When a bank gets "phished" or "pharmed," what's next?
The Office of the Comptroller of the Currency (OCC) has issued guidance on how banks should mitigate risks to themselves and to customers from "Web-site spoofing," and how to help law enforcement authorities with their investigations.
Following are some of the takeaways from the OCC guidance.
First, the procedures that a bank should establish in advance of a spoofing incident:
- Assign certain bank employees responsibility for responding to an incident.
- Determine incident response protocol with outsourcing vendors, and integrate their procedures with internal procedures.
- Establish contacts with the FBI and local law enforcement authorities in advance of any spoofing incident.
- Use customer education programs, such as statement stuffers and Web-site alerts, to explain Internet-related scams and safe computing practices.
Best practices in incident detection and information gathering:
- Monitor returned e-mail, Web-server logs, and call center traffic for indicators of spoofing attacks.
- Search the Internet for unauthorized identifiers associated with the bank.
- Provide telephone contact numbers for customers to report phishing incidents.
- Collect information about spoofing incidents, including how each incident was discovered, copies of the e-mail received, the IP addresses of the spoofed sites, the Web-site address and registration information, and the geographic locations of the IP addresses.
Finally, the key steps to take in response to an incident:
- Communicate promptly with the ISP hosting the fraudulent Web site.
- Contact the domain name registrars.
- Obtain a subpoena to learn the identity of the domain's owners from the ISP.
- Work with law enforcement and other anti-phishing channels.
Read the full OCC bulletin.