Reader Question #1

What do you think of so-called 'spear-phishing'? A third party has offered to phish all of our members for whom we have e-mails. Those who respond will be sent e-mails explaining what happened and warning members not to respond to such requests for information.

Jim Berthelsen, SVP/General Manager, Harland Financial Solutions

We would not recommend sending 'phishing' e-mails to members and educating them about the consequences after they have responded to the e-mail. Instead, we would recommend an informational/educational campaign warning members against such practices and the potential consequences of responding to such an e-mail. The campaign can be in the form of e-mail, monthly statement inserts, letters, flyers, etc. or some combination.

Example of educational communications:

"Criminals are creating e-mails that look almost exactly like something you may receive from a financial institution. Corporate logos, e-mail formatting, etc. They often request that you verify some personal piece of information, such as your social security number, account number, password or PIN number either by return e-mail or by a URL taking you to their website. DO NOT respond to these e-mail requests. Legitimate companies will never ask for this type of information in an e-mail. You can rest assured it is probably someone trying to steal your identity. Identity Theft is one of the fastest growing crimes worldwide and Phishing is one of the criminal's most effective tools. Forward spam that is Phishing for information to spam@uce.gov and to the company, financial institution, or organization impersonated in the Phishing e-mail. Most organizations have information on their websites about where to report problems. The Federal Trade Commission also has information at: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm."

Gary Daniel, SVP & General Manager, Credit Union Group, Open Solutions, Glastonbury, Conn.

Unfortunately, "spear-phishing" is on the rise and is yet another security risk that all credit unions should be aware of and prepared to act upon. Just when the credit union industry is beginning to understand and educate their members on the "phishing" phenomenon, along comes "spear-phishing." Put simply, "spear-phishing" is the attempt by online criminals trying to pry passwords and other sensitive information out of individuals, or in the case of credit unions, members, by using phony e-mails from a high-ranking executive of the targeted organization, or in this case, the credit union. Rather than simply posing as a financial institution, "spear-phishers" pose as an executive or person of authority within the organization in order to trick employees or members into giving out passwords and confidential data. This is a very targeted attack, yields exceptional results and is very hard to trace.

Theresa Benavidez, CTO, USERS, Inc., Valley Forge, Penn.

I personally don't like the idea of using spear-phishing to demonstrate the dangers of responding to phishing e-mails. While this mock attempt may be well-intentioned, it's also a bit misguided. Some members could view it as an insult to their intelligence.

Being duped by their own credit union could also shake members' trust by calling your integrity into question. I would rather see credit unions focus on education as their best defense against phishing. Some studies have shown education to be very effective in reducing consumer susceptibility to attacks. In one study reported on in Computer World, a New York agency sent a phishing e-mail to employees and found that 75% opened it. After extensive education, they did the test again and only 8% opened the e-mail.

Website postings and pamphlets at the teller line, providing details on how the attacks work and illustrating what a phishing e-mail might look like. In any communication on this subject, emphasize that you will never ask members for account numbers or passwords, and that they shouldn't reveal those details to anyone. Remind them that e-mail is not a secure form of communication, so they shouldn't include confidential data in e-mails to the credit union. Longer term, we're hopeful that technologies will emerge to stop non-legitimate e-mails at the firewall.

Rick Fleming, Digital Defense, San Antonio

"Spear-phishing" done in the right context and done under the right circumstances may be a good idea. If used as a part of an overall member education training program, that includes online member training and printed materials included with statements, it may have value in that it tests the members on how well they understand the risks of replying to these scams.

On the other hand, it may very well anger many members who feel that the credit union is going back on its word and sending out an e-mail that solicits this information (something most credit unions have said they would never do) or that the credit union is somehow tricking its own members with this test. Social engineering examinations of any form tend to make the person or persons who fall for the scenario feel embarrassed and upset with the person performing the test. Extreme care should be exercised with this type of testing.

Another concern: do you as a CU want a third party to have access to the sensitive personal information that will no doubt be gathered as part of this testing process? Make sure if you hire your security firm to do this testing that not only are the contracts in place to protect all parties involved, including the members, but that you as a credit union are aware that an external third party will have access to potentially sensitive information.

John San Filippo, VP-Marketing, Bluepoint Solutions, San Diego

As my dear mother-in-law Dottie used to say, God rest her soul, this seems like a long go for short dough.

First of all, the credit union has no way of knowing why the members who didn't respond to this phishing expedition didn't respond. In other words, were they smart enough not to respond, or was there some other reason, e.g., they just didn't get around to it? At-risk members could be left behind inadvertently.

Along these same lines, it seems that the credit union could become inundated with "alerts" from those members who are smart enough to see through the ruse. And what of members who join after the phishing expedition has been completed?

Finally, as a credit union member, I'm not sure how I'd feel if my credit union contacted me and said, "Hey, we tricked you into exposing yourself to identity theft, dummy, but it was for your own good. Be a little smarter next time."

A credit union-wide, ongoing member education program seems like it would be more cost-effective, touch each member equally, and would avoid offending anyone.

Stephen Gilmour, Manager of Research and Development, Symitar, San Diego

This is an area that should be explored with caution. Members gave your credit union the authority to use their email address for specific purposes such as e-statements, newsletters and relevant promotions. Not all members will appreciate it being used to trick them. In addition, the government recommends that members who suspect they are being phished report it to the Federal Trade Commission at spam@uce.gov. I don't think we want to muddy up their investigation efforts by adding "legitimate" phish to their case load.

Other defenses available:

* Brand Protection Services that search domain registrations for "look alike" domains, scan e-mails, look for hostile servers, key logging, trojans, worms, viruses, man-in-the-middle attacks, web impersonations and other types of cyber attacks as they become known.

* Dual Authentication that uses selected pictures, varying questions, one-time use passwords, biometrics and other means.

* Web Log Analysis that detects unusual member behavior at the transaction level.

If the phishing problem at your CU is such that you feel it is necessary to use spear phishing, you should use it as part of an extensive education campaign. Educate the member about the threat, what they should do and even alert them as to what you are going to do.
