Pragmatic About Phishing

Anti-phishing technologies are "just stop gaps" against the rising tide of e-mail identity fraud.

That's according to John Best, director of technology for Wescom Credit Union's CUSO, the Wescom Resources Group (WRG) in Pasadena, Calif. Other credit unions echoed Best's sentiments in interviews with The Credit Union Journal.

"All that these technologies do is prevent our credit union from being 'low-hanging fruit,'" Best explained. "Even if we had something that would completely block phishers from our site, phishers could still create duplicates of our website via other means."

Phishing attacks continue to flow downstream from big banks to the CU industry: in March, Michigan State University FCU became the first CU to acknowledge being phished, and in June, Navy FCU became the largest CU to be phished.

Phishers send fraudulent yet realistic e-mails to members and expect them to respond by entering financial information, from account passwords to Social Security numbers, on fake websites.

Identity theft has been the most common complaint received by the Federal Trade Commission every year since 2000, according to the 2004 National and State Trends in Fraud and Identity Theft.

Pressed to act against the attacks, credit unions are employing a variety of prevention and response tools, with no sure-fire cure. One of the leading online financial institutions, Stanford FCU in Palo Alto, Calif., has used authentication technology since February to take a stab against phishers with the PassMark Security Two-Factor Two-Way Authentication system. Each member is assured that he or she is on the real Stanford FCU site when the $650-million CU displays the member's unique image and phrase during log-in, according to PassMark.

Los Angeles Firemen's CU, with about 40% of members using homebanking, is also considering the PassMark offering, said George Kings, the $700-million CU's vice president of Information Services.

Other credit unions have developed similar measures in-house. Online members at Wescom create a customized phrase, according to Best at Wescom Resources Group (WRG).

"If members don't see their phrase on the log-in page, they're either on a new computer or it's an indication that they might be on a phish site," Best continued.

WRG also plans to allow members to lock down access to their online accounts by IP address, he added.

Campus Federal CU in Baton Rouge, La., has beefed up online banking authentication by requiring members to enter a random security code that appears as they log in. The random code is designed to be unreadable by automated ID theft programs.

Upon log-in, each member also sees his or her selected security word on every page that is an authentic online banking page.

Beyond authentication, Cyota's FraudAction is attracting the attention of a number of credit unions, including Wescom and Educational Employees CU (EECU) in Fort Worth, Texas.

FraudAction includes alerts, fraudulent site shutdown, reports, counter-measures and forensic work, which help to prevent attacks and to reduce the average lifespan of successful attacks from six days to five hours, according to Cyota.

Two tech-heavy CUs, including the SECUs of North Carolina and Pennsylvania, have signed with Cyota, and Digital Insight last month partnered with Cyota to make FraudAction available to its credit union clients.

In contrast, some credit unions are relying mainly upon member and staff education to fight phishing.

For example, the $31-million Kent County CU in Grand Rapids, Mich., the $675-million EECU, and the $163-million Pinnacle FCU in Edison, N.J., educate members in various ways, such as sending out phishing and pharming information with every newsletter and statement stuffer, sending in-session messages to homebanking users, and posting banner ads on the website.

In addition, about 400 North American credit unions are partnered with Identity Theft 911, which assists in the notification process and provides crisis management, monitoring and resolution services to phishing victims.

Member education isn't foolproof, said Mike Powers, vice president and marketing director at Pinnacle FCU. Despite the CU's efforts, "a lot of people probably aren't as educated on these topics as they should be."

Michigan State University FCU has set a good track record by educating members and then manually responding to phishing attacks, according to April Clobes, assistant vice president of E-Commerce at the CU.

"The better educated members and staff we have, the better we can counteract," Clobes explained. "We rely on our members to inform us of a fraudulent e-mail and then we proceed with the proper steps to respond and shut down the site. Right now we do all of this in-house very effectively."

CUJ Resources

For info on this story:

* Campus FCU at www.campusfederal.org

* Educational Employees CU at www.eecu.org

* Kent County CU at www.kentcountycu.org

* Los Angeles Firemen's CU at www.lafirecu.org

* Michigan State University FCU at www.msufcu.org
