ALEXANDRIA, Va. - NCUA has been advising credit unions to be wary of phishing attacks, but it may be the one that needs the most help. According to a number of credit unions, they are hearing from members who have come across a phishing attack involving NCUA. Last Tuesday NCUA put out a risk alert acknowledging these attacks.

"...over the last several weeks, so-called phishing perpetrators have expanded their schemes to mimic NCUA's web site, and target consumers by asking them to provide confidential information to purportedly verify account registration information or to maintain insurability of accounts," stated NCUA in the alert.

The alert led off by commending CUs for doing a good job of educating their members about phishing. NCUA had been advising CUs of phishing attacks on CUs, but now the attacks have the regulator playing its own phishing defense. NCUA said it is working with the FBI to investigate the attacks and bring those responsible to prosecution.

That can be easier said than done, according to one of the leading security firms that helps organizations deal with phishing, pharming and other online attacks. Amir Orad, EVP with Cyota, said one of the most efficient remedies is to work with the ISPs, who can take down a site immediately. "You don't have any worldwide jurisdiction, we work with the ISPs," said Orad. He said it's critical to be able to speak the ISP's language (Cyota has employees who speak 15 languages and resources for other languages) and to make the ISP understand that the phishing attack may have included a copyright violation. He said ISPs are faster to act if a copyright violation has occurred. He recalled an attack on State Employees CU of N.C. that had SECU working for five days on taking down the site - Cyota helped shut it down in less than an hour through an ISP contact. "It helps to know people at the ISPs. In some cases it requires evidence showing it's a real attack," said Orad.
He said Cyota also goes the legal route, in which electronic forensics is very important, but the ISPs can provide faster relief. In addition to taking down a site they host, ISPs can also put blocks on spoofed sites for their customers. AOL, for example, can block all of its users from getting access to a spoofed site. Cyota has relationships with two of the largest ISPs, AOL and Earthlink.

In its risk alert, NCUA reminded CUs that a phishing brochure informing members about the dangers of phishing is available for download at NCUA's site (www.ncua.gov). NCUA said CUs can use the brochure in mailings to members.

Orad believes the attacks against CUs will continue. "It's getting more widespread. There's been a migration from attacks on the large commercial banks to regional banks and credit unions," said Orad. (See chart for increase in attacks.)

So what should CUs be doing? Orad said protecting against phishing runs contrary to the philosophy many credit union IT security professionals have been using to protect their systems. It's no longer good enough to tighten up the CU's internal systems; CUs must look outside their systems. Cyota scans the net around the clock, examining billions of e-mails from its ISP partners and looking for suspicious e-mails specific to financial institutions and phishing. Once it identifies a credible attack, it works to shut it down no matter what time zone or what time of day it is. "For each attack we do forensic work to try and uncover some of the stolen data, as evidence that we can use in court. The reason that is so important is sometimes to get law enforcement to engage you need to show them it is a severe attack," said Orad. Cyota has helped shut down sites in 65 countries.

Orad said one of the best defenses CUs can implement is something Cyota calls risk-based authentication. In other words, change the level of authentication for a member based on the risk of the transaction.
"If we see a transaction coming from Italy and you've never been to Italy, we'll want to call the consumer in real time to confirm they are trying to do a transaction online," said Orad. Other techniques include having a question pop up that asks the member the model of their first car, for example.

However, Orad said there is a very fine line credit unions have to walk with phishing. If they are constantly telling members to be wary of phishing, especially when using the CU's systems, it could turn some members off from using online services altogether. The same goes for risk-based authentication. "One option would be to call everyone, but if you make it too secure, members might not think it's worth it," said Orad.

Orad said that based on Cyota's experience, about every six months the bad guys come up with new techniques for phishing and online fraud. He said phishing is a volume game because about 2 to 3% of people who get phished fall victim to it.

Cyota, based in New York, has 120 employees and serves large banks such as Bank of America, Chase and others. It also has a growing list of large CU clients, many of which the company cannot yet announce. It does serve the tech-savvy Pennsylvania State Employees CU with anti-phishing services. At press time, NCUA said it has yet to contract with a third party to help fight phishing.
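The risk-based authentication Orad describes, as an added illustration that is not Cyota's product or any code from the article: a transaction is scored against what the member has done before (familiar countries, largest prior transfer, known payees), and the score decides whether a password alone, a challenge question, or a real-time phone call is required. The member profile, weights and thresholds are constructed for the example; in practice they would be tuned so that routine activity clears with a password only, which is the "fine line" the article warns about.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class MemberProfile:
    member_id: str
    known_countries: frozenset   # countries seen in previously confirmed logins
    largest_prior_amount: float  # biggest transfer the member has made before

@dataclass(frozen=True)
class Transaction:
    country: str      # country geolocated from the session's source address
    amount: float
    new_payee: bool   # first transfer to this destination account

# Hypothetical weights: each signal adds to a risk score and records a reason
# that an analyst (or the member on the phone) can be shown.
def risk_score(profile: MemberProfile, txn: Transaction) -> tuple[int, list[str]]:
    score, reasons = 0, []
    if txn.country not in profile.known_countries:
        score += 50
        reasons.append("unfamiliar_country")   # the "never been to Italy" case
    if txn.amount > 2 * profile.largest_prior_amount:
        score += 30
        reasons.append("amount_far_above_history")
    if txn.new_payee:
        score += 20
        reasons.append("new_payee")
    return score, reasons

def required_step_up(score: int) -> str:
    # Authentication escalates with risk; "phone_call" is the real-time
    # confirmation the article describes, used only for the riskiest cases.
    if score >= 50:
        return "phone_call"
    if score >= 20:
        return "challenge_question"   # e.g. "model of your first car"
    return "password_only"

def decide(profile: MemberProfile, txn: Transaction) -> tuple[str, list[str]]:
    score, reasons = risk_score(profile, txn)
    return required_step_up(score), reasons

# Constructed sample member: only ever seen from the US, largest transfer $500.
SAMPLE_MEMBER = MemberProfile("m-1001", frozenset({"US"}), 500.0)

if __name__ == "__main__":
    for txn in (Transaction("US", 120.0, False),
                Transaction("US", 250.0, True),
                Transaction("IT", 200.0, False)):
        print(txn.country, txn.amount, decide(SAMPLE_MEMBER, txn))
```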
