REQUIRED READING: When Sailing High-Tech Waters, Beware Of The Phishing Fleets


In March, an e-mail sent under the auspices of the Credit Union National Association (CUNA) began to appear. It opened ‘Dear CUNA Member’ and informed recipients that they had been randomly chosen to win $200 in a CUNA-sponsored contest. To claim the prize, they would need to fill in an online questionnaire supposedly located at the CUNA Web site. The questionnaire asked for the recipient's ATM/debit card number, along with the card's expiration date, CVV security code and personal identification number.

Needless to say, this e-mail announcement caught many people by surprise – particularly the staff at CUNA, which had nothing to do with it. Even more surprising was the Web site that was being presented as CUNA's cyberspace resource – someone had duplicated the trade group's Web site to include this phony survey.

CUNA, in the vernacular of the digital era, was phished.

Phishing involves the use of fraudulent e-mail to acquire sensitive personal information such as credit card data, Social Security numbers and computer passwords. These e-mails are disguised as official communications from well-known companies or organizations, and they are often linked to fraudulent Web sites designed to resemble the alleged source of the message.

It's not a new occurrence – the earliest reference to it dates from 1996 – but the growing volume and effectiveness of attacks have raised awareness of the damage phishing can do.

Phishing has even spawned new forms of digital attacks. Text message-based phishing attacks have already been confirmed – in March, Bank of the Cascades in Bend, Ore., reported its customers were receiving phishing text messages. There's also vishing, voice phishing that uses Voice over Internet Protocol (VoIP) calls to trick people into disclosing vital information.

Financial institutions, not surprisingly, are among the prime targets of phishing attacks. A study from the Anti-Phishing Working Group, a consortium of technology companies and law enforcement agencies, found the level of financial services-related phishing attacks in the 12 months ending November 2007 exceeded 350,000, a substantial rise from the approximately 100,000 reported attacks over the one-year period that ended in November 2006.

Another report, from Aite Group LLC in Boston, found the payment services and the financial sector attracted 48% of all reported phishing attacks during the fourth quarter of 2007. This report determined that an increasing number of phishing attacks are being targeted at smaller financial service providers.

Sign of the times

Complicating matters is the state of mortgage banking. As issues relating to foreclosures, refinancing and home equity lines of credit agitate many borrowers, a new phishing wave designed to exploit this crisis may be the next line of attack.

‘The mortgage crisis has created millions of stressed and distressed homeowners whose vulnerabilities could make them potential victims to criminals using phishing and other schemes that pose as lifelines,’ observes Fritz Elmendorf, vice president of communications for the Consumers Bankers Association.

‘Unfortunately, unscrupulous individuals could very well use phishing techniques to prey on those searching for resources to avoid foreclosure,’ says Viveca Y. Ware, director of payments and technology policy for the Independent Community Bankers of America. ‘Consumers should not respond to e-mails or telephone calls offering foreclosure assistance. Instead, they should seek resources from local reputable organizations such as community banks and housing assistance programs.’

Oddly enough, the financial services industry may actually be accommodating the phishers. The Aite Group study found only 20% of banks covered by the Federal Deposit Insurance Corp. are currently using technology that can increase recipients' assurance that e-mail messages are legitimate. In comparison, 51% of the Fortune 500 do so. The technology involved is relatively simple: the sending organization publishes the Internet Protocol addresses authorized to send mail on its behalf, so that a recipient's mail server can check whether a newly received message actually came from a trusted address.
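The ‘trusted Internet Protocol address’ check described above matches what the Sender Policy Framework (SPF) does: a domain publishes, in a DNS TXT record, the addresses allowed to send its mail, and a receiving server evaluates that record against the address that actually delivered the message. The evaluator below is an added example, not code from the article or from the Aite Group or any institution it names. Its domain names, IP addresses and DNS records are constructed for the demonstration (a dictionary stands in for DNS), and it implements only the ip4, ip6, include and all mechanisms.

```python
"""Minimal SPF-style sender check.

Added example, not part of the original article or of any product it
mentions. It illustrates the "trusted IP address" e-mail authentication
the article describes; every domain, address and record below is
constructed for the demonstration.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
FAKE_DNS_TXT = {
    "examplebank.test": "v=spf1 ip4:203.0.113.0/24 include:mailer.test -all",
    "mailer.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "unprotected.test": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-based mechanisms per evaluation


def lookup_spf(domain):
    """Return the SPF record for a domain, or None if it publishes none."""
    return FAKE_DNS_TXT.get(domain)


def check_spf(domain, sender_ip, _depth=0):
    """Evaluate the SPF record of `domain` against `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supports ip4/ip6 with optional CIDR, include:, and the all mechanism.
    """
    if _depth > MAX_LOOKUPS:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # domain publishes nothing: no assurance either way
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced record yields "pass";
            # a missing or broken included record is a permanent error.
            inner = check_spf(arg, sender_ip, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    return "neutral"  # record ended without a match: default result


def should_reject(domain, sender_ip):
    """Policy a receiving server might apply: reject only on hard fail."""
    return check_spf(domain, sender_ip) == "fail"


if __name__ == "__main__":
    for dom, ip in [("examplebank.test", "203.0.113.77"),
                    ("examplebank.test", "198.51.100.11"),
                    ("examplebank.test", "192.0.2.5"),
                    ("unprotected.test", "192.0.2.5")]:
        print(dom, ip, check_spf(dom, ip))
```

Two caveats a practitioner would add. A ‘pass’ only says the delivering server is authorized for the domain in the envelope sender; a phisher's own look-alike domain can publish a perfectly valid record, so the check must be combined with verifying that the domain is the institution's real one. And a record ending in ‘+all’, as ‘unprotected.test’ does above, authorizes the whole Internet and gives no assurance at all.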

Within the industry itself, it appears the smaller institutions are more vulnerable to phishing attacks.

‘Given that larger banks are savvier and doing a better job of educating end users of the threat, the low-hanging fruit lies in more targeted attacks against smaller banks and credit unions that have yet to have their collective fingers burnt,’ says Nick Holland, senior analyst at the Aite Group and the author of its report.

Fighting back

Is it possible to prevent phishing attacks from plaguing your company? For IT experts, the problem is not a matter of bits and bytes – instead, it is a problem of common sense.

For starters, make sure that your staff keeps its business and personal e-mails separate and apart. ‘One of the main problems that encourages phishing penetration is having your staff sending e-mails using their business accounts to their personal e-mail accounts,’ says Loren Lloyd, CEO of Lloyd Computer Services, Oshawa, Ontario. ‘If any home personal computer or laptop has a virus and an e-mail is sent from it back to the business account, then the virus has reached the office. From there, it has the potential to do whatever it was designed to do, including information theft that is used in formulating phishing attacks.’

For Robert K. West, founder and CEO of Echelon One LLC in Mason, Ohio, and former chief information security officer for Fifth Third Bank, the human element is of equal importance to the technology security system.

‘Most financial institutions test the security health of their computer 'perimeter' on a weekly or monthly basis,’ he says. ‘The word perimeter is in quotes because, practically speaking, there hasn't been a perimeter in most enterprises for quite some time. As important as the technologies being used are the processes and the knowledge people have. People should understand what they need to do to protect an organization's information and what they need to do varies based on their role in the organization. A member of the executive team needs to know strategic actions to take. Other significant people within an organization include system administrators, application developers, project managers and regular employees.’

A worst-case scenario response plan is also crucial for West. ‘There are processes that need to be in place that allow an organization to respond to unusual events, such as attacks on computer systems, phishing, disasters, system outages, etc.,’ he says. ‘Information is well protected when the right combination of people, process and technology is used.’

James Brooks, president of the Arlington, Va.-based cyber security firm Cyveillance, acknowledges there is no one-size-fits-all solution. ‘The larger Fortune 500 banks have full-time security staff and every type of resource to fight the problem,’ he says. ‘The smaller banks and credit unions don't have the 24/7 security staff and all of the bells and whistles.’

However, Brooks notes that smaller organizations can use the employee base as a more-than-effective tool. ‘Employee education is a must,’ he continues. ‘Whenever a customer calls in, the employees need to listen with a basic level of understanding to address the customer's needs regarding this issue.’

Brooks also recommends adding phishing-related contact information on the financial institution's Web site to aid in the reporting of phishing endeavors. ‘That's very easy to implement,’ he says. ‘All you need is to include an e-mail address or add a customer form on your Web site.’

Customers should also be included in the fight against the phishers. Tonya Robichaud, president of ETR Consulting in Woonsocket, R.I., points out that one defense against such messages is literally a Web browser click away.

‘I would encourage financial institutions to tell their customers to upgrade to the latest versions of Firefox (currently Version 2, with Version 3 imminent) or Internet Explorer (currently Version 7, with Version 8 imminent),’ she says. ‘They have stronger and more sophisticated anti-phishing filters built in. A large percentage of the victims are people who still run older versions of the browsers that don't have as strong security, other patches and updates for known security holes. Upgrading a browser won't end phishing, but it will help cut down on the numbers.’

Beyond the Web browser upgrade, Robichaud also calls for an upgrade in customer education. ‘Financial institutions should use every communications vehicle and opportunity to remind people to stop and think and ask themselves, 'Does this e-mail seem reasonable?'’ she says. ‘A little common sense can go a long way. If it sounds phishy, maybe it is.’

‘Companies should also instruct customers and employees to always retype the site address into the browser and then locate the area of interest,’ advises R.J. Schlecht, director of industry technology security and compliance for the Mortgage Bankers Association. ‘Conversely, companies should never broadcast e-mail with embedded links. Rather, the e-mail should request that the customer go to their site and then provide instructions on how to perform the intended action.’
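Why retyping the address matters, shown as an added example that is not part of the article or of the Mortgage Bankers Association's guidance: in an HTML e-mail, the text a reader sees is not necessarily where the link goes. The script below flags links whose visible text names one domain while the href leads to another, links that go to a bare IP address, and links outside the domain the message claims to come from. The sample message and the .test domain names are constructed for the demonstration, and the two-label ‘registrable domain’ helper is a simplification (a real implementation would consult the Public Suffix List).

```python
"""Flag e-mail links whose visible text points somewhere other than the href.

Added example, not from the article or from any organization it quotes.
The sample HTML body and the domain names are constructed for the demo.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: reads like a notice from examplecu.test but links elsewhere.
SAMPLE_HTML = """
<p>Dear Member, you have been selected for a $200 prize.</p>
<p>Claim it at <a href="http://examplecu-survey.test/claim">https://www.examplecu.test/survey</a></p>
<p>Questions? See <a href="https://www.examplecu.test/contact">our contact page</a>.</p>
<p>Or visit <a href="http://203.0.113.9/login">www.examplecu.test</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Extract a host name from a URL or bare domain; None if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def registered_domain(host):
    """Crude two-label approximation of the registrable domain (no PSL)."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html, expected_domain):
    """Return [(href, [reasons])] for links suspicious in mail from expected_domain."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        href_host = host_of(href)
        if href_host is None:
            continue  # mailto:, javascript: and relative links are out of scope here
        reasons = []
        try:
            ipaddress.ip_address(href_host)
            reasons.append("bare IP address")
        except ValueError:
            pass
        # Heuristic: treat link text as naming a host only if it looks like one.
        text_host = host_of(text) if "." in text and " " not in text else None
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            reasons.append("visible text names a different domain")
        if registered_domain(href_host) != expected_domain:
            reasons.append("outside the sender's domain")
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML, "examplecu.test"):
        print(href, "->", "; ".join(reasons))
```

The same mismatch is what a customer cannot see without hovering over the link, which is the reason the advice above asks them to type the institution's address themselves, and asks institutions not to train customers to click by sending links in the first place.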

Whatever impact this will make is hard to predict. However, Echelon One's West sees no signs that the phishing fleets will be sailing off into the proverbial sunset.

‘I see the number of attacks increasing, as well as the sophistication of the attacks,’ he says. ‘The vast majority of attacks are being perpetrated by criminal elements such as the Russian Business Network, criminals, etc. The motive for attacks has changed from someone trying to get headlines for defacing a Web site to pure profit motive. This changes the game and thus the solutions necessary to protect an organization need to be more robust.’
