An official website of the United States government
Parts of this site may be down for maintenance Saturday, November 23, 7:00 p.m. to Sunday, November 24, 9:00 a.m. (Eastern).
Alert 2003-11 | September 12, 2003
Share This Page:
Chief Executive Officers and Chief Information Technology Officers of National Banks, Federal Branches, Service Providers, Department and Division Heads, and Examining Personnel
This alert is intended to raise awareness of an increasingly common Internet fraud called "phishing" and encourages banks to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers.1
The FBI's Internet Fraud Complaint Center (IFCC) reports a steady increase in complaints involving unsolicited emails directing consumers to a phony "customer service" website or directly asking for customer information. These scams are contributing to a rise in identity theft, credit card fraud, and other Internet-based frauds.2 E-commerce customers, including bank customers, have fallen victim to these scams.
Phishing involves sending customers a seemingly legitimate email request for account information, often under the guise of asking the customer to verify or reconfirm confidential personal information such as account numbers, social security numbers, passwords, and other sensitive information. In the email, the perpetrator uses various means to convince customers that they are receiving a legitimate message from someone whom the customer may already be doing business with, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links, and graphics may be employed to mislead the customer. After gaining the customer's trust, the perpetrator attempts to convince the customer to provide personal information and provides one or more methods for the customer to communicate that information back. For example, the email might include a link to the perpetrator's website that contains a form for entering personal information. Like the email, the website is designed to trick the customer into believing it belongs to the bank. Alternatively, the email might simply include an embedded form for the customer to complete. The ultimate goal of this fraud is to use the customer information to gain unauthorized access to a customer's bank or financial accounts or to engage in other illegal acts.
Banks should implement appropriate controls consistent with the security process described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet." Management should consider the following actions to help prevent, detect, and respond to the threat from email-related frauds:
Prevention
Detection
Response
In the event your institution is a victim of an email-related scam, you should promptly notify your OCC supervisory office. As appropriate, you should also report the event to law enforcement by filing a Suspicious Activity Report.
Questions regarding this alert should be directed to Clifford A. Wilke, director for Bank Technology Policy at (202) 874-5920 or clifford.wilke@occ.treas.gov.
Ralph E. Sharpe Deputy Comptroller for Technology
1Refer to the FFIEC Information Technology Examination Handbook's "Information Security Booklet" located at www.ffiec.gov.
2Federal Bureau of Investigation Press Release, "FBI Says Web 'Spoofing' Scams are a Growing Problem", July 21, 2003.
3Refer to OCC Advisory Letter 2001-8, "Authentication in an E-Banking Environment."
4Refer to OCC Alert 2000-9, "Protecting Internet Addresses of National Banks."