The olive branch after the deluge of news about the JPMorgan data breach that exposed the personally identifiable information of 83 million customers was that no bank account information, or more sensitive personal information like Social Security numbers, had been compromised. What got lost in that torrent of stories was the fact that the information that did get exposed could unleash the mother of all phishing attacks.
All signs point to phishing. The hackers wormed their way into 90 servers. Their presence wasn’t discovered for weeks. Given the length of the infiltration and the fact that not one of the 83 million accounts affected got drained, it seems unlikely that theft of funds was the immediate goal of the breach. Large financial institutions are constantly on the lookout for that kind of frontal attack.
The more likely scenario is that we are watching a multi-layered crime unfold in real time.
Step One Is Over. What’s Step Two?
Much of the media coverage of the breach focused on the kind of information exposed—names, addresses, emails, phone numbers—as if that were good news, but in reality, it’s a disaster waiting to happen.
Increasingly, the most expeditious way to drain money from a bank account is to get permission from the person whose name is on it. An expert forgery of a bank email, text message, website or courtesy phone call to elicit account details can effectively make the victim an unwitting aider and abettor in the theft of his or her own savings or identity. And these phishing attacks are increasingly nuanced, making discernment from legitimate bank correspondence no easy matter. That, my friends, is Step Two.
Testing the Water
In August, JPMorgan reported a spate of phishing emails. What seemed like “just another attack” this summer may or may not have been connected to the JPMorgan breach, which spanned the months of June through August.
Recent news from Florida may be connected, too. AdaptiveMobile reported this week that about 2,000 SMS messages went out in the Palm Beach and Tampa areas. The message: “JPMorgan Chase Bank, N.A. notification: You have a new message regarding your Chase account. Please tap the link bellow to read it: http://tinyurl.com/[REDACTED]”
Cathal McDaid, head of data intelligence and analytics at AdaptiveMobile rightly points out that fraud employs a seemingly innocuous strategy. “If fraudsters have your name and phone number they can use that in a lot of damaging ways,” McDaid says.
Taking a Cue From Direct Marketers
Direct Marketing professionals will typically send out a “dry test” to see if whatever they are selling appeals to their target market. If they get a decent response—anywhere between .1% and 10%—they will either proceed to a “wet test” or go full bore. Fraudsters do the same thing with their target, often testing purloined information to see if it works. It can take the form of small charges on your credit card or debit card, or it can be as simple your unthinking reply to an SMS phisher. This easy-to-miss trial is often the only sign that an attack is imminent.
While it’s impossible to know for sure if the smishing attack in Florida is related to the JPMorgan breach, the best practice here is to hope for the best and assume the worst.
It’s also worth noting that JPMorgan was not the only bank attacked this summer. According to the Washington Post, nine financial institutions were also targeted. Indications thus far suggest those attacks were unsuccessful, but with around 1 billion records exposed since 2005, recent history seems to be trying to teach us not to take anything for granted.
Your Best Defense
As always, the 3 Ms are a good rule of thumb: minimize your exposure, monitor your accounts and manage the damage. Never authenticate yourself to anyone who contacts you by email, phone or in-person. Never click on links that appear to come from institutions or government entities claiming to take you to any site for you to provide personal information. Always call the customer service number on the back of your debit or credit card. Go to websites independently, type in the correct URLs and always ask yourself if the information you’re asked to provide is logical given the nature of the transaction you’re trying to complete.
You should also keep an eagle eye on your credit and finances. That means pulling your credit reports at least once each year at AnnualCreditReport.com, your credit scores frequently at free sites like Credit.com, your bank and credit card accounts daily and sign up for transactional monitoring programs offered by your financial institutions. Make yourself as hard to hit as possible. Change long and strong passwords and user names periodically. Get a program in place that can help you navigate identity theft should the worst-case scenario happen to you.
Like it or not, the sophistication of hackers combined with human error, as well as sloppy data management, has de facto deputized consumers to defend themselves. Never forget that despite all the laws, enforcement actions and best of intentions in the business community, the ultimate guardian of the consumer is the consumer.