After Home Depot’s massive data breach earlier this year the company is warning consumers to be on guard against phishing scams. With 53 million email addresses stolen as part of the breach, there is a high probability that cybercriminals will use these emails to dupe consumers into giving them their online banking credentials or other personal information.
Cybercriminals use a variety of tactics to obtain the information used in account takeover attacks, including phishing (email), vishing (voice calls) and SMiShing (SMS text messages). A recent study by Google found phishing emails to be surprisingly effective. With this many addresses now in criminal hands, consumers will need to treat any unexpected email that claims to come from Home Depot, their bank or another trusted brand with heightened suspicion.
Who’s at risk?
Consumers are at risk because it is their accounts and personal information that will be stolen if cybercriminals succeed. It falls to the consumer to update account records, keep a close eye on transactions, and alert their financial institution to any suspicious activity. If an account is taken over, the consumer has to live with the consequences. Recovering funds and cleaning up after an account takeover is a laborious process with ripple effects that can last for years, including damage to credit and follow-on identity theft.
Financial institutions will bear the brunt of the direct financial impact of any successful phishing or other cybercrime campaign. Under consumer-protection rules (Regulation E in the U.S.), institutions must generally reimburse consumers for unauthorized electronic transfers that are reported promptly, so the loss lands on the institution rather than the customer; business accounts do not enjoy the same protection. Because of the large number of email addresses stolen, it is difficult to predict how much money could be defrauded as a result of this one attack. However, account takeover theft increased 69% between 2011 and 2012 and accounted for $69 billion in fraud losses. According to Julie Conroy of Aite Group, even with investments in authentication and fraud monitoring tools, "We're not decreasing account takeover at all."
Today, many of the larger banks, credit unions, and other financial institutions have data breach and account takeover response plans in place. These plans range from internal teams with full responsibility for monitoring and shutting down attack sites, to fully outsourced functions, to a hybrid of the two. They are designed to minimize the financial (and brand) impact of attacks targeting customers and members. However, small and mid-sized community and regional financial institutions are just as likely to be targeted as the larger organizations: because the bigger organizations have deployed measures that blunt account takeover attacks, criminals move on to softer targets. The smaller and mid-sized institutions also tend to lose more money on a per-customer basis because they are typically either unprepared or unfamiliar with the steps needed to mitigate the attacks targeting their customers or members.
What financial institutions should do:
- Educate consumers about the current threat: include it in customer newsletters or post it on the online banking website.
- Make sure customers know how to spot suspicious activity (emails, phone calls or text messages) and where to report it.
- Have a phishing, vishing, and SMiShing attack response plan. Responding quickly (taking down the lure site, warning customers, watching the affected accounts) is critical to minimizing the immediate impact.
- Ensure a dedicated "abuse box" email account on the institution's own domain is published to customers and monitored in real time, so that forwarded lures are triaged and the attack site is shut down as soon as the first report arrives.
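The following Python script is an added example, not part of the original post, of the first-pass triage an abuse-box monitor can run over each forwarded lure before a human looks at it. It parses the reported message, compares the From and Reply-To domains, extracts links from the body, and flags hosts that borrow the institution's brand name or whose visible link text claims the bank's domain while the href points elsewhere, plus the urgency language typical of account-suspension lures. The institution domain examplebank.com, the brand token and the sample message are all hypothetical and constructed for illustration; a production version would use a public-suffix list instead of the crude last-two-labels domain reduction shown here.

```python
import re
from email import message_from_string, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical institution used for this example (not a real bank).
LEGIT_DOMAINS = {"examplebank.com"}
BRAND_TOKENS = ("examplebank",)

# Constructed sample of a lure forwarded to the abuse box (not a real message).
SAMPLE_REPORT = """\
From: "ExampleBank Security" <alerts@examplebank-secure.com>
Reply-To: recover@mail-verify.net
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your online banking access has been suspended.</p>
<p>Please <a href="http://examplebank.com.login-verify.net/auth">www.examplebank.com</a>
to restore access.</p>
</body></html>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL or bare host string ('' if it is not one)."""
    text = text.strip()
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#].*)?$", text, re.I):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: last two labels (use a public-suffix list in production)."""
    return ".".join(host.split(".")[-2:])


def is_lookalike(host):
    """Host that borrows the brand name but is not one of our own domains."""
    return bool(host) and registrable(host) not in LEGIT_DOMAINS \
        and any(token in host for token in BRAND_TOKENS)


def _body_text(msg):
    """Concatenate all text/* parts of the message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw_message):
    """Return (verdict, findings) for one message forwarded to the abuse box."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = utils.parseaddr(msg.get("From", ""))
    from_host = from_addr.rpartition("@")[2].lower()
    if is_lookalike(from_host):
        findings.append(("lookalike_sender_domain", from_host))

    _, reply_addr = utils.parseaddr(msg.get("Reply-To", ""))
    reply_host = reply_addr.rpartition("@")[2].lower()
    if reply_host and reply_host != from_host:
        findings.append(("reply_to_mismatch", reply_host))

    body = _body_text(msg)
    parser = _Links()
    parser.feed(body)
    seen = {href for href, _ in parser.links}
    # Bare URLs in plain-text parts count as links with no visible text.
    links = parser.links + [(u, "") for u in re.findall(r"https?://[^\s<>\"']+", body)
                            if u not in seen]
    for href, text in links:
        href_host, text_host = host_of(href), host_of(text)
        if is_lookalike(href_host):
            findings.append(("lookalike_link_host", href_host))
        # Visible text names our domain but the link actually goes elsewhere.
        if text_host and registrable(text_host) in LEGIT_DOMAINS \
                and registrable(href_host) not in LEGIT_DOMAINS:
            findings.append(("link_text_mismatch", href_host))

    subject = msg.get("Subject", "")
    if re.search(r"\b(suspend|verify|within \d+ hours|urgent)", subject + " " + body, re.I):
        findings.append(("urgency_language", subject))

    verdict = "likely_phish" if len(findings) >= 2 else ("review" if findings else "no_indicators")
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_REPORT)
    print(verdict)
    for tag, detail in findings:
        print(f"  {tag}: {detail}")
```

Run stand-alone, the script reports the constructed sample as a likely phish with five indicators. The hostnames it extracts (the lure site and the Reply-To domain) are exactly what the response plan above needs for a takedown request, so the same triage output can feed the team or vendor responsible for shutting the attack site down.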
Protect your financial institution from account takeover attacks. Join us for a live webinar on November 18, 2014 and learn more about Powerful Strategies for Account Takeover Fraud Prevention.
During the webinar participants will learn:
- How fraudsters hijack accounts and circumvent common anti-fraud controls.
- Why current measures are ineffective at stopping ATO fraud.
- New strategies to go beyond authentication to fight and prevent online fraud.
You may also be interested in our Combating Account Takeover whitepaper.