
Phishing attacks slam smaller financial institutions

By Shamus McGillicuddy, News Writer
09 Jan 2008 | SearchCIO-Midmarket.com


Phishing attacks are moving downstream to the midmarket, forcing CIOs to take steps to protect their companies' brands.

"Certainly the criminals have moved downstream to smaller financial institutions," said Avivah Litan, a vice president and research director at Gartner Inc. in Stamford, Conn. "That's been the trend for well over a year, because the larger banks have employed services to take these phishing command and control services down. So criminals would rather use brands that are not going to go after them. It's easier to attack smaller banks that haven't geared up to protect themselves. They can go undetected. And as soon as they are detected, these smaller banks are caught off guard."

Litan said PayPal and larger banks are still the more frequent targets, but smaller financial institutions need to be prepared.

In its quarterly Brandjacking Index, which tracks online brand hijacking, phishing and other criminal attacks, online reputation protector MarkMonitor Inc. reported that 32.6% of all phishing attacks detected in the third quarter of 2007 were targeted at credit unions. Such financial institutions are traditionally smaller, with limited resources for dealing with such attacks.

Frederick Felman, chief marketing officer at San Francisco-based MarkMonitor, said medium-sized companies that get phished for the first time can see a profound effect on their businesses. The customer service and public relations efforts required to remediate an attack can be overwhelming, not to mention the sales that can be lost due to the reputation hit.

"Smaller brands are being phished," Felman said. "Over the last two or three years we've seen pockets of attacks on smaller players, attacks on credit unions and small online retailers.

"It's definitely not just a risk for the nation's and the world's largest financial institutions. It's definitely a risk for smaller organizations."

Carolyn James, senior vice president and CIO of USA Federal Credit Union, a 225-person, $700 million credit union based in San Diego that has historically served members of the U.S. armed forces, said her institution has been targeted by phishing attacks twice during the past year or so.

"We've had some phishing attacks that specifically spoofed our website," James said. "It was before we were doing multi-factor authentication. They were taking advantage of that, to get people to put their usernames and passwords into a website. We shut them down."

James said she became aware of the first phishing attack when MarkMonitor warned her company about it. She was not yet a MarkMonitor customer, but the company contacted her to tell her it had detected the attack.

"The first time we were phished we weren't a MarkMonitor client," she said. "We had to do a takedown ourselves. It took a day. The second time, MarkMonitor took down the site within 45 minutes."

James said protecting yourself from phishing attacks is a cultural issue to some extent. When she joined her credit union two and a half years ago, her organization had too many silos separating IT from the business. Many business units had online relationships with partners that IT had no knowledge of.

Through persistence and constant communication, James has gained more control over those relationships, especially those where credit union membership information is exchanged with partners. A breach of such information, such as a list of email addresses, could make customers vulnerable to phishing attacks.

"When you're in the contract review process, information services has to be included in the list of people who review new vendors when we are going to exchange member information," she said. "We need some influence on that."

James said that in the online reputation world, she considers the CIO a chief information gatherer.

"I read online journals, attend webinars and conferences and talk to peers to learn about new vulnerabilities," she said. "Along with my team, we identify new solutions. I would not likely be able to afford some of the solutions that Bank of America or Wells Fargo would. But MarkMonitor is unique in that it is priced so that I can do what the big guys do."

Litan said smaller organizations should have a contract with a phishing site takedown service like MarkMonitor. While larger organizations that get targeted by phishing attacks daily will have large contracts for constant protection, smaller organizations can engage with a service provider for a standby service. In a standby mode, the service provider would be positioned to kick into gear quickly when a phishing attack takes place.

"These smaller banks get caught off guard," Litan said. "They have to sign up for a service to take on these phishers. They can't do it quickly. They have to sign a contract. It can take days. But some vendors will do the takedown right away if an agreement in principle is in place."

Litan said phishing attacks are further evolving, moving away from specific brands.

"They're being more generic so there's nobody going after them," she said. "When there's no brand involved, no one is going to spend the money to get rid of the phish. In the greeting card industry, one of the leading greeting card companies took one for the whole industry. So even though the phishers were using nonbrands, one big company thought it was damaging the industry's name. So they spent the money to take down the phishing attacks."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer.



All Rights Reserved, Copyright 2007 - 2009, TechTarget