"Pharming" Guidance on How Financial Institutions Can Protect Against Pharming Attacks
FIL-64-2005 July 18, 2005
The FDIC is issuing the attached guidance to financial institutions describing the practice of "pharming," how it occurs, and potential preventive approaches. Financial institutions offering Internet banking should assess potential threats posed by pharming attacks and protect Internet domain names, which – if compromised – can heighten risks to the institutions.
"Pharming" is the process of redirecting Internet domain name requests to false Web sites to collect personal information. Information collected from these sites may be used to commit fraud and identity theft.
The attached guidance explains how pharming occurs and recommends strategies for protecting financial institution Internet domain names from a successful pharming attack.
The effectiveness of an insured institution's Internet domain name protection program should be addressed in periodic risk assessments and status reports presented to the institution's board of directors.
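The guidance above treats the institution's domain name as an asset to be monitored, not just registered. One routine check a security team can run as part of that program is to resolve the institution's customer-facing host names from several independent resolvers and compare the answers against the addresses the institution actually publishes: an answer outside that allowlist, or resolvers that disagree with each other, is the symptom of a redirected domain and warrants an immediate look at the registrar account, the authoritative zone and any resolver caches involved. The following Python script is an added example written for this page; it is not part of the FDIC guidance. All host names, addresses and resolver answers in it are constructed sample data, and the function name `check_resolutions` and the `Finding` record are this example's own choices.

```python
"""Resolver-consistency check for an institution's public host names.

Added example (not part of the FDIC guidance). Domain names, addresses and
resolver answers are constructed sample data, not real records.
"""
import ipaddress
from dataclasses import dataclass

# Addresses the institution itself publishes for each host name (constructed).
# In practice this allowlist comes from the institution's own change records.
EXPECTED = {
    "www.examplebank.test": {"198.51.100.10", "198.51.100.11"},
    "online.examplebank.test": {"198.51.100.20"},
}

# Answers collected from several resolvers (constructed sample data).
# Two resolvers agree with the allowlist; a third returns a foreign address
# for the online-banking host, which is what a redirected domain looks like.
SAMPLE_OBSERVED = {
    "www.examplebank.test": {
        "resolver-a": {"198.51.100.10", "198.51.100.11"},
        "resolver-b": {"198.51.100.10", "198.51.100.11"},
        "resolver-c": {"198.51.100.10", "198.51.100.11"},
    },
    "online.examplebank.test": {
        "resolver-a": {"198.51.100.20"},
        "resolver-b": {"198.51.100.20"},
        "resolver-c": {"203.0.113.77"},
    },
}


@dataclass(frozen=True)
class Finding:
    domain: str
    resolver: str   # "*" when the finding concerns the domain as a whole
    address: str    # "*" when no single address is at issue
    reason: str


def check_resolutions(expected, observed):
    """Compare observed answers with the allowlist; return a list of findings.

    A finding is raised when a host name is unknown to the allowlist, when an
    answer is not a valid IPv4/IPv6 address, when an answer is outside the
    allowlist, or when the resolvers do not agree with one another.
    """
    findings = []
    for domain, answers_by_resolver in observed.items():
        allow = expected.get(domain)
        if allow is None:
            findings.append(Finding(domain, "*", "*", "host name not in allowlist"))
            continue
        for resolver, addrs in answers_by_resolver.items():
            for addr in addrs:
                try:
                    ipaddress.ip_address(addr)
                except ValueError:
                    findings.append(Finding(domain, resolver, addr, "malformed address"))
                    continue
                if addr not in allow:
                    findings.append(Finding(domain, resolver, addr, "address outside allowlist"))
        # Independent resolvers should return the same answer set for a stable
        # host; a split view points at one resolver (or its cache) being fed
        # different data than the others.
        distinct_answer_sets = {frozenset(a) for a in answers_by_resolver.values()}
        if len(distinct_answer_sets) > 1:
            findings.append(Finding(domain, "*", "*", "resolvers disagree"))
    return findings


def unaffected_domains(expected, observed):
    """Host names whose answers match the allowlist on every resolver."""
    flagged = {f.domain for f in check_resolutions(expected, observed)}
    return sorted(d for d in observed if d not in flagged)


if __name__ == "__main__":
    for f in check_resolutions(EXPECTED, SAMPLE_OBSERVED):
        print(f"{f.domain} {f.resolver} {f.address}: {f.reason}")
    print("clean:", unaffected_domains(EXPECTED, SAMPLE_OBSERVED))
```

Run on the sample data, the script reports the foreign address returned by `resolver-c` for `online.examplebank.test` and the resulting disagreement between resolvers, while `www.examplebank.test` is reported clean. Feeding it live answers (for example from the institution's own resolvers, its ISP's resolvers and a public resolver, collected on a schedule) turns it into the kind of periodic check whose results can be summarised in the risk assessments and board reports the guidance calls for.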
Distribution: FDIC-Supervised Banks (Commercial and Savings)
Suggested Routing: Chief Executive Officer; Chief Information Security Officer
Related Topics:
GLBA, Section 501b
FIL-77-2000, Bank Technology Bulletin, November 2000
FIL-27-2004, Guidance on Safeguarding Customers Against E-Mail and Internet Related Fraud, March 2004
FFIEC Information Security Handbook, Issued November 2003
Interagency Informational Brochure on Phishing Scams, Contained in FIL-113-2004, Issued September 13, 2004
Putting an End to Account-Hijacking Identity Theft Study, Issued December 2004