On Tuesday, a consortium of banks published a framework for reducing phishing risks that consumers face. The framework helped three large banks reduce scam reports by an average of 50%, according to the group.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) detailed the framework in
When it released the report, the consortium reiterated its stance that phishing — like cybercrime and other issues on which the group focuses — is best tackled by the industry collectively, through "shared knowledge and coordinated intelligence," according to Linda Betz, executive vice president of global community engagement at FS-ISAC.
"Phishing has become a global epidemic affecting millions, yet by working together, financial firms can develop highly effective defenses," Betz said in
The chief information security officer at PNC Bank, Susan Koski, endorsed the report, saying the framework provides "concrete steps for helping to reduce phishing incidents" and can help banks adapt to novel phishing strategies.
The four actions against phishing
The report focuses on four essential actions. The first is collecting and sharing intelligence. This involves creating a simple reporting process that customers can use to report phishing attacks quickly and effectively. These processes should ensure the bank obtains key pieces of information about the phishing scam or fraud that affected or threatened the customer — transaction details, email addresses, phone numbers, dates and times of interactions with the scammer, and more.
The second action is educating employees and customers about phishing tactics used against them. The bank can analyze phishing attacks that target its customers to tailor this education to the institution, and it can involve insights gained from phishing analysis shared by FS-ISAC and its members.
The third action is cataloging communication channels. Keeping tabs on what telephone numbers and email domains a bank or its third-party partners use to contact customers directly can ensure the bank takes anti-spoofing measures to protect these channels.
The fourth action is implementing anti-phishing technology, which often involves working with telecommunication companies. As an example, if a bank has a phone number that is only used for inbound calls — never for outbound calls — the bank can register that phone number with Do Not Originate registries, which ensure that telcos that use those registries never transmit calls purporting to come from the numbers in those registries.
Technological solutions to phishing
The report details many technological solutions designed to mitigate phishing, with a focus on how to prevent customers from receiving calls and texts that appear to come from the bank. Betz said this emphasis "underscores the increasing use of these channels to conduct phishing attacks."
While banks cannot control every strategy that scammers use to pretend to be a consumer's bank, there are ways to mitigate the most brazen schemes.
One example of a brazen scheme is caller ID spoofing: placing a call and making it appear to the recipient as though it comes from a phone number the bank uses. As previously mentioned, Do Not Originate registries can mitigate this.
Other technologies for mitigating voice call phishing also exist. STIR/SHAKEN is a framework for authenticating caller ID that the Federal Communications Commission
Besides mitigating spoofed phone calls, banks can also go after websites that target their customers (whether through impersonating the real site or otherwise) by reporting them to Google, according to Al Pascual, CEO and co-founder of scam protection service Scamnetic.
Both Google
Many of the standard practices that consumers can follow and banks can recommend to secure accounts also apply, according to Teri Williams, president and chief operating officer of OneUnited Bank. This includes protecting consumer accounts with multi-factor authentication. Indeed, multi-factor authentication is required by both
"Banks can also encourage customers to create push notifications and/or alerts when funds are withdrawn or purchases are made," Williams said. "Although these notifications are 'after the fact,' they can reduce the damage if phishing has occurred."
An abuse box, for consumer reports of phishing
One of the key recommendations in the FS-ISAC paper is that banks ought to create an "abuse box" — a means for consumers to report attempted scams. This could be an online form, a dedicated inbox (such as abuse@bank-website.com), or any other intake method the bank deems appropriate. The bank should then prominently advertise that form or email address so consumers know to report suspicious emails, texts, calls, or other phishing attempts.
The point of the abuse box is to collect phishing reports from consumers in a direct, centralized manner. This provides the bank with intel on threats facing customers, which can then be shared and combined with data from the bank's fraud, cybersecurity, and risk teams as needed.
The FS-ISAC report recommends that banks should "design abuse box infrastructure and training programs that maximize the insights and make it easy to share the information." The data that the bank aggregates between its teams and the information it receives from the abuse box can help it implement "preventative actions," such as the reporting previously mentioned.
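To make the channel catalog and abuse-box ideas concrete, here is a small Python example, added here and not taken from the FS-ISAC report or from any bank's systems. It takes the kind of report an abuse box collects (channel, claimed sender, timestamp, details), normalizes the sender, checks it against a catalog of the bank's official outbound phone numbers and email domains, and aggregates the findings into the per-category counts a fraud, cyber or risk team would share. The bank name, numbers, domains and the sample reports are all constructed; the phone normalizer handles North American numbers only and the lookalike-domain check is a deliberately simple heuristic.

```python
"""Added example: abuse-box intake triage against a catalog of official channels.
Not the FS-ISAC report's code; all catalog entries and reports are constructed."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical catalog of channels the bank (and its vendors) use to contact
# customers: phone numbers in E.164 form, email domains in lowercase.
OFFICIAL_PHONES = {"+18005550100", "+18005550101"}
OFFICIAL_EMAIL_DOMAINS = {"bank-example.com", "alerts.bank-example.com"}
# Numbers that only take inbound calls and never originate one (candidates for a
# Do Not Originate registry): a customer reporting a call "from" one is seeing spoofing.
INBOUND_ONLY_PHONES = {"+18005550101"}


@dataclass
class AbuseReport:
    channel: str                # "call", "sms" or "email"
    sender: str                 # number or address exactly as the customer saw it
    received_at: str            # timestamp supplied by the customer (ISO 8601)
    details: str = ""           # free text: what was asked, transaction details, etc.
    findings: List[str] = field(default_factory=list)


def normalize_phone(raw: str) -> Optional[str]:
    """Reduce a North American number to E.164 (+1NNNNNNNNNN); None if it cannot be parsed."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    return None


def email_domain(raw: str) -> Optional[str]:
    """Return the lowercased domain of an email address, or None if malformed."""
    m = re.fullmatch(r"\s*[^@\s]+@([^@\s]+)\s*", raw)
    return m.group(1).lower() if m else None


def brand_tokens() -> set:
    """Second-level labels of the official domains, hyphens removed ('bank-example.com' -> 'bankexample')."""
    return {d.split(".")[-2].replace("-", "") for d in OFFICIAL_EMAIL_DOMAINS}


def triage(report: AbuseReport) -> AbuseReport:
    """Compare the claimed sender with the channel catalog and record findings:
    spoofed_official_channel, inbound_only_number_used, lookalike_domain,
    unknown_channel, or unparseable_sender (needs manual review)."""
    if report.channel in ("call", "sms"):
        phone = normalize_phone(report.sender)
        if phone is None:
            report.findings.append("unparseable_sender")
        elif report.channel == "call" and phone in INBOUND_ONLY_PHONES:
            report.findings += ["spoofed_official_channel", "inbound_only_number_used"]
        elif phone in OFFICIAL_PHONES:
            report.findings.append("spoofed_official_channel")
        else:
            report.findings.append("unknown_channel")
    elif report.channel == "email":
        domain = email_domain(report.sender)
        squashed = re.sub(r"[.-]", "", domain) if domain else ""
        if domain is None:
            report.findings.append("unparseable_sender")
        elif domain in OFFICIAL_EMAIL_DOMAINS:
            report.findings.append("spoofed_official_channel")
        elif any(tok in squashed for tok in brand_tokens()):  # simple lookalike heuristic
            report.findings.append("lookalike_domain")
        else:
            report.findings.append("unknown_channel")
    else:
        report.findings.append("unparseable_sender")
    return report


def summarize(reports: List[AbuseReport]) -> Dict[str, int]:
    """Aggregate triaged reports into counts per finding, the shape of intel a bank
    would combine with its fraud and cyber data or share with peers."""
    counts: Counter = Counter()
    for r in reports:
        counts.update(r.findings)
    return dict(counts)


# Constructed sample reports, as an abuse box might receive them.
SAMPLE_REPORTS = [
    AbuseReport("call", "(800) 555-0101", "2024-01-15T09:12:00", "Caller asked for a one-time passcode"),
    AbuseReport("sms", "800-555-0100", "2024-01-15T10:40:00", "Link to 'unlock' the account"),
    AbuseReport("email", "security@bank-example-secure.com", "2024-01-16T08:03:00", "Asked to verify card"),
    AbuseReport("email", "alerts@alerts.bank-example.com", "2024-01-16T11:30:00", "Fake wire confirmation"),
    AbuseReport("sms", "213-555-0199", "2024-01-17T14:20:00", "Parcel fee scam"),
    AbuseReport("call", "unknown", "2024-01-17T16:00:00", "Caller withheld their number"),
]


def run_sample() -> Dict[str, int]:
    """Triage the constructed reports and return the aggregated counts."""
    return summarize([triage(r) for r in SAMPLE_REPORTS])


if __name__ == "__main__":
    for finding, n in sorted(run_sample().items()):
        print(f"{finding:28s} {n}")
```

Reports that match an official channel are the ones worth escalating to the telco or email-provider measures the article describes (Do Not Originate registration for inbound-only numbers, anti-spoofing on the official domains); "unknown_channel" reports still feed the intelligence picture, and "unparseable_sender" flags the intake form for a follow-up question rather than silently dropping the report.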