Phishing scams using FFIEC deadline to dupe financial customers

CSOs and governance officers aren't the only ones studying up on compliance regulations. Phishers are also getting governance-savvy, sending bogus emails that pretend to bring customers in line with new guidelines for financial organizations.

In the emails, phishers urge victims to sign up for a new, two-factor authentication code, according to SecureWorks, which said it has spotted numerous scams using the ploy.

The scammers ask customers to provide account and PIN numbers to register for a dual authentication code. The scam email even tells potential victims that a code is required by the Federal Financial Institutions Examination Council (FFIEC).

Erik Petersen, vice president of professional services for SecureWorks, told SCMagazine.com today that the spoofs are "very well done. They seem to understand the federal agency supervision of banking and financial institutions, and they're using that against the banks and against the customer."

"We would advise a client that (this scam) is likely to have a higher yield rate, meaning it's more likely to get some people to put in their credentials," he said. "All of these schemes are meant to look like something that's authentic."

The FFIEC has urged financial institutions to have improved security hurdles in place by the end of the year.

In August, the FFIEC sent out a seven-page guide to frequently asked questions, addressing security measures that financial institutions should implement to reliably authenticate customers.

The guidelines are not considered regulations, in that they allow financial firms to decide how they want to place more levels of authentication on existing systems, but the FFIEC does expect heightened risk assessment and risk mitigation features to be implemented by the end of the year.

Petersen said financial institutions generally do not use authentication codes such as those asked for in the spoof emails.

"Most are using something like a site key or something that just authenticates the site back to the user, and it's usually done during the enrollment period," he said. "The typical client isn't very aware of that."

Click here to email Frank Washkuch Jr.
