Fighting Phishing Expeditions

No more playing nice.

Phishing fraud has hit credit union land, with Michigan State University FCU among its first victims (see related story, page 13). In fact, phishing has gotten so out of hand that some are suggesting what might be described as desperate measures.

Phishers send spoofed e-mails to consumers, tricking them into visiting fraudulent but realistic-looking websites that mimic a financial institution and lead the member or customer to divulge financial and personal data. And phishing has even given way to a new form of the fraud, "pharming" (see page 40).

The fear of phishing is rattling the confidence of online customers, say pundits in the financial services industry. More than a quarter of all online consumers have stopped applying for financial products on the web, reported Forrester Research in December. And 14% of online consumers will no longer use online banking and bill payment, said Forrester.

The number of unique incidents has been rising 30% per month since July, said a report released in January by the Anti-Phishing Working Group (APWG), an industry association working to eliminate the identity theft and fraud resulting from phishing.

In particular, the October announcement by ChoicePoint that financial profiles of 145,000 consumers had been stolen, albeit not in a phishing scam, has only raised the profile of the problem and is stimulating scads of advice from all sectors of the industry.

Companies should be required to inform customers nationwide of data breaches and allow consumers to control access to credit reports, say some consumer groups.

And financial institutions aren't doing enough by educating their customers, according to CIO.

Take-Down Services Urged

The online journal for IT executives urged FIs last month to contract for take-down services, which automatically call for Internet Service Providers to shut down any fraudulent websites that are discovered.

Take-down is exactly what Pennsylvania State Employees CU (PSECU) plans to do to potential phishing sites, according to Kevin Doyle, Information Security officer at the $2.2-billion PSECU.

The credit union will use Cyota's FraudAction solution to combat phishing. The New York-based Cyota provides anti-fraud products for financial institutions.

"PSECU is concerned with members being educated on the topic and prompt response," Doyle said.

Doyle said that PSECU has not yet been a target of phishing attacks.

If PSECU does take-downs, chances are good that other CUs will follow suit. In its mission to make secured electronic access a priority, PSECU often leads the way for credit unions online.

The two-location credit union has attracted attention across the banking industry, named one of the top 30 North American financial institutions online by Bank Technology News, an affiliate of The Credit Union Journal. And Scottsdale, Ariz.-based Cornerstone Advisors, Inc. singled out PSECU's in-house web development as "pragmatic and creative."

PSECU members seem to agree. More than half of PSECU's 300,000 members have signed up for homebanking, Doyle said. About 10% of all members actively use online bill payment, he said.

And PSECU's online legion is growing, Doyle continued, despite industry reports that consumers are scared about phishing.

"Whereas we perceive phishing and internet fraud as a definite threat, we see continued growth of the number of members both signing up for home banking and using online services," Doyle said.

Online accounts have been growing at an average of 1,500 per month for the past year, said Doyle.

Don't Downplay The Threat

"That said, we don't downplay the threat," he added. "We believe that as phishing continues to grow it has an impact on consumer confidence, and we are exploring ways to mitigate that threat."

Go Beyond Passwords

Typically, phishing scams require a member only to enter a password online. PSECU goes beyond passwords, using two-factor authentication at the homebanking log-in, Doyle said.

PSECU is also considering using on-screen "keyboards" that a member would control with a computer mouse, so that phishers could no longer record keystrokes from a conventional keyboard, he said. Banking giant Citibank announced last month it was auditioning on-screen keyboards in an effort to fight identity theft.

CUJ Resources

For additional information:

* Pennsylvania State Employees CU at www.psecu.com

* Anti-Phishing Working Group www.antiphishing.org

* Cyota www.cyota.com
