Cybercriminals use phishing to go after personal information such as an account number, password, username or Social Security number, and then use that information to take control of your account. Phishing attacks are cheap, easy to execute, and difficult to stop. In 2015, we analyzed more than one million confirmed malicious phishing sites residing on over 130,000 domains, and we shut down more than 6,000 phishing attacks every month. But online fraud isn't limited to phishing. Cybercriminals use a multitude of other techniques to take over accounts and carry out fraud, including phone scams, malicious mobile apps, text message scams, and – of course – malware.
FFIEC guidance on fraud prevention is a good place to start, but it is not enough to protect against these attacks. Financial fraud techniques continue to become more sophisticated, and the authentication and transaction monitoring capabilities financial institutions have put in place are not sufficient to protect their customers and their reputations from ATO threats. Defensive controls of this kind only inspire the creativity of the attackers, who adapt their lures and tooling to get around each new layer. Financial institutions need to go on offense.
Get engaged in the battle with cybercriminals by taking a more proactive approach that goes beyond FFIEC compliance, authentication, and transaction monitoring. Financial institutions of any size can no longer afford to limit their focus to internal controls. They need to shift attention outward and help protect customers from the attacks that steal their credentials and enable account takeover. "But how can I do that?" you may ask. Good question!
The first step is to get visibility into the cybercrime attacks targeting your customers. At a minimum, make it easy for customers to report suspicious emails, text messages, phone calls, and similar contacts, and have procedures in place so that those reports are handled quickly. There are also services (like those PhishLabs provides) that detect these attacks "in the wild" by analyzing massive volumes of spam, malware, and website data.
Having visibility into these attacks allows you to respond and rapidly shut them down. For example, phishing sites can be taken offline by working with the hosting providers, domain registrars, and administrators of the (often compromised) websites involved. Once a site is taken offline, potential victims can no longer reach it and divulge their credentials.
However, cybercriminals can easily replace websites, phone numbers, and hosts to resume their attacks, so taking down these components alone is not enough. They are just the tip of the iceberg: an entire ecosystem of infrastructure, services, and tools underpins every profitable attack. Cybercriminals need locations to send and store stolen data (called "data drops"). They need phishing and malware kits to make deploying attacks easy. They need to be able to distribute their attacks at scale. And they need to be able to monetize the stolen data.
Disrupting this ecosystem not only makes it more difficult to carry out future attacks, it also takes away the attackers' profits. When they don't make money, they move on to other targets.
Given the increasing risks, consequences, and costs associated with account takeover attacks, and the growing proliferation of cheap and easy phishing techniques, financial institutions of all sizes need to evaluate their current anti-fraud strategies. If you seek security through FFIEC compliance alone, you may find your institution at greater risk than you realize. Adding further layers of authentication and transaction monitoring technology can be a substantial drain on resources while delivering only a temporary reprieve. You must go on the offensive.
Read more about ATO|Prevent from PhishLabs, a solution banks and credit unions should consider when evaluating ways to engage in the fight against account takeover threats.