g. bankname-login.com). Controlling your domain space not only protects
against phishing, it protects your brand, and is really cheap insurance. It’s
also a very public way of letting the bad guys know you’re on top of
your game and makes you a less attractive victim. Microsoft has had great
success with this tactic: http://www.microsoft.com/mscorp/safety/education/default.mspx.
Monitor for active attacks: Usually the most effective “watching”
for phishing attacks is in your own hands. An effective internal monitoring
program can catch 90% or more of phishing attacks while still being low-cost
and timely.
- Monitor e-mail – both returned “blow back” from bounced phishing
spam and customer reports to your reporting address (like the phishing@bankname.com
address described above) – every hour of the day and night, 24/365. Watching
for returned e-mail is specifically part of the proposed new federal “Red
Flag” regulations for identity theft.
- Analyze your website logs for suspicious activity – you can spot
precursors to new attacks and stop them prior to launch. This can be done
with your current web log tools or third party products that add other useful
fraud alerting.
- Add in 3rd Party Monitoring for a variety of vectors (spam, domain registrations,
web content, etc.) that you CAN’T see directly. Good services can catch
another 10% or more of phishing attacks first and cover overnight and weekend
needs.
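The website-log monitoring item above is the one most institutions can start on today with nothing but their existing logs. As an added illustration (not code from the original article or from Internet Identity), the script below scans Apache/nginx “combined” format log lines for a classic phishing precursor: a cloned login page hosted elsewhere that still loads its logo, stylesheet or scripts from your real site, or sends victims to your login page, which shows up as requests with a Referer on a host you don’t own. The domain names and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical institution domains; replace with the hosts you actually own.
OWN_DOMAINS = {"bankname.com", "www.bankname.com"}

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Static assets a copied page typically keeps pointing at the real site.
ASSET_EXT = (".gif", ".png", ".jpg", ".css", ".js")


def referer_host(referer):
    """Hostname from the Referer header, or None when it is empty or '-'."""
    if referer in ("", "-"):
        return None
    return (urlparse(referer).hostname or "").lower() or None


def find_hotlinkers(lines):
    """Map each foreign Referer host to the set of our paths it pulled.

    Flags requests for our assets or login pages whose Referer is not one of
    OWN_DOMAINS. A cloned login page appears here before its spam goes out.
    """
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host = referer_host(m["referer"])
        if host is None or host in OWN_DOMAINS:
            continue  # direct visits and our own pages are normal traffic
        path = m["path"]
        if path.lower().endswith(ASSET_EXT) or "login" in path.lower():
            hits[host].add(path)
    return dict(hits)


# Constructed sample log lines (documentation/reserved addresses and names only).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2006:13:55:36 -0700] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://www.bankname.com/login" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2006:13:57:01 -0700] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://bankname-login.example/index.htm" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2006:13:57:02 -0700] "GET /css/site.css HTTP/1.1" 200 900 "http://bankname-login.example/index.htm" "Mozilla/4.0"',
    '192.0.2.9 - - [10/Oct/2006:14:01:10 -0700] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Oct/2006:14:02:00 -0700] "GET /login HTTP/1.1" 302 0 "http://www.example.org/offer" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, paths in sorted(find_hotlinkers(SAMPLE_LOG).items()):
        print(f"{host}: {sorted(paths)}")
```

Run it against a day of real logs and review every host it lists; a legitimate partner site occasionally appears, so keep an allow-list, but a fresh domain loading your logo and stylesheet is worth a look before the first customer report arrives.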
React swiftly and decisively to attacks: Time = Money when it comes to
a phishing attack. The longer a site remains in place and unblocked, the
more direct losses you will suffer. Companies that react quickly to phishing
sites often see fewer follow-up attempts.
- Report to blocking services to keep customers from ever seeing the site. The
just released Internet Explorer 7 and Firefox 2.0 have extremely effective
phishing site blocking capabilities – IF they know about your site!
A large and growing number of other tool providers and ISPs are blocking within
minutes of a trusted report. You need to report your sites to these services
ASAP. Your best bet is a third-party aggregator that has direct pipelines
into the various major blocking services. For example, Internet Identity provides
this service for free to any financial institution.
- Get the site down – Use an experienced internal strike team or vendor
for fast results: A 24/365 operation is a must since many sites are located
overseas and you need to communicate with them during their business hours
to get results. The industry average site is down in 5 days (source: APWG)
while an experienced team or vendor can usually kill them in under 24 hours
– anywhere in the world. By the way, the FBI and law enforcement do
NOT as a rule do phishing site take-downs. Reporting to them is a fine idea,
but don’t expect them to handle your immediate problem.
Educate your customers, be smart yourself: While some people will always
be fooled by sophisticated, new tactics, being smart about how you do business
and keeping your customers informed will keep the majority of your customers
out of trouble.
- Periodically send general information and policies regarding phishing to
customers via all mediums and place phishing information prominently on your
company website and user login areas. There are lots of free and inexpensive
materials available from industry groups and government agencies you can use
for this.
- Standardize outbound messaging and marketing and use good e-mailing tactics
to make sure you don’t help train your customers to be phished. For
example, minimize the use of links in e-mail and use your own domain names
for referenced logins. Also, try to personalize messages so your customers
come to expect you to know who they are – the bad guys usually don’t.
There is still more you can and should be doing – multi-factor authentication
as required by the FFIEC, for example. However, covering this list should put
you into good “fighting shape” for dealing with the phishing attacks
that will inevitably hit your institution in the near future.
For a consolidated checklist and more information on these and other tactics,
please visit our website (http://www.internetidentity.com).
Another great resource for information, peer discussions, and vendors who can
help you is the Anti-Phishing Working Group – (http://www.antiphishing.org).