Switch And Bait: Scams Target The Smaller Fry

Perpetrators of phishing scams are moving from deep-sea expeditions to more-shallow waters. New research shows a rise in the number of phishing E-mails that attempt to hook customers of small and midsize banks and regional credit unions. Having seen the havoc these scams wreak on the clients of larger competitors, some smaller financial institutions are reacting quickly.

That includes Kevin Doyle, information security manager at Pennsylvania State Employees Credit Union, a regional credit union with $2.3 billion in assets. "Phishing was like a big tidal wave coming," says Doyle, "and we needed to get ahead of it." The company earlier this year subscribed to online security vendor Cyota Inc.'s Response service, which overwhelms phishing sites with hits so they become useless. The credit union has the option of a real-time upgrade to Cyota's FraudAction Service, which includes real-time detection of phishing and pharming attacks, blocking access to phishing sites, and shutting down fraudulent sites.

The security industry is calling the trend puddle phishing or boutique phishing. In May, there were 44 successful phishing attacks targeting clients of smaller and regional banks and credit unions, up from just seven in January, Cyota's Anti-Fraud Command Center reported last week. Security vendor Websense Inc. last week said it has seen more than 30 scams involving small credit unions since January, including one aiming at the membership of a credit union that serves White House staff. Fraudsters are using the same techniques to phish for smaller organizations' customers as they have in the past, including planting spyware that watches as customers log on to real Web-site accounts. "As the monetary gains increase, the sophistication will increase," predicts Dan Hubbard, senior director of security and research at Websense Security Labs.

The attacks on smaller institutions seem the natural outgrowth of the fact that clients of larger financial institutions, the traditional targets, have gotten wise to the practice, says Sam Tuohey, VP of technologies and E-commerce at Stanford Federal Credit Union, a not-for-profit with more than 40,000 members of the Stanford, Calif., community, including Stanford University, Stanford Hospital, Lucile Packard Children's Hospital, and the Stanford Linear Accelerator Center. To see if a scammer could zero in on his customers, Tuohey recently purchased a mailing list of 1.7 million college student and faculty E-mail addresses to see how many of the credit union's members might be found on it. About 5,000, or 0.2% of the list, were credit-union members.

Since then, the credit union has deployed a multilevel authentication scheme using software from security vendor PassMark Security Inc. that ensures E-mails sent to users include a question they pick and to which only they have the answer, a particular graphic image, and more. Customers know that E-mails that arrive purporting to be from the bank without those features should be trashed. "I don't think we've been the target of a boutique attack," a satisfied Tuohey says.

Internet service providers are tracking around 200 phishing attacks per day each, says Avivah Litan, a Gartner analyst. "Too many people think phishing was a fad that petered out by the end of last year," she says. The impact of the onslaught is going to be severe. Says Litan, "Customers are losing trust in online communications."