Incident Response Plans : Why Your Organization Needs One!

Phishing is an effort on the part of criminals to obtain personal information over the Internet through fraudulent means. These scammers are specifically looking for usernames, passwords, and credit card or bank information. They send email messages or instant messages to their victims, trying to direct them to a fake version of a real website. When people are deceived into entering their sensitive information, the scammer takes their information and can steal their money and identity or commit other fraudulent activities.

Why should financial institutions care about phishing attacks aimed at their customers? There are several reasons. First, phishing is a genuine threat, not only to their customers, but to their company as well. Financial institutions are targeted more often than any other business. It is estimated that over 90% of phishing attacks are aimed at customers of banks and credit card companies. The numbers have been rising, too. In 2006, 2.3 million people were victims; the number increased to 3.6 million in 2007. Of these statistics, smaller institutions are phished more often than larger ones, because they are a more lucrative target due to the expense of adequate security measures.

Banks and other financial companies should have a plan to address the case of a scammer phishing for information. No bank would be able to operate without a plan of escape in the case of a fire. Most banks have a button that alerts the police to a robbery. These situations place the bank in a precarious position-they could quickly escalate to a major emergency. Similarly, if banks do not have an incident response plan, a successful phishing attack could quickly lead to a catastrophe.

Phishing attacks are designed to work quickly. After a person enters his or her information into a website, it only takes minutes for the scammers to use it to their own benefit. Often this will happen automatically-the scammer has an automated withdrawal of information or funds, and the phished website will then redirect the victim back to the real website. In a fire, if there is no organized plan of escape, by the time everyone figures out what to do, it may be too late. The same result is true in a case of phishing: if an employee does not already know how to respond, in the amount of time necessary to find the correct phone numbers to call or the proper procedures to follow, the scammer may already have stolen thousands of dollars and disappeared.

It is a fact that people will talk to others about the bad things that happen in their lives. If several friends say that they have been fooled by phishing from a particular financial institution, others may be more likely to do their business elsewhere. Many community banks rely on customer satisfaction and customer referrals to sustain their existence. If they have even two or three major phishing problems, their very survival may be at stake. For the sake of growing their businesses and staying afloat, financial organizations must do everything possible to protect their customers.

Perhaps the most important reason that banks, credit unions, and other financial establishments should have an incident response plan in place is that they are required by Federal Examiners!

Although many smaller financial institutions may think that, in spite of the good that can come from an incident response plan against phishing attacks, the programs to combat phishing are still too expensive for them. Most of the programs, however, are designed for preventative maintenance. An incident response plan simply requires employees of the financial organization to be educated to recognize warning signs of a phishing attack. If they cannot close the phishing site personally, they need a list of companies and professionals and contact information to enable them to call someone who can shut down the site. Because the effort is so minimal, every financial institution, no matter how big or small, should have an incident response plan.