CUs, smaller institutions targeted as puddle phish

MADISON, Wis. (6/16/06)--Criminals using the phishing method of fraud are starting to phish in smaller "puddles," targeting credit unions and smaller and mid-sized banks, according to several sources.

Since January, a 633% increase in phishing attacks targeting credit unions, regional banks and small and mid-sized banks has been documented by the Anti-Fraud Command Center at Cyota Inc., an anti-fraud, anti-phishing software and services provider (Business Wire June 13). Cyota detected 22 fake e-mail messages claiming to be from credit unions and smaller banks in the 30 days preceding June 9, compared with a few during the months of January and February (American Banker June 15).

Websense Inc., an employee internet management solution provider based in San Diego, Calif., also notes that credit unions are among those being targeted more recently in what it calls "puddle phishing" (PR Newswire June 13). Websense Security Labs says it's seen more than 30 small credit unions attacked since January, including a credit union serving employees and staff at the White House.

"In the past, phishers focused on mainstream consumer websites with millions of users, but now the targets are becoming much smaller and more localized," said Dan Hubbard, senior director of security and technology research at Websense Inc. The number of prey is reduced to a few thousand people, but the increase in phish attacks on smaller targets indicates they are "a highly profitable scam."

Gartner research group also has clocked an increase to about 200 phish scams a day on telecom and Internet service providers (CMP TechWeb June 13). According to Gartner analyst Avivah Litan, many people thought phishing was passé, but it never stopped "because it's so easy to do and make money from."

"Now that some of the larger banks have implemented stronger security measures, phishing is definitely moving downstream," said Amir Orad, Cyota executive vice president, "and for the first time we've begun to see small to mid-sized banks getting attacked more frequently than larger banks."

The $2.264 billion asset Pennsylvania State Employees CU, located in Harrisburg, is implementing Cyota's FraudAction service to battle phishing and pharming. The service detects the attacks, helps identify the phishers, shuts down fraudulent web sites and can flood a fake website with false data to dilute the value of stolen personal information (Business Wire June 13).

"PSECU has a very large online community--more than half of our members have signed up for online account access, and about 12% of all members use online bill payment, so we are committed to maintaining, growing and protecting our online users," said Kevin Doyle, PSECU information security officer.

Data from the Anti-Phishing Working Group for April indicated that 845 of the brands phished were from the financial services sector (CMP TechWeb June 13).

Among recent phish attempts against credit unions were e-mails claiming to be from Kern Schools FCU, Bakersfield, Calif. (The Bakersfield Californian June 10); and The Credit Union at the University of Chicago (U-Wire June 9).

Credit unions received a wake up call about phishing when criminals impersonated the websites of the Credit Union National Association (CUNA) and the National Credit Union Administration.

According to Dorothy Steffens, CUNA vice president of web services, the CUNA site has been impersonated by at least three e-mails since February.

Educating members is still a key way for credit unions to fight phish and pharm attacks, according to TowerGroup Inc. and Celent Communications. Credit unions have advised members in newsletters and on their websites that they will never send an e-mail that solicits personal financial and account information.

print this story email this story
Resource Links
CUNA ID Theft Resources
Anti-Phishing Working Group
Resources to fight phishing fraud


More CU/System

Copyright © 2012 Credit Union National Association