East Carolina University
 
Computing@ECU
Security Alerts





Online Banking Security Measures

ECU ITCS Security Alert: Online Banking Phishing Scheme
Date: Tuesday, January 12, 2010

WARNING! The FBI has issued an alert about an online banking phishing scheme that targets both business and personal bank accounts. The victim receives an email that either carries an infected attachment or links to an infected website. Opening the attachment or visiting the site installs malware on the computer. The malware includes a key logger that captures the user's business or personal online banking credentials. Shortly afterward, the attacker either creates an additional user account on the banking system with the stolen credentials or initiates fund transfers directly while masquerading as the legitimate user. These transfers have been made both as traditional wire transfers and as Automated Clearing House (ACH) transfers.

A public school district in Pennsylvania lost $700,000 in a two-day attack. A county government in Kentucky lost $415,000. A New York school district lost $3 million, of which $500,000 remained unrecovered as of January 6, 2010.

This phishing scheme is extremely difficult to detect, because the user is never asked to provide any personal or financial information. The damage is done the moment the user opens the infected attachment or visits the infected website. It is therefore critically important to avoid opening unsolicited attachments and clicking web links from unverified sources.

NEVER provide personal or sensitive information in response to any unsolicited e-mail. Do not open unsolicited e-mail attachments. No matter how realistic or enticing the message, remain vigilant and do not respond to an e-mail hoax or scam. Just delete it!

Departments that conduct online banking should institute additional security measures:

  1. Make certain that systems used in performing financial transactions are protected by strict technical controls and receive periodic validation.
      
  2. Implement processes that require all online banking operations to be conducted on special-use computers used SOLELY for banking transactions. No other use of the machine should be permitted: no e-mail, no web browsing, no general-purpose business use, nothing but institutional online banking transactions. Contact the IT Help Desk at 328-9866 for additional information on this option.
      
  3. Make certain that personnel involved in performing online financial transactions have the necessary security awareness and training. Those persons should receive targeted training on phishing and this threat. Contact the IT Help Desk at 328-9866 to request training.
      
  4. Have written policies defining the controlled environment in which online banking transactions can be conducted, e.g. what systems can be used, how they must be maintained, required personnel training, etc.  
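The following script is an added example of what the "strict technical controls" and "periodic validation" in items 1 and 2 can look like on a dedicated banking machine; it is not ECU's tooling and the alert itself prescribes no specific implementation. It checks that the host's outbound firewall only permits loopback, DNS to a resolver, and HTTPS to the bank, and that no mail client or office suite is installed. The bank and resolver addresses are placeholders from the RFC 5737 documentation ranges, the forbidden-package list is an assumption, and every ruleset and package inventory below is a constructed sample.

```shell
#!/bin/sh
# Added example (not ECU's tooling): periodic validation checks for a
# dedicated online-banking workstation. Two controls are verified:
#   1. egress filtering: only the bank and a resolver are reachable;
#   2. no general-purpose software (mail clients, office suites) installed.
# All inputs below are constructed samples; the addresses are RFC 5737
# documentation ranges standing in for the bank's real front ends.

BANK_NET="203.0.113.0/24"     # assumed placeholder for the bank's address block
DNS_SERVER="192.0.2.53"       # assumed placeholder for the institutional resolver

# Packages that have no business on a banking-only machine (assumed list;
# the browser itself is needed for banking and is therefore allowed).
FORBIDDEN_PKGS="thunderbird evolution mutt libreoffice-core pidgin"

# check_egress RULES
# RULES is the text of an iptables-save dump. Returns 0 only if the OUTPUT
# chain's default policy is DROP and every ACCEPT rule is loopback, DNS to
# the resolver, or HTTPS to the bank. Anything else (an opened port 80, an
# SMTP rule) fails the check. Wildcards tolerate "-m tcp"/"-m udp" tokens.
check_egress() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' || return 1
    printf '%s\n' "$rules" | grep '^-A OUTPUT' | grep 'ACCEPT' |
    while read -r line; do
        case "$line" in
            *"-o lo "*) ;;
            *"-d $DNS_SERVER/32 "*"--dport 53 "*) ;;
            *"-d $BANK_NET "*"--dport 443 "*) ;;
            *) exit 1 ;;   # exits only the pipeline subshell, failing the check
        esac
    done
}

# check_packages LIST
# LIST is one installed package name per line (dpkg-query -W -f '${Package}\n').
# Returns 1 if any forbidden package is present.
check_packages() {
    pkgs="$1"
    for p in $FORBIDDEN_PKGS; do
        printf '%s\n' "$pkgs" | grep -Fqx "$p" && return 1
    done
    return 0
}

# validate_host RULES LIST: both checks must pass.
validate_host() {
    check_egress "$1" && check_packages "$2"
}

# ---- constructed samples ----
GOOD_RULES='*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.0.2.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Same policy, but someone "temporarily" allowed general web browsing.
BAD_RULES='*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.0.2.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

GOOD_PKGS='ca-certificates
firefox-esr
openssh-client'

BAD_PKGS='ca-certificates
firefox-esr
thunderbird'

# Stand-alone run: report on the constructed samples.
if validate_host "$GOOD_RULES" "$GOOD_PKGS"; then echo "baseline host: PASS"; fi
if ! validate_host "$BAD_RULES" "$BAD_PKGS"; then echo "drifted host: FAIL (as expected)"; fi
```

On a real machine the two inputs would come from `iptables-save` and `dpkg-query -W -f '${Package}\n'` (or the equivalents for the platform in use), with the script run from cron and its failures reported to whoever owns the written policy in item 4. The point of the check is drift detection: a banking-only host stays banking-only because something verifies it, not because someone promised it would.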

Additional External Resources (You are leaving IT Security and accessing an external website when you click the links below):

[1] Additional information concerning this warning
http://www.ren-isac.net/alerts/banking-attacks_20100111.html

[2] The Growing Threat to Business Banking Online
http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html

[3] FBI investigating online New York school district theft
http://www.computerworld.com/s/article/9143144/FBI_investigating_online_New_York_school_district_theft
