Nebraska Bankers Association

INFORMATION SYSTEM SECURITY: SAFEGUARDING CUSTOMERS AGAINST E-MAIL & INTERNET-RELATED FRAUDULENT SCHEMES

I. INTRODUCTION

On March 12, 2004, the FDIC issued a Guidance on Safeguarding Customers against E-Mail and Internet-Related Fraudulent Schemes (FIL-27-2004) to alert financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes that are aimed at financial institution customers. The guidance describes particular schemes and how institutions may assist in protecting their customers from becoming victims of such schemes.

II. SUMMARY OF GUIDANCE

According to the FDIC’s Guidance on Safeguarding Customers against E-Mail and Internet-Related Fraudulent Schemes (FIL-27-2004), typical schemes involve the use of seemingly legitimate e-mail messages and Web sites to deceive consumers into disclosing sensitive information, e.g., bank account information. The perpetrator’s goals include gaining access to financial accounts, committing identity theft, or committing other illegal acts. Financial institution customers who provide confidential information to criminals engaged in e-mail and Internet-related fraudulent schemes face immediate risk. The guidance states that “criminals will normally act quickly to gain unauthorized access to financial accounts, commit identity theft or engage in other illegal acts before the victim realizes the fraud has occurred and takes actions to stop it.” If a financial institution has been impersonated or “spoofed,” that institution is also exposed to reputational risk, as customers and potential customers may attribute the activity to a weakness in the institution’s ability to conduct business securely and responsibly.

III. CUSTOMER EDUCATION INITIATIVES

The guidance suggests that financial institution customers should be educated about prevalent or new e-mail and Internet-related fraudulent schemes, e.g., “phishing,” and how to avoid such schemes. Statement stuffers and web site notices may convey messages such as the following, which are listed in the guidance:

  • A financial institution’s web page should never be accessed from a link provided by a third party, but only by typing the web site name, or URL address, into the web browser or by using a “bookmark” that directs the web browser to the financial institution’s web site.
  • A financial institution should not send e-mail messages that request confidential information, e.g., account numbers, passwords or PINs, and its customers should be reminded to report any such requests to the institution.
  • Financial institutions should maintain current web site certificates and describe how the customer can authenticate the institution’s web pages by checking the properties on a secure web page.

Financial institutions may refer customers to or use resources distributed by the Federal Trade Commission (FTC) to explain the red flags and risks of phishing and identity theft, including the following FTC brochure: How Not to Get Hooked by the ‘Phishing’ Scam (published July 2003 and available at http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm).

IV. MITIGATION OF RISKS

The FDIC also advises that in mitigating risks associated with e-mail and Internet-related fraudulent schemes, financial institutions should implement appropriate information security controls as described in the FFIEC “Information Security Booklet.” Specific actions included in the guidance are:

  • Improving authentication methods and procedures to protect against the risk of user ID and password theft from customers through e-mail and other frauds (see also FDIC FIL-69-2001, Authentication in an Electronic Banking Environment, which is covered in a separate article in the NBA Compliance Handbook, Volume I, Bank Security Section);
  • Reviewing and, if necessary, enhancing practices for protecting confidential customer data;
  • Maintaining current web site certificates and describing how customers can authenticate the financial institution’s web pages by checking the properties on a secure web page;
  • Monitoring accounts individually or in the aggregate for unusual account activity such as address or phone number changes, a large or high volume of transfers and unusual customer service requests;
  • Monitoring for fraudulent web sites using variations of the financial institution’s name;
  • Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious e-mail messages; and
  • Training customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.
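The guidance’s item on monitoring for fraudulent web sites that use variations of the institution’s name can be reduced to a routine check over a feed of newly seen domains. The following is an added example, not code from FIL-27-2004 or the NBA handbook; the institution domain "examplebank.com" and the candidate list are constructed placeholders, and the public-suffix handling assumes a simple single-label TLD.

```python
# Added example: flag domains that look like variations of an institution's name.
# "examplebank.com" and CANDIDATES below are constructed placeholders, not real sites.

# Character substitutions commonly seen in look-alike names, collapsed before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "-": ""}

def normalize(label: str) -> str:
    """Lower-case a domain label and fold look-alike characters to their plain form."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def registrable_label(domain: str) -> str:
    """Return the label just left of the TLD (assumes a one-label public suffix)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(institution: str, candidate: str, max_edits: int = 2):
    """Explain why `candidate` resembles `institution`, or return None if it does not."""
    ref = normalize(registrable_label(institution))
    cand = normalize(registrable_label(candidate))
    if cand == ref:
        return "look-alike characters or different TLD"
    if ref in cand:
        return "institution name embedded in a longer name"
    if edit_distance(ref, cand) <= max_edits:
        return "typo within %d edits" % max_edits
    return None

def flag_lookalikes(institution: str, candidates):
    """Return (domain, reason) pairs for every candidate that resembles the institution."""
    hits = []
    for domain in candidates:
        if domain.lower() == institution.lower():
            continue  # the institution's own domain is never a finding
        reason = lookalike_reason(institution, domain)
        if reason:
            hits.append((domain, reason))
    return hits

# Constructed sample feed, e.g. from a newly-registered-domain list (assumed data source).
CANDIDATES = ["examplebank.com", "exarnplebank.com", "examplebank.net",
              "examplebank-secure-login.com", "exampelbank.com", "communitycreditunion.org"]
```

Flagged domains are leads for the security staff to review, not proof of fraud; a legitimate subsidiary or partner may also match.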

V. REPORTING FRAUDULENT ACTIVITIES

The guidance advises that a financial institution should promptly notify its FDIC Regional Office and appropriate authorities if an e-mail or Internet-related fraudulent scheme is detected. In addition, a financial institution should also report the incident to the appropriate law enforcement agencies and file a Suspicious Activity Report. Any information about possible fraudulent schemes may also be forwarded to the FDIC’s Special Activities Section, 550 17th Street, N.W., Room F-4040, Washington, D.C. 20429 or transmitted electronically to alert@fdic.gov.
