Verizon employs multiple lines of defense against phishing attacks.
Verizon, the largest wireless company in the U.S., faced the challenge of phishing attacks that harmed their brand. This case study details how they successfully integrated OpSec solutions with other internal security measures as part of a concerted effort to educate and protect customers and prevent Verizon fraud losses.
Verizon, the largest wireless company in the U.S. with more than 110 million customers across the country, is committed to providing excellent customer service and exceptional communications and entertainment experiences. However, this commitment is challenged by the prevalence of phishing attacks that harm the famous Verizon brand. Specifically, fraudsters attempt to steal customer information, including account usernames and passwords and generate bogus charges that are for everything from popular smartphones and tablet computers purchases to long-distance calls billed to customers’ accounts.
To reduce the incidence and cost of phishing attacks, Verizon successfully integrated OpSec solutions with other internal security measures as part of a larger concerted effort to educate and protect customers and prevent Verizon fraud losses. The result has been a reduction in phishing incidents and fraud losses, as well as significant cost savings.
Fraudsters are becoming increasingly adept at crafting convincing messages and websites that claim to be from reputable companies. In late 2013, Verizon began to see a rise in phishing attacks on customers in the form of automated phone calls (i.e., “vishing” or “robocalls”), emails, and text messages (i.e., “smishing,” a scam that uses Short Message Service – SMS – systems to send fraudulent text messages). These attacks aim to dupe unsuspecting customers into divulging sensitive information such as user names, passwords and other account and personal data.
Due to the phishing attacks, Verizon call centers were reporting large volumes of customers calling to question unusual text messages and voicemails purportedly from Verizon. Customers also were calling to dispute fraudulent charges on their bills. As a result, Verizon was experiencing higher call center costs and paying to reimburse customers for fraudulent device purchases and unauthorized international calls.
Some of the phishing phone calls and texts advised customers that their accounts were locked and directed them to log in to a fraudulent website to provide verification to unlock their accounts. Other phishing attacks notified customers of false prizes, promotions and rewards, and directed customers to fake websites to submit personal information and claim their winnings.
The phishing websites were made to look like Verizon-owned websites with the VERIZON trademark, and encouraged customers to “Access your Account” or “Sign in to My Verizon” or “My Verizon Mobile.” In many cases, the fake sites even included links to legitimate Verizon sites, making it more difficult for consumers to notice the difference. Furthermore, sophisticated fraudsters are careful to keep their sites up to date. When Verizon rebranded its corporate logo and website in 2015, fraudsters immediately started mimicking the new brand and overall site design.
In one example, targeted Verizon customers received unsolicited calls to their mobile devices from a number identified as Verizon technical support. They were then urged to log on to a dedicated website to receive a special reward of $54, available at a domain name, including “verizon54.com” or “54verizon.com.” Once login information is provided on a fraudulent site, hackers can access a customer’s account details, potentially leaving personal data vulnerable. The fraudster’s goal is typically to obtain enough information to pose as the customer when contacting Verizon or to gain access to a customer’s online account for purposes of fraud.
Following a successful pilot study in late 2013, Verizon decided to launch a long-term antifraud watch and takedown partnership with OpSec. When OpSec identifies a phishing attack for Verizon, OpSec analysts are able to tap relationships with ISPs, domain registrars and hosting providers to quickly shut down phishing sites no matter what time of the day or night they are launched.
In addition to working with OpSec, Verizon’s security organization instituted a number of other customer protections that are regularly updated, including:
- Customer education, including contact information to report phishing attacks by using email, firstname.lastname@example.org or email@example.com, texting by forwarding suspicious text messages to short code 7726 (or SPAM), or calling Verizon Wireless’ customer support at (800) 922-0204 or *611
- Instructional videos about the importance of using unique logins and passwords for accounts
- Extra security measures such as displaying a SiteKey image on a legitimate login screen
- Authorization checks for account feature changes and device orders
- Automatic communications to confirm changes to a customer’s account
The OpSec AntiFraud solution and Verizon’s ongoing security measures significantly reduced the number of phishing incidents and quickly achieved a good return on investment. It has reduced Verizon’s expenses and cut fraud losses.
The OpSec AntiFraud solution deploys proprietary, preventive tools to reduce phishing incidents by addressing the phishing problem upstream, before attacks are launched. For Verizon, OpSec analyzed the fraudsters’ infrastructure, including phish kits used by fraudsters to launch phishing attacks and execute their campaigns. Using data from the phish kits, OpSec AntiFraud was able to shut down 24 collection points associated with Verizon over eight months, including email accounts and stolen credentials, and take down both phish and phish redirector sites.
By hardening Verizon as a target for phishers, OpSec is a key partner in helping the company protect its brand, uphold customer trust and significantly diminish the overall impact to the company’s top and bottom lines.
Verizon is unable to detect fraudulent activity when legitimate (stolen) logins are used. They encourage all customers to use best practices to defend against fraud in all sensitive accounts.
- Looking for the use of SSL for sites requesting any confidential information
- Using the latest anti virus software and install patches
- Using different passwords across different sites