Financial institutions have long been a favorite target for phishing attacks, but attackers are broadening their focus. Security experts say smaller financial institutions, such as credit unions, are now being victimized as well.
Marc Gaffan, director of product marketing, identity and access assurance group at RSA Security, a division of EMC Corp., said financial services firms have always been a favorite target of phishers because they are among the most lucrative targets.
But with larger financial institutions taking action to thwart phishing, Gaffan said attackers are shifting their focus to target smaller, regional institutions, including credit unions, because these firms have fewer resources to fight the problem.
The RSA Monthly Online Fraud Report for December showed that attacks on nationwide banks made up 26% of U.S. financial institutions targeted by phishers, down from 44% in November. Conversely, credit unions made up 45% of the institutions attacked in December, up from 33% the previous month. Regional banks represented 29% of those attacked, up from 7%.
In targeting local institutions, attackers sometimes send customers customized emails, which can be convincing, Gaffan said. "As a consumer, you might think, 'What are the chances someone would go after my small credit union?'"
According to MarkMonitor Inc., a San Francisco-based brand-protection firm, nearly a third of all phishing attacks in the third quarter of 2007 targeted credit unions.
Between January and November of last year, a majority of the top 10 brands targeted by phishers were financial services firms, said Laura Mather, senior scientist at MarkMonitor. She said attackers launch phishing attacks against financial institutions not only to steal money from bank accounts, but also to use accounts for laundering money.
"Phishers are equal opportunity fraudsters," Mather said, "and are happy to find the financial institution that has the least amount of protection."
Financial institutions are taking several steps to protect themselves. Mather said they're forming groups to track and shut down phishing sites, or they tap companies like MarkMonitor, RSA and others that offer antiphishing services. They also are using email authentication technologies such as DomainKeys Identified Mail, and educating their customers.
"In the last couple of years, the banks have really started to work on this [problem]," Mather said. "It hits their bottom line, so they feel they need to, but we're also seeing some banks being proactive," taking steps to mitigate attacks even though they haven't yet been victimized by phishing.
Attack from all sides
For its part, San Diego-based USA Federal Credit Union is taking a multi-pronged approach to dealing with phishing. The credit union, which has 61,000 members, uses a combination of antiphishing services from MarkMonitor, education for customers and employees, and a detailed response plan.
Carolyn James, senior vice president and CIO at USA Federal, said the credit union has been hit by mass phishing attacks that target multiple credit unions by spoofing a co-op network or regulators, but hasn't seen much in the way of attacks targeting its members.
USA Federal uses two MarkMonitor services: one a take-down service that James describes as highly efficient, the other an early warning system, which alerts the credit union to domain registrations using variations of its name or acronym. Some domain names are registered repeatedly and dropped if they don't get any hits, James said. In some instances, the credit union goes on the offense and registers the domains itself.
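The early warning service James describes works by watching new domain registrations for variations of the institution's name or acronym. The Python below is an added illustration of that check, not USA Federal's or MarkMonitor's code: it enumerates common lookalike variants of a brand label (exact name under other TLDs, dropped or transposed characters, digit-for-letter substitutions, inserted characters, and "login"/"secure"-style affixes), then flags entries of a registration feed that match and are not already owned by the institution. It goes somewhat beyond the article by listing several variation techniques rather than one. The labels `usafed` and `usafcu`, the owned-domain list and the registration feed are constructed for the example.

```python
"""Early-warning check for lookalike domain registrations (added example).

Given an institution's brand labels, generate common lookalike variants and
flag entries of a new-registration feed that match. All names and the feed
below are constructed for illustration; they are not real registrations.
"""

# Substitutions commonly used to imitate a brand label.
HOMOGLYPHS = {
    "o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
    "rn": "m", "m": "rn", "vv": "w", "w": "vv",
}

# Words attackers commonly bolt onto a brand name (constructed list).
AFFIX_WORDS = ("secure", "login", "online", "verify", "account", "member")

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def _omissions(label):
    """Drop one character: 'usafed' -> 'usafe', 'safed', ..."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def _transpositions(label):
    """Swap two adjacent characters: 'usafed' -> 'suafed', ..."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def _homoglyphs(label):
    """Replace one occurrence of a character with its lookalike."""
    out = set()
    for src, dst in HOMOGLYPHS.items():
        idx = label.find(src)
        while idx != -1:
            out.add(label[:idx] + dst + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    return out


def _insertions(label):
    """Insert one extra character anywhere: 'usafed' -> 'usafedd', ..."""
    return {label[:i] + c + label[i:]
            for i in range(len(label) + 1) for c in ALPHABET}


def _affixes(label):
    """Prepend or append a lure word, with or without a hyphen."""
    out = set()
    for w in AFFIX_WORDS:
        out.update({f"{label}-{w}", f"{w}-{label}", label + w, w + label})
    return out


def generate_variants(labels, tlds=("com", "net", "org", "info", "biz")):
    """Map each candidate lookalike domain to (source label, technique).

    'identity' comes first so the exact label under another TLD is reported
    as such rather than as a variant.
    """
    variants = {}
    for label in labels:
        label = label.lower()
        techniques = [
            ("identity", {label}),
            ("omission", _omissions(label)),
            ("transposition", _transpositions(label)),
            ("homoglyph", _homoglyphs(label)),
            ("insertion", _insertions(label)),
            ("affix", _affixes(label)),
        ]
        for tech, labs in techniques:
            for lab in labs:
                for tld in tlds:
                    variants.setdefault(f"{lab}.{tld}", (label, tech))
    return variants


def check_registrations(labels, owned, registrations, tlds=("com", "net", "org", "info", "biz")):
    """Return (domain, source label, technique) for feed entries that look
    like one of `labels` and are not in the institution's own `owned` set."""
    variants = generate_variants(labels, tlds)
    owned = {d.lower().strip(".") for d in owned}
    hits = []
    for domain in registrations:
        d = domain.lower().strip(".")
        if d in owned or d not in variants:
            continue
        src, tech = variants[d]
        hits.append((d, src, tech))
    return sorted(hits)


# Constructed inputs: brand labels, domains the institution already holds,
# and a sample of "newly registered" domains as a monitoring feed would supply.
LABELS = ["usafed", "usafcu"]
OWNED = ["usafed.com", "usafed.org"]
NEW_REGISTRATIONS = [
    "usafed.com",        # already owned: not flagged
    "usafed-login.net",  # affix
    "usafe.com",         # omission
    "usaf3d.org",        # homoglyph (e -> 3)
    "usafcu.info",       # exact acronym under another TLD
    "example.com",       # unrelated: not flagged
    "usafedd.com",       # insertion
]


def run_example():
    """Run the check over the constructed feed and return the flagged list."""
    return check_registrations(LABELS, OWNED, NEW_REGISTRATIONS)


if __name__ == "__main__":
    for domain, label, technique in run_example():
        print(f"{domain:20s} resembles '{label}' ({technique})")
```

In practice the feed would come from registrar or zone-file data, and a match is a signal for analyst review and, where warranted, a take-down request, not proof that the domain is malicious. The same variant list doubles as a shortlist of names an institution might register defensively, as the credit union does.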
"We have maybe a dozen we've registered so far," she said. "It's cheap and it just gets them out of the wild."
The credit union has multiple tools to educate members, including a safety page on its Web site with instructions on how to report suspicious emails and how to identify phishing attacks.
"No matter what systems we subscribe to, our members are the ones who can really help prevent this from occurring if they're educated," James said.
Employees also are educated on phishing and other online threats via annual training programs, monthly security awareness posters displayed in key locations at every branch, and Internet safety tips on USA Federal's intranet.
Meanwhile, the credit union developed an incident response plan that lays out the steps it will follow in the event of a phishing attack, which James said makes the response less prone to error. "You can pick up the manual and start executing."