An Ounce of Fraud Prevention is Worth Millions in Cures
http://www.creditunionmagazine.com/story.php?doc_id=764
By Kevin Joy
As online banking activities grow, phishing attacks have become a prime source of identity theft. Credit unions are now finding themselves battling an escalating number of these attacks that are specifically designed to acquire confidential personal data, including passwords and credit card numbers, from unsuspecting members.
Both Javelin Strategy & Research, Pleasanton, Calif., and the Federal Trade Commission (FTC) estimate that identity theft has become a $45 billion-a-year problem in the U.S. alone. In addition, Stamford, Conn.-based Gartner predicts that by the end of 2010, criminals routinely will use the Internet to extort funds from organizations.
In simple terms, phishing is the process of luring unsuspecting consumers to a fake Web site by using authentic-looking e-mails for fraudulent purposes. According to the Anti-Phishing Working Group, 91.7% of phishing attacks during December 2007 were targeted at the financial services sector.
There's nothing simple about how a phishing attack is perpetrated—or resolved.
Early phishing attempts were mainly single sites that were focused on acquiring credit card information, and were relatively simple to deal with. Today's attackers, however, have evolved well beyond single "one off" attempts to setting up multiple pages to avoid detection.
They simply use one site to capture as much information as possible in a short period of time and then quickly move on to another. This can extend an attack for weeks, making fraud prevention and protection more challenging than ever.
An additional consideration for today's credit union managers is the new regulatory requirements under the Federal Trade Commission and federal banking agencies' rules on "Identity Theft Red Flags." These mandate that all financial institutions develop and implement an identity theft prevention program for combating these threats (including reasonable policies and procedures for detecting, preventing, and mitigating identity theft) by Nov. 1.
While phishing attacks represent a significant portion of online identity theft activities for credit unions, they can, in fact, be demobilized in less than 24 hours through the application of advanced monitoring tools and services.
When a suspected site is detected, the first step is to determine the properties of the site to identify the Internet service provider, domain name owner, and any other relevant contacts. Monitoring of the site for any changes to Internet protocol address, content, or other properties should also be implemented, and a forensic copy of the site should be obtained. Relevant parties are then contacted so work can immediately begin on disabling the sites.
At the same time, credit unions must also implement a communications program to inform members of any incidents and advise them on appropriate actions to take. Even when the activity is demobilized, monitoring should continue for another 100 days.
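The monitoring step described above, as an added example that is not part of the original article: it compares successive polls of a suspected site for changes to IP address, content, and availability, keeps a hash of each forensic copy, and computes the 100-day continued-monitoring date once the site goes down. The record layout, function names, and sample polls are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

POST_TAKEDOWN_DAYS = 100  # continued-monitoring period given in the article

@dataclass(frozen=True)
class Observation:  # one poll of the suspected site (assumed record layout)
    seen_at: datetime
    ips: frozenset   # addresses the host name resolved to
    status: int      # HTTP status; 0 = no response
    body: bytes      # raw page content retained as the forensic copy

    @property
    def digest(self):  # SHA-256 of the retained copy, for later re-verification
        return hashlib.sha256(self.body).hexdigest()

def diff(prev, cur):
    """Property changes between two consecutive polls."""
    events = []
    if prev.ips != cur.ips:
        events.append(("ip_changed", sorted(cur.ips - prev.ips)))
    if prev.status == cur.status == 200 and prev.digest != cur.digest:
        events.append(("content_changed", cur.digest))
    if (prev.status == 200) != (cur.status == 200):
        events.append(("came_up" if cur.status == 200 else "went_down", cur.status))
    return events

def review(observations):  # -> (timeline, monitor_until, resurfaced)
    obs = sorted(observations, key=lambda o: o.seen_at)
    timeline, down_since, resurfaced = [], None, False
    for prev, cur in zip(obs, obs[1:]):
        for kind, detail in diff(prev, cur):
            timeline.append((cur.seen_at, kind, detail))
            if kind == "went_down":
                down_since = cur.seen_at
            elif kind == "came_up" and down_since is not None:
                resurfaced, down_since = True, None
    until = down_since + timedelta(days=POST_TAKEDOWN_DAYS) if down_since else None
    return timeline, until, resurfaced

# Constructed sample polls: documentation-range addresses, placeholder content.
T0 = datetime(2008, 1, 7, 9, 0)
SAMPLE = [
    Observation(T0, frozenset({"192.0.2.10"}), 200, b"<html>login v1</html>"),
    Observation(T0 + timedelta(hours=2), frozenset({"198.51.100.7"}), 200, b"<html>login v1</html>"),
    Observation(T0 + timedelta(hours=4), frozenset({"198.51.100.7"}), 200, b"<html>login v2</html>"),
    Observation(T0 + timedelta(hours=20), frozenset({"198.51.100.7"}), 0, b""),
]
```

If a later poll finds the site answering again, review() reports it as resurfaced and clears the monitoring end date, since the 100-day period only starts once the site is down again.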
For many credit unions, this type of end-to-end approach can be handled by an online threat protection specialist that can address all aspects of fraud protection and risk mitigation, from link checking and threat identification to response and remediation services.
Fighting phishing attacks and identity theft is an ongoing battle for credit unions, but it doesn't have to be a losing one. With the right processes and tools in place, credit unions can be extremely effective in protecting their assets, reputation, and members.