Home » Data Protection » Malware/Cybercrime

Death to Phishing

What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.

One quiet Monday in July 2004, at the height of the summer vacation season, a call center representative at a midsize U.S. financial institution answered a peculiar call.
The customer on the line was suspicious of an e-mail she had received from the bank.

The e-mail contained a link to a website where the customer was asked to enter her debit card number, card expiration date, PIN and e-mail address. But the message was full of typos and grammatical errors, and it didn't seem quite right for the bank to request that information.

The call set off a confused chain reaction. The customer forwarded the e-mail to the call center representative, who forwarded it to the call center manager. The manager sent it to someone in the online banking department, who forwarded it to her upper management and to the corporate security department. By the time the e-mail made its way to information security, there were several screens of forwarding information above the original message.

Of course, you've figured out that the e-mail was not from the bank at all, nor was the first curious caller its only recipient. The e-mail was a crude phishing attack. At bank headquarters, chaos erupted. The call center was slammed with inquiries from customers who had submitted their information to the fake website, then had misgivings and picked up the phone.

As word of the spoofed e-mail and website spread throughout the bankâ¬we'll call it Bank XYZ, which agreed to share its story on the condition of anonymityâ¬one frantic phone call led to another. What could the bank do? Employees couldn't send customers an e-mail that would only confuse matters. They didn't want to issue a public statement that might cause panic. And they had no idea how many customers might have responded to the message but not called the bank. Within hours, the groups involved gathered on a conference line.

"You just want to put me back in that nightmare, don't you?" says information security analyst Tricia Jones (all bank employee names in this article are pseudonyms), when asked about the call. Roughly 25 or 30 people were on the line. They ranged from executives and attorneys to business-unit managers and technical people. One person called from a boat; another called from a six-hour drive back from vacation. The tension was palpable. Executives wanted to know how broad the attack was and its potential damage. The call center needed to know what to do for customers who had fallen for the scam. Some of the people on the line still didn't even know what phishing was.