Phighting The Phishers
Three weeks after falling prey to a phishing attack, Michigan State University FCU (MSUFCU) barely feels a ripple, according to April Clobes, assistant vice president of e-Commerce at the $1.2-billion CU.
The 14 MSUFCU members who said they responded to the fraudulent e-mails sent by phishers on March 3 have experienced no fraudulent activity on their accounts, Clobes said.
In addition, online members are still actively using the CU's services, she said.
But that doesn't mean that MSUFCU-or other credit unions-should rest easy.
"I do think we could be phished again," Clobes said. "If you're a credit union that hasn't been phished, your odds of being phished are becoming greater and greater."
The secret to not being hooked when phishers cast a reel? Educate members before, and respond quickly after, said Clobes. "You need to start educating your members to beware. And every credit union should start thinking about having response policies and procedures in place.
"The speed at which we responded to the attack, at which we shut down the fraudulent website, and at which we were able to block the victim's accounts helped to prevent any real fraud," Clobes explained.
Phishing is today's hot topic in network security (see related story in this issue of The Credit Union Journal). Members may receive and respond to e-mail spoofs that require them to enter financial information on fraudulent websites.
After MSUFCU members called the CU's contact center to report an e-mail spoof on the night of March 3, MSUFCU had the associated fraudulent website shut down the following morning by working with the site's Internet Service Provider and testing the fraudulent domain and IP addresses, Clobes continued.
MSUFCU also immediately sent all members a response e-mail alerting them to the phishing attempts, displayed a banner warning at msufcu.org and reconfigured a website graphic that was used in the e-mails to lure members, she said.
For those members who were duped by the e-mail scam, MSUFCU issued new cards, PINs and passwords and sometimes new accounts, said Clobes.
MSUFCU also notified the FBI, the NCUA, and the CU's third party network security providers, she said.
The "first CU to admit being phished" was well-prepared when phishers struck, Clobes said. MSUFCU had been educating members about phishing in newsletter articles, website examples, and seminars on identity theft, said Clobes.
"Members knew enough to call and inform us quickly when they received the phishing e-mail," Clobes said. "And the entire staff knew that we hadn't sent an e-mail."
Clobes said the CU hasn't yet committed to securing third-party technology vendors that provide automated services to shut down phishing sites.
And the credit union has no plans to incorporate ancillary security technology such as on-screen keyboards or key tokens that may help prevent phishing fraud, she said.
"I would like to think we can respond efficiently in-house," Clobes explained. "Our in-house request to the ISP to shut down the site after the phishing incident was handled quickly and efficiently. But I'm not saying we won't investigate other options now."
MSUFCU was perhaps particularly vulnerable to phishers. The CU's University-based membership's email addresses are openly published on MSU's website, and a large percentage of members use the CU's online services.
More than 50% of MSUFCU's 129,000 members actively use the homebanking product, ComputerLine, and about 10% use electronic bill payment.
For additional information on this story:
* Michigan State University FC at www.msufcu.org.
* Anti-Phishing Working Group at www.antiphishing.org
* DNSstuff (for Domain and IP Address Tests) at www.dnsstuff.com