
New Phishing Scam Uses FFIEC Guidelines As Subject Medium

Compliance regulations are usually the concern of Chief Security Officers (CSOs) and governance officers. Now phishers are becoming 'governance savvy' too: they send unsolicited e-mails that pose as notices informing customers about new guidelines for financial institutions.

Phishers are circulating spam e-mails asking victims to submit information to their bank or credit union's 'new dual authentication solution', which purportedly protects their online banking activities against fraud. The scam targets the institution's customers with a fake e-mail that tricks them into surrendering their account number and PIN, ostensibly to register for their 'dual authentication code and phrase'. The e-mail tries to convince them that this step is required to continue online banking, in line with the directions of the FFIEC (Financial Institutions Examination Council).
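The lure described above combines three tells that a mail filter can score: it asks the reader to submit a secret (account number and PIN), it invokes a regulator's guidance as the pretext, and it points at a sender and link domains the institution does not own. The following is an added example, not code from SPAMfighter or the article; the two messages, the domain names and the weights are constructed for illustration, and the trusted-domain list is an assumed input the bank would supply.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages (not the actual scam mail from the article).
SAMPLE_MESSAGES = {
    "phish": """From: security@firstbank-verify.example.net
To: customer@example.org
Subject: FFIEC dual authentication required

Per new FFIEC guidelines, all customers must register for our new
dual authentication solution. Please enter your account number and PIN at
http://firstbank-verify.example.net/register to receive your code and phrase.
""",
    "legit": """From: news@firstbank.example.com
To: customer@example.org
Subject: Upcoming changes to online banking sign-in

We are rolling out an additional sign-in step next month. We will never ask
for your PIN by e-mail. Details: https://www.firstbank.example.com/security
""",
}

# Vocabulary lists are illustrative; a production filter would use a richer model.
CREDENTIAL_TERMS = re.compile(r"\b(account number|pin|password|passcode)\b", re.I)
AUTHORITY_TERMS = re.compile(r"\b(ffiec|federal|regulat\w*|guideline\w*)\b", re.I)
REQUEST_TERMS = re.compile(r"\b(enter|submit|provide|confirm|register)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class LureReport:
    score: int = 0
    reasons: list = field(default_factory=list)


def _in_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def score_message(raw, trusted_domains):
    """Score one RFC 822 message; higher means more lure-like."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    report = LureReport()

    # 1. Credential solicitation: a secret is named and the reader is told to supply it.
    if CREDENTIAL_TERMS.search(text) and REQUEST_TERMS.search(text):
        report.score += 3
        report.reasons.append("asks reader to submit account credentials")

    # 2. Authority framing: a regulator or guidance is cited to justify the request.
    if AUTHORITY_TERMS.search(text):
        report.score += 1
        report.reasons.append("invokes regulatory guidance as pretext")

    # 3. Sender domain is not one the institution owns.
    sdom = sender_domain(msg)
    if sdom and not _in_trusted(sdom, trusted_domains):
        report.score += 2
        report.reasons.append(f"sender domain {sdom} not trusted")

    # 4. At least one link leads outside the institution's domains.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not _in_trusted(host, trusted_domains):
            report.score += 2
            report.reasons.append(f"link to untrusted host {host}")
            break

    return report


def is_suspected_lure(raw, trusted_domains, threshold=5):
    """Flag a message for quarantine or user warning above the threshold."""
    return score_message(raw, trusted_domains).score >= threshold


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        r = score_message(raw, ["firstbank.example.com"])
        print(name, r.score, r.reasons)
```

Run against the two constructed messages, the spoof scores 8 on all four rules while the genuine notice scores 0: it mentions a PIN only to say it will never be asked for, and its sender and link stay on the bank's own domain. The domain checks are the part that cannot be worded around by the scammer, which is why a filter should weight them alongside, not instead of, the text heuristics.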

According to Erik Petersen, vice president of professional services at SecureWorks, "scammers have created the spoofs very cleverly. They seem to understand the working of the federal agency's supervisory functions on banking and financial institutions. They are, therefore, using that knowledge to exploit the banks as well as the customers." Petersen warns clients that this scam is likely to have a high success rate, i.e., it will get people to submit their credentials.

In October 2005, the FFIEC published a set of guidelines for banks and credit unions on authenticating their Internet banking users. The guidance is meant to confirm the identity of the user and to help tackle 'new or different risks' such as phishing, pharming, malware and other sophisticated techniques of compromise.

These guidelines are not regulations: they leave financial firms flexibility in deciding what levels of authentication to place on existing systems. Nevertheless, the FFIEC expects firms to have 'risk assessment' and 'risk mitigation' measures in place by the end of 2006. Accordingly, security firms require banks to conduct and document a risk assessment in order to select effective authentication strategies, based on the risk attached to the products and services they offer online.

Petersen finds this phishing scam particularly ironic, given that the phishers are exploiting the very 'dual authentication guidance' that is meant to protect online banking from fraud.


SPAMfighter News - 12/2/2006
