Case Study

Death to Phishing

What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.

By Sarah D. Scalet

Page 6

When the possibility of a phishing attack was theoretical, it didn't seem that this part of the response would be very complicated. "It's easy for management, who is more removed from the clientele base, to say, 'If this occurs, we're going to do ABC. For every client that we know [was affected], we're going to shut down all those accounts, and we're going to replace them,'" Miller says. "But then the reality hits."

That first attack opened the floodgates. Over the next months, Bank XYZ was hit again and again, up to dozens of times a day. Sometimes the attacks were copycat phishes, launched after a tool kit, complete with templates, was released into the phishing community. (This sharing practice gains the original phisher credibility among his cohorts, while also throwing law enforcement off his track.) But other times the phishing attacks were unique. Bank employees came to realize that they were facing a maddening series of "what if" scenarios.

If the customer gave up only her ATM card and PIN, was it safe for the bank just to reissue an ATM card? If a customer gave up his banking log-on information, did all his account numbers need to change? If a customer gave up her Social Security number at a phishing site with Bank XYZ's logo, how proactive should the bank be about counseling the customer on identity theft? And how, by the way, could the call center realistically provide coverage during the deluge of calls caused by a phishing attack?

"For every phone call that you take, there's a reaction that has to occur," Miller points out. "Accounts don't just close themselves. That's a time-consuming process." It's also an expensive one: The TowerGroup estimates that replacing a single ATM card costs about $7.50.

It took months to work out the resulting procedures. For instance, the bank eventually decided to have the call center handle initial account changes, but to have someone from the fraud department follow up with customers within 24 hours, for further counseling and investigation. Another policy: When online banking information was divulged, before changing all the customer's account information, the bank would look at recent account activity and try to determine what information had been accessed.

Of course, all of this begged a larger question: Who wasn't calling? Which customers hadn't realized they'd been duped? Answers, occasionally, came in an unexpected gift. Sometimes, either the vendor or members of the fraud department were able to exploit a vulnerability in a phishing website that allowed them to actually see which customers had entered account information, put a hold on those accounts, and contact the customer to get the account information changed.
