Phishing and fraud make use of constantly evolving techniques: Yesterday's poorly written e-mail is today's polished con, often making use of unpatched vulnerabilities, Web site spoofing and other subtle techniques average users aren't likely to detect. This evolution has ramifications across the board for security, including planning strategy.
How can your enterprise prepare?
Elazar Katz, director of the Active Risk Monitoring Practice at Blue Bell, Penn.-based Unisys Corp. says many financial institutions use technologies that deal poorly with large-scale attacks. He recommends IT security managers approach the problem by considering fraud detection as a risk management ecosystem where transactions are monitored in real-time across channels for atypical usage patterns and known fraud scams. Findingsg are then shared between detection systems, and the strategy of each system continuously adapts to the situation.
Katz said that to address the risks of the online channel, a multi-layer defense approach makes the most sense. "One layer would focus on detecting the phishing attack itself, the next would monitor for suspicious online intelligence-gathering sessions, and the last would focus on detecting the counterfeit check itself. This approach would be particularly effective if the various layers could communicate and alert each other of incoming fraud scams."
Consider asking: "How will my bank fare if someone launched a fraud virus or other large-scale fraud attack against my institution? How quickly will my bank become aware of the problem? How rapidly will I be able to identify and block affected accounts?" says Katz. "Asking these questions may reveal significant weaknesses in current systems."
Katz suggests the following mitigations for Check 21 threats:
- Analyze Internet log-ins for suspicious indicators
- Communicate suspicions to the check-fraud system
- Mask high-risk components of the check image
- Recognize the limitations of using check amount and frequency as fraud indicators
- Implement dynamic detection strategies that change based on risk conditions
- Make effective use of the hidden components within your image analysis system
- Use advanced character recognition techniques to provide additional context
- Profile payees for suspicious payee concentrations
- Implement automated procedures for rapid identification of other affected accounts
- Automate the blocking of accounts and devices for rapid response.
Enterprises of all types can proactively protect their company and their brand by defining consistent policies for contacting customers via e-mail that are clearly communicated to employees and customers. Set up a point of contact where customers can report fraud.
In a recent interview, Vincent Weafer, senior director of Symantec Security Response, also suggested: "Enterprises should look into setting up 'honeypot' e-mail accounts to trace phishing attacks that use the company's name. In the event that a phishing attack is discovered, enterprises should immediately notify authorities and customers. If a Web site is involved, they should request that the host ISP remove the site."
U.S.-based enterprises can contact their local FBI office or FBI Internet Fraud Complaint Center and the Federal Trade Commission. Companies in other countries can contact the national law enforcement agency that manages consumer fraud.