

BS&T Staff

OCC Issues Guidance On Web Spoofing

When a bank gets "phished" or "pharmed," what's the next step?

The Office of the Comptroller of the Currency (OCC) has issued guidance on how banks should mitigate risks to themselves and to customers from "Web-site spoofing," and how to help law enforcement authorities with their investigations.

Following are some of the takeaways from the OCC guidance.

First, the procedures that a bank should establish in advance of a spoofing incident:

  • Assign certain bank employees responsibility for responding to an incident.
  • Determine an incident response protocol with outsourcing vendors, and integrate their procedures with internal procedures.
  • Establish contacts with the FBI and local law enforcement authorities in advance of any spoofing incident.
  • Use customer education programs, such as statement stuffers and Web-site alerts, to explain Internet-related scams and safe computing practices.

Best practices in incident detection and information gathering:

  • Monitor returned e-mail, Web-server logs, and call center traffic for indicators of spoofing attacks.
  • Search the Internet for unauthorized identifiers associated with the bank.
  • Provide telephone contact numbers for customers to report phishing incidents.
  • Collect information about each spoofing incident, including how it was discovered, copies of the e-mail received, the IP address of the spoofed site, the Web-site address and registration information, and the geographic location of that IP address.
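The log-monitoring item above does not say which indicators to look for. One indicator commonly used for this purpose, shown here as an added example rather than anything taken from the OCC guidance or the article, is a cloned login page that hotlinks the bank's own images and stylesheets: the victim's browser then fetches those assets from the real bank with a Referer header naming the fraudulent site. The log lines, the bank host names (examplebank.com) and the foreign domain below are all constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2005:10:01:02 -0400] "GET /img/logo.gif HTTP/1.1" 200 5120 "https://www.examplebank.com/login" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2005:10:01:05 -0400] "GET /img/logo.gif HTTP/1.1" 200 5120 "http://examplebank-secure-login.example.net/verify.php" "Mozilla/5.0"
198.51.100.12 - - [10/Jul/2005:10:01:07 -0400] "GET /css/site.css HTTP/1.1" 200 880 "http://examplebank-secure-login.example.net/verify.php" "Mozilla/5.0"
203.0.113.8 - - [10/Jul/2005:10:02:00 -0400] "GET /img/logo.gif HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields of the combined log format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

BANK_HOSTS = {"www.examplebank.com", "examplebank.com"}  # assumed legitimate hosts (placeholders)
ASSET_PREFIXES = ("/img/", "/css/")                       # static assets a cloned page would hotlink


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def foreign_referers(log_text, bank_hosts=BANK_HOSTS, asset_prefixes=ASSET_PREFIXES):
    """Count static-asset requests whose Referer host is not one of the bank's own hosts.

    Requests with no Referer ("-") are skipped: they are direct requests or had the
    header stripped by a proxy or browser setting, so they are not evidence either way.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(asset_prefixes):
            continue
        if rec["referer"] == "-":
            continue
        host = urlsplit(rec["referer"]).hostname
        if host and host.lower() not in bank_hosts:
            hits[host.lower()] += 1   # one more asset fetch attributed to a foreign page
    return hits


if __name__ == "__main__":
    for host, count in foreign_referers(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {host}")
```

A host that appears here is a lead for the information-gathering steps that follow, not proof of spoofing: a Referer can be absent or forged, and legitimate partners or caching proxies also show up as foreign hosts, so the result should be reviewed against an allow-list before anyone is contacted.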

Finally, the key steps to take in response to an incident:

  • Communicate promptly with the ISP hosting the fraudulent Web site.
  • Contact the domain name registrars.
  • Obtain a subpoena to identify the owners of the domain from the ISP.
  • Work with law enforcement and other anti-phishing channels.

Read the full OCC bulletin.
