I. INTRODUCTION
In order to provide further guidance to financial institutions on how to respond to incidents of website spoofing from fraudulent websites, the Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2005-24 (July 1, 2005). The Bulletin discusses procedures that institutions may implement to mitigate their own risks and risks to customers by detecting and responding to website spoofing. The Bulletin also identifies the kind of information institutions may give to law enforcement in order to assist in an investigation of such illegal activities. While the Bulletin expands upon OCC Alert 2003-11 (September 12, 2003), entitled “Customer Identity Theft: E-mail-Related Fraud Threats”, it is a useful publication for all financial institutions as guidance on how to address website spoofing issues.
The OCC Bulletin defines website spoofing as “a method of creating fraudulent websites that look similar, if not identical, to an actual site, such as that of a bank.” A customer will be directed to these spoofed websites through “phishing” or “pharming” schemes. Typically, phishing involves sending e-mails to consumers that direct them to provide confidential information at a spoofed website, while pharming redirects customers to a spoofed website rather than the actual website. When a customer reaches the spoofed website, the person is asked to submit information (e.g., internet banking username and password, credit card information, or other information allowing a fraudster to use the customers’ accounts to commit fraud or steal the customers’ identities). Spoofing exposes a financial institution to strategic, operational and reputational risks; jeopardizes customer privacy; and exposes an institution and its customers to financial fraud risks.
II. PROCEDURES TO ADDRESS SPOOFING AND MITIGATE RISKS
Website spoofing risks may be mitigated by implementing the “identification and response procedures” discussed in the Bulletin. Spoofing incidents may also be minimized if designated employees are trained appropriately and assigned responsibility for responding to incidents. If internet activities are maintained by a third-party provider, a financial institution may address risk concerns by contractually requiring the provider to follow appropriate procedures for detecting and reporting spoofing incidents. The Bulletin advises that a service provider’s response process must be integrated with an institution’s own internal procedures.
Response procedures may also be improved by establishing contacts with the FBI and local law enforcement (involving the departments and officials responsible for investigating computer security incidents) before a spoofing incident occurs. Such procedures should include appropriate time frames for seeking law enforcement involvement, and should take note of the nature and type of information and resources that may be available to an institution, as well as the ability of law enforcement to act rapidly to protect the institution and its customers. Customer education programs should also be used to minimize some spoofing attack risks (e.g., statement stuffers and website alerts on internet-related scams, such as fraudulent e-mails and website phishing attacks). Since some attacks may exploit web browser or operating system vulnerabilities, customers should be reminded of the importance of safe computing practices.
III. DETECTION AND INFORMATION GATHERING
Website spoofing detection may be improved if an institution monitors the appropriate available information, using the following list of possible indicators:
Spoofing can also be detected by searching the Internet for identifiers associated with the institution (e.g., the name of a company or institution). Search engines and other tools are available to monitor websites, bulletin boards, news reports, chat rooms, newsgroups and other forums to identify usage of a specific company or financial institution name. Searches may find recent registrations of domain names similar to an institution’s domain name (see OCC Alert 2000-9, “Protecting Internet Addresses of National Banks”, July 19, 2000). Monitoring may be done in-house, or an institution can contract with third parties for such services.
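The search for recently registered domain names that resemble the institution's own, described above, can be automated by screening a registration feed against the institution's domain. The following is an added example and is not part of the OCC Bulletin or of this article; the institution domain examplebank.com, the list of "newly registered" domains and the small homoglyph table are all constructed for illustration. It goes slightly beyond the text by flagging several kinds of resemblance (other TLDs, embedded names, common typosquat forms, and small edit distances) so that an analyst can see why each domain was flagged.

```python
# Added example (not from the OCC Bulletin): screen newly registered domains
# for resemblance to an institution's own domain, the kind of monitoring the
# detection section describes. All domains below are constructed.

INSTITUTION_DOMAIN = "examplebank.com"   # constructed stand-in for the real domain

# Small illustrative table of characters that look alike in an address bar.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"],
              "m": ["rn"], "e": ["3"], "a": ["4"]}


def registrable_label(domain):
    """Return the second-level label ('examplebank' for 'www.examplebank.com').
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Classic edit distance via the row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_variants(label):
    """Common typosquat forms of a label (omission, transposition, hyphen
    insertion, homoglyph substitution), used only as a match list."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                          # omission
        if i < len(label) - 1:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
            variants.add(label[:i + 1] + "-" + label[i + 1:])             # hyphenation
        for sub in HOMOGLYPHS.get(label[i], []):
            variants.add(label[:i] + sub + label[i + 1:])                # homoglyph
    variants.discard(label)
    return variants


def classify_domain(candidate, institution=INSTITUTION_DOMAIN):
    """Return a short reason if candidate resembles the institution, else None."""
    inst_label = registrable_label(institution)
    cand = candidate.lower()
    cand_label = registrable_label(cand)
    if cand == institution.lower():
        return None                                   # the institution itself
    if cand_label == inst_label:
        return "same label, different TLD"
    if inst_label in cand_label:
        return "contains institution name"
    if cand_label in lookalike_variants(inst_label):
        return "typosquat variant"
    if levenshtein(cand_label, inst_label) <= 2:
        return "edit distance <= 2"
    return None


def screen_registrations(registrations, institution=INSTITUTION_DOMAIN):
    """Reduce a feed of new registrations to (domain, reason) pairs worth review."""
    hits = []
    for domain in registrations:
        reason = classify_domain(domain, institution)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample of "newly registered" domains, as a zone feed might list them.
NEW_REGISTRATIONS = [
    "examplebank.com",          # the institution itself: ignored
    "examplebank.net",          # same name, other TLD
    "examp1ebank.com",          # homoglyph: digit 1 for l
    "exampelbank.com",          # transposed letters
    "examplebank-secure.com",   # institution name embedded
    "example-bank.com",         # hyphen inserted
    "gardening-tips.org",       # unrelated registration
    "exanplebank.com",          # one substitution: edit distance 1
]

if __name__ == "__main__":
    for domain, reason in screen_registrations(NEW_REGISTRATIONS):
        print(f"{domain:28} {reason}")
```

Each flagged domain carries the rule that matched it, which is the detail a reviewer needs when deciding whether to open a case or pass the registration to counsel; the unrelated domain and the institution's own name are left out of the output.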
Customers and consumers can also alert an institution to web spoofing. To assist detection, an institution should provide prominent links on its web pages, or telephone contact numbers, so that persons can easily report phishing or other fraudulent activities. Customer-service personnel should be trained to identify and report such notices or calls.
If an institution finds that it is the target of a spoofing incident, it should collect available information that will help to identify and shut down the fraudulent website, determine whether customer information has been obtained, and assist law enforcement with an investigation. The Bulletin provides a list of useful information to collect with the assistance of information technology specialists or service providers:
IV. SPOOFING INCIDENT RESPONSE
For an effective response to spoofing incidents, the Bulletin calls for established, structured and consistent procedures that are designed to close fraudulent sites, obtain identifying information from a spoofed website to protect customers, and preserve evidence for any law enforcement investigation. Steps to disable a spoofed website and recover customer information (some of which require the assistance of legal counsel) include:
Note: The Digital Millennium Copyright Act of 1998, found at 17 U.S.C. § 512(h) (2003), allows a firm to request a U.S. district court clerk to issue an administrative subpoena to an ISP to compel it to disclose the identity of an ISP’s subscriber who is allegedly infringing on the name or trademark of the firm (the procedure also allows financial institutions to request confiscation of servers that may contain illegally obtained customer account information).
Other actions and types of legal documents may be used in response to a spoofing incident:
NOTE: The ACCPA provides for prompt injunctive relief without the need to demonstrate a similarity or likelihood of confusion between the goods or services of the parties.
V. CONTACT THE OCC AND LAW ENFORCEMENT AUTHORITIES
An institution that is the target of a spoofing incident should promptly notify its primary federal regulatory agency and report the incident to the FBI and to appropriate state and local law enforcement authorities. A Suspicious Activity Report (SAR) must be filed for computer intrusions and other computer crimes [e.g., see 12 C.F.R. 21.11; OCC Bulletin 2000-14, Infrastructure Threats – Intrusion Risks (May 15, 2000); and Advisory Letter 97-9, Reporting Computer Related Crimes (November 19, 1997)]. An institution may also file complaints with the Internet Fraud Complaint Center (see http://www.ic3.gov/default.aspx), which is an FBI and National White Collar Crime Center partnership.
As previously noted in Paragraph III of this article, law enforcement authorities will need information and other computer-related data to identify and shut down a fraudulent website and to investigate and apprehend the persons responsible.
See http://www.consumer.gov/idtheft for additional information on how the FTC may assist in combating phishing and spoofing.