Case Study
Death to Phishing
What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.
By Sarah D. Scalet
Not that bank employees sit around waiting for the news. Sometimes a new phish announces itself violently, as the bank's e-mail servers get pummeled with phishing e-mails that are bouncing back to their apparent originator. But Jones says the best source for finding out about new attacks is neither the vendor nor the company's e-mail servers.
"It's your customers and noncustomers" (the e-mail-using public) "who are going to be the ones that tell you that the phish is out there," she says.
After that first phish, the bank set up one e-mail address where all suspected phishing e-mails are directed. (Typical addresses for this type of account are fraud@domainname.com and phish@domainname.com.) That way, more of the e-mail's header information is left intact, and no one has to scroll through pages of forwarding information to see the original message.
Situation Management, which deals with any kind of outage or crisis and already had around-the-clock coverage, monitors this inbox. When a possible phish arrives, whoever is on call first looks to see if the phish has already been reported. (An individual phish is identified by its message and the URL to which it points.) If the phish is a new one, it gets assigned a number based on the date and entered into the company's homegrown phishing database. "You see what information they're looking for, if the website is up, screen shots, you name it," says a Situation Management team member.
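The triage step described above (identify a phish by its message and the URL it points to, check whether it has already been reported, and assign a date-based number to new ones) as an added example; this is illustrative code, not the bank's homegrown database, and the report texts, hostnames and the `PhishLog` helper are constructed for the example.

```python
import hashlib
import re
from datetime import date
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def phish_fingerprint(body):
    """Key a phish by the host its first URL points to plus a hash of the
    message text with URLs masked, so lure copy reused against a new host
    or the same host with varying tracking parameters still groups correctly."""
    urls = URL_RE.findall(body)
    host = (urlsplit(urls[0]).hostname or "") if urls else ""
    text = " ".join(URL_RE.sub("<URL>", body).lower().split())
    return host, hashlib.sha256(text.encode()).hexdigest()[:16]

class PhishLog:
    """Minimal stand-in for a phishing database: dedupe by fingerprint and
    number new phish as YYYYMMDD-NN in order of first report that day."""
    def __init__(self):
        self.records = {}      # fingerprint -> record
        self.per_day = {}      # "YYYYMMDD" -> count of new phish that day

    def report(self, body, received):
        key = phish_fingerprint(body)
        if key in self.records:
            self.records[key]["reports"] += 1
            return self.records[key]["id"], False
        day = received.strftime("%Y%m%d")
        self.per_day[day] = self.per_day.get(day, 0) + 1
        rec = {"id": f"{day}-{self.per_day[day]:02d}", "host": key[0],
               "first_seen": received, "reports": 1}
        self.records[key] = rec
        return rec["id"], True

# Constructed sample reports as they might land in the fraud@ inbox.
REPORTS = [
    ("Dear customer, verify your account at http://Example-Bank.test/verify now.", date(2024, 1, 15)),
    ("DEAR CUSTOMER,  verify your account at http://example-bank.test/verify?id=7 now.", date(2024, 1, 15)),
    ("Your card is locked. Unlock at http://card-unlock.test/x", date(2024, 1, 15)),
]

def triage(reports):
    """Return (assigned id, is_new) for each report in arrival order."""
    log = PhishLog()
    return [log.report(body, when) for body, when in reports]

if __name__ == "__main__":
    for body, (pid, new) in zip(REPORTS, triage(REPORTS)):
        print(pid, "NEW" if new else "dup", body[:40])
```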
With the attack logged, the first responder sends an e-mail to the phishing incident response team (PIRT). The PIRT, led by Jones, is the technical group that sprang from that first chaotic conference call. It consists of members of the information security and antifraud teams, who on a rotating basis are assigned to "baby-sit" whatever phish are born under their watch. The first responder also e-mails the Tiger Team, the more strategic response group, also created after that first conference call, which includes the CISO and representation from corporate security and Situation Management. He leaves voice mails for key players, such as the CISO. And, most importantly, he informs Brandimensions, which initiates its takedown processes.
The Takedown
The window of opportunity for a phisher is the time between when a phishing e-mail goes out and when the fraudulent website collecting information is taken down. Left unchecked, a phishing site may stay up for days or even weeks, as information trickles in from dawdling customers who've fallen for the scam. A good takedown process can slam that window shut within hours.