21 October 2005

Phishing: The Takedown...

Why Phishing Incident Response Plans May Not Be Optional.

The Treasury Department’s Office of the Comptroller of the Currency issued a bulletin in July that outlines the steps banks should take to mitigate the risks of phishing. Among other things, national banks were told they must file suspicious activity reports, or SARs, if they are the target of a spoofing incident.

Last December, the Federal Deposit Insurance Corp. issued guidelines for how financial institutions can mitigate phishing risks. The document warns that “the financial service industry’s current reliance on passwords for remote access to banking applications offers an insufficient level of security” and describes better options, such as two-factor authentication.

Phishing, as an operational risk to an institution, requires effective deterrence as well as detection. These comments from a recent article at CSO Online paint the picture of why a takedown is a necessary response to a phishing incident.

The Takedown
The window of opportunity for a phisher is the time between when a phishing e-mail goes out and when the fraudulent website collecting information is taken down. Left unchecked, a phishing site may stay up for days or even weeks, as information trickles in from dawdling customers who've fallen for the scam. A good takedown process can slam that window shut within hours.

Nowadays, the attempt to do a takedown is standard fare—so standard, in fact, that the Treasury Department's Office of the Comptroller of the Currency has issued guidelines about the steps banks should take to disable spoofed websites. (Takedown, which essentially just relocates the problem, may be the only defense that the targeted company has. Prosecutions of phishers have been next to nonexistent, due to the difficulty of tracing how personal information has been captured, sold and exploited.)

As this article mentions, there are several very reputable firms who can assist you with the takedown. It may be even more important to have a 24x7 detection service monitoring the Internet for new spoofed web sites as they pop up, so that you are ready when the barrage of spam e-mail aimed at your unsuspecting consumers hits the net. For more information on this, see Cyveillance.

Another important note is the PR and communications crisis management that is necessary to keep customers informed, to keep the public aware of your Anti-Phishing strategy, and more. You see, at the end of the day 99% of online banking customers won't leave you because you had an incident. They will leave you if you don't handle the response correctly.
