Subject: Customer Identity Theft: E-Mail-Related Fraud Threats
Date: September 12, 2003
To: Chief Executive Officers and Chief Information Technology Officers of National Banks, Federal Branches, Service Providers, Department and Division Heads, and Examining Personnel
This alert is intended to raise awareness of an increasingly common Internet fraud called "phishing" and encourages banks to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers.[1]
The FBI's Internet Fraud Complaint Center (IFCC) reports a steady increase in complaints involving unsolicited e-mails directing consumers to a phony "customer service" Web site or directly asking for customer information. These scams are contributing to a rise in identity theft, credit card fraud, and other Internet-based frauds.[2] E-commerce customers, including bank customers, have fallen victim to these scams.
Phishing involves sending customers a seemingly legitimate e-mail request for account information, often under the guise of asking the customer to verify or reconfirm confidential personal information such as account numbers, social security numbers, passwords, and other sensitive information. In the e-mail, the perpetrator uses various means to convince customers that they are receiving a legitimate message from someone whom the customer may already be doing business with, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links, and graphics may be employed to mislead the customer. After gaining the customer's trust, the perpetrator attempts to convince the customer to provide personal information and provides one or more methods for the customer to communicate that information back. For example, the e-mail might include a link to the perpetrator's Web site that contains a form for entering personal information. Like the e-mail, the Web site is designed to trick the customer into believing it belongs to the bank. Alternatively, the e-mail might simply include an embedded form for the customer to complete. The ultimate goal of this fraud is to use the customer information to gain unauthorized access to a customer's bank or financial accounts or to engage in other illegal acts.
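As an added illustration of the indicators described above (example code, not part of the original alert), the following Python script checks a message for three of them: a Reply-To domain that differs from the From domain, a link whose visible text names one host while its href points to another, and an embedded form that collects a password. The sample message, bank name, addresses and IP address are all constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message: a forged bank "From", a link whose
# visible text names the bank while its href goes elsewhere, and a form
# asking for a password.  Hosts and addresses are made up for this example.
SAMPLE = """\
From: Customer Service <service@examplebank.com>
Reply-To: verify@examplebank-verify.example
Subject: Please reconfirm your account
Content-Type: text/html

<html><body><p>Please verify your account at
<a href="http://198.51.100.23/login">https://www.examplebank.com/</a></p>
<form action="http://198.51.100.23/submit" method="post">
Account: <input name="acct"> Password: <input name="pw" type="password">
</form></body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
FORM_RE = re.compile(r'<form\b[^>]*>(.*?)</form>', re.I | re.S)

def addr_domain(header_value):
    # Domain part of an address header such as 'Name <user@host>'
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def url_host(url):
    # Hostname of a URL, lower-cased; empty string if there is none
    return (urlparse(url.strip()).hostname or "").lower()

def phishing_indicators(raw_message):
    # Returns a list of human-readable indicators found in the message
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom, reply_dom = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        shown = url_host(text) if "://" in text else ""
        if shown and shown != url_host(href):
            findings.append(f"link text shows {shown} but href goes to {url_host(href)}")
    for form in FORM_RE.findall(html):
        if re.search(r'type="password"', form, re.I):
            findings.append("embedded form collects a password")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

These checks only cover the indicators the alert names; a message that passes them is not thereby legitimate.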
Risk Mitigation for E-mail-Related Frauds
Banks should implement appropriate controls consistent with the security process described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet." Management should consider the following actions to help prevent, detect, and respond to the threat from e-mail-related frauds:
In the event your institution is a victim of an e-mail-related scam, you should promptly notify your OCC supervisory office. As appropriate, you should also report the event to law enforcement by filing a Suspicious Activity Report.
Questions regarding this alert should be directed to Clifford A. Wilke, director for Bank Technology Policy at (202) 874-5920 or email@example.com.
Ralph E. Sharpe
[1] Refer to the FFIEC Information Technology Examination Handbook's "Information Security Booklet" located at www.ffiec.gov.
[2] Federal Bureau of Investigation Press Release, "FBI Says Web 'Spoofing' Scams are a Growing Problem", July 21, 2003.
[3] Refer to OCC Advisory Letter 2001-8, "Authentication in an E-Banking Environment."
[4] Refer to OCC Alert 2000-9, "Protecting Internet Addresses of National Banks."