DEAR BOARD OF DIRECTORS:
In our Letter to Credit Unions #04-CU-12 Phishing Guidance for Credit Union Members, we highlighted the need to educate your membership about phishing activities. As the number and sophistication of phishing scams continues to increase, we would like to emphasize the importance of educating your employees and members on how to avoid phishing scams as well as action you and/or your members may take should they become a victim.
Appendix A of this document contains information you may share with your members to help them from becoming a victim of phishing scams. Appendix B contains information you may share with your members who may have become a victim of phishing scams.
Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords, account, credit card details, etc. by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message. Often the message includes a warning regarding a problem related to the recipient’s account and requests the recipient to respond by following a link to a fraudulent website and providing specific confidential information. The format of the e-mail typically includes proprietary logos and branding, such as a “From” line disguised to appear as if the message came from a legitimate sender, and a link to a website or a link to an e-mail address. All of these features are designed to assure the recipient that the e-mail is from a legitimate business source when in fact, the information submitted will be sent to the perpetrator.
- Phishing can take many forms such as:
- Deceptive Phishing;
- Malware Phishing;
- key loggers and screen loggers
- session hijackers
- web trojans
- hosts file poisoning
- system reconfiguration attacks
- data theft
- Domain Name System (DNS) Phishing (commonly referred to as Pharming);
- Content-Injection Phishing;
- Man-in-the-Middle Phishing; and
- Search Engine Phishing.
Each of the above phishing techniques is described in detail in the Identity Theft Technology Council’s1 (ITTC) whitepaper, Online Identity Theft: Technology, Chokepoints and Countermeasures. The whitepaper also includes specific action credit unions may take to reduce the chance of being phished as well as steps to take should your credit union become a target of phishing. The whitepaper is available for download from Anti-Phishing Working Group’s (APWG)2 website at: http://www.antiphishing.org/Phishing-dhs-report.pdf.
As of August 2005, the APWG reported that the financial services industry continued to be Most Targeted Industry Segments the most targeted industry sector staying steady at nearly 85% of all attacks. In addition, the APWG is seeing a wide diversity of brands being spoofed and very small financial institutions all over North America and Western Europe are steadily appearing as phishing targets.
Prevention and Mitigation
Credit union member education and staff training are important tools you can use to combat e-mail frauds such as phishing. Appendix A to Part 748 of the NCUA Rules & Regulations contains guidelines designed to ensure the security and confidentiality of member information; protect against any anticipated threats or hazards to the security or integrity of such information; protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member; and ensure the proper disposal of member information. Credit unions should consider implementing the following measures as appropriate:
- Implement a policy that your credit union will not solicit confidential or sensitive member information via e-mail and inform members of the policy on a periodic basis.
- Provide a notice3 to your credit union members describing your security policies and practices including the role the member can play in protecting his or her own information.
- Include a security-related page4 on your website to educate members about phishing and other fraudulent activities.
- Adopt a policy to personalize e-mails to members using their names in the message, and inform members of this policy5.
Keep abreast of advances in technology designed to protect member information and reduce e-mail fraud, and take advantage of those that are effective and practical for your credit union. For example, if your credit union provides highrisk Internet based services, you should consider using multifactor authentication techniques (see NCUA Letter to Credit Unions #05-CU-18 Guidance on Authentication in Internet Banking Environment for detailed information on multifactor authentication).
- Apply system (hardware and software) patches and upgrades on a timely basis.
- Maintain information security procedures in accordance with current industry best practices and regulatory guidance (see Additional References section).
- Keep website certificates6 current and educate members how to verify that the pages they are viewing are actually those of your credit union.
- Design educational popup messages7 to appear occasionally when a member logs in or views certain pages.
- Train security and service staff regarding your policies and procedures for protecting member information, including those concerning phishing and other forms of e-mail fraud, so they are sensitive to member comments and informed of the appropriate actions to take.
If you become aware of actual phishing incidents using your credit unions’ name, logo, graphics, etc. attempting to solicit information from your members (also known as “spoofing”), you should consider taking the following actions as appropriate:
- Post a prominent alert notice8 on your website’s homepage and login screen.
- Contact members directly by mail and/or e-mail providing them with the information noted above.
- Monitor member accounts for unusual activity and trends.
- Flag and monitor closely the accounts of members who report that they have fallen victim to a phishing or similar e-mail scam.
- Alert your staff to the incident so that they are sensitive to the situation and report activity such as unusual address change requests, account transactions, or new account activity.
- Encourage members who believe that they have been a victim of the phishing scam to follow the recommendations published in the brochure, You Can Fight Identity Theft, outlining steps members should take to reduce the risk of identity theft.
A “camera-ready” version of the brochure is available on the NCUA Website at (opens new window) for downloading and copying. For credit unions that do not have access to the Internet, limited copies of the brochure can be obtained directly by contacting:
National Credit Union Administration
Office of the Chief Financial Officer – Division of Procurement and Facilities Management
1775 Duke Street
Alexandria, VA 22314
Telephone: (703) 518-6340
You should report incidents of phishing and other e-mail fraud attempts that target your credit union to the link provided in the NCUA Website (“Internet/E-Mail Fraud Alert”).
If you have any questions or concerns, please contact your NCUA Regional Office or State Supervisory Authority.
JoAnn M. Johnson
Chairman, National Credit Union Administration Board
1Members of the Identity Theft Technology Council represent a public-private partnership between the U.S. Department of Homeland Security (DHS), Science and Technology Directorate (S&T), SRI International, the AntiPhishing Working Group, and private industry
2The Anti-Phishing Working Group is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organization provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community, and solutions providers. There are more than 1300 companies and government agencies participating in the APWG and more than 1900 members.
3This notice should include information to make members aware of fraudulent activities and scams that can be carried out using e-mail, the Internet, and other communication channels. The notice should also describe what the member should do if they suspect they are the targets of one of these schemes. The security policies and the notification to customers should include specifics regarding what information you will not request from members via e-mails, telephone, or other communication methods. With this information, your members will be more alert to suspicious e-mails. This notice may appear on monthly statements, the credit union’s website, and other periodic communications
4The page might include information about known frauds and instructions on what members should do if they identify or suspect one. An effective practice is to place a prominent link or button on each page of your website that will direct the reader to the security page.
5Perpetrators often use mass-mailing programs to send “spam’ e-mails to many recipients using a non-personalized greeting such as “Valued Member” or “To Whom It May Concern”. Instruct members not to respond to such emails and to notify you if they receive any e-mails purporting to be from your credit union that do not include this personalization.
6If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. Some steps you can take to help determine if a site uses encryption are to look for a closed padlock in the status bar at the bottom of your browser window and to look for " " rather than " " in the URL. By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics: (1)the web site address matches the address on the certificate; and (2)the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority. There are two ways to verify a web site's certificate. One option is to click on the padlock in the status bar of your browser window. However, your browser may not display the status bar by default. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following: (1)Who issued the certificate-You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust); (2)Who the certificate is issued to-The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect; and (3)Expiration date-Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.
7Possible messages subjects include how to identify a phishing attack, how to avoid the consequences, how to report attacks to you, and how to get to the security section of the website.
8The notice should relate the details of the phishing incident so the reader will be able to recognize it and know not to respond to it or other e-mail requests of this type. The notice should also reiterate your credit union’s security policies and practices and indicate how to identify legitimate communications from your credit union. Finally, the notice should include a point of contact should the member need more information or wish to report that they have been a victim of the scam.