ALEXANDRIA, Va. - NCUA has been advising credit unions to be wary of phishing attacks, however it may be the one that needs the most help. According to a number of credit unions, they are hearing from members who have come across a phishing attack involving NCUA.

Last Tuesday NCUA put out a risk alert acknowledging these attacks. "...over the last several weeks, so-called phishing perpetrators have expanded their schemes to mimic NCUA's web site, and target consumers by asking them to provide confidential information to purportedly verify account registration information or to maintain insurability of accounts," stated NCUA in the alert. The alert led off by commending CUs for doing a good job on educating their members about phishing. NCUA had been advising CUs of phishing attacks on CUs, but now the attacks have the regulator playing its own phishing defense.

NCUA said it is working with the FBI to investigate the attacks and bring those responsible to prosecution. That can be easier said than done, according to one of the leading security firms that helps organizations deal with phishing, pharming and other online attacks. Amir Orad, EVP with Cyota, said one of the most efficient remedies is to work with the ISPs, who can take down a site immediately. "You don't have any worldwide jurisdiction, we work with the ISPs," said Orad.

He said it's critical that you are able to speak the ISP's language (Cyota has employees that speak 15 languages and resources to other languages) and make the ISP understand that the phishing attack may have included a copyright violation. He said ISPs are faster to act if a copyright violation has occurred. He recalled an attack on State Employees CU of N.C. that had SECU working for five days on taking down the site - Cyota helped shut it down in less than an hour through an ISP contact. "It helps to know people at the ISPs. In some cases it requires evidence showing it's a real attack," said Orad.
He said Cyota also goes the legal route in which electronic forensics is very important, but the ISPs can provide faster relief. In addition to taking down a site they host, ISPs can also put blocks on spoofed sites for their customers. So AOL for example can block all of its users from getting access to a spoofed site. Cyota has relationships with two of the largest ISPs, AOL and Earthlink.

In its risk alert, NCUA reminded CUs of the availability of a phishing brochure available for download at NCUA's site (www.ncua.gov) that informs members about the dangers of phishing. NCUA said CUs can use the brochure in mailings to members.

Orad believes the attacks against CUs will continue. "It's getting more widespread. There's been a migration from attacks on the large commercial banks to regional banks and credit unions," said Orad. (See chart for increase in attacks.)

So what should CUs be doing? Orad said protecting against phishing runs contrary to the philosophy many credit union IT security professionals have been using to protect their systems. Orad said it's no longer good enough to tighten up the CU's internal systems, CUs must look outside their systems. Cyota scans the net all day, scanning billions of e-mails from its ISP partners, looking for suspicious e-mails specific to financial institutions and phishing. Once it identifies a credible attack, it works to shut it down no matter what time zone or what time of day it is. "For each attack we do forensic work to try and uncover some of the stolen data, as evidence that we can use in court. The reason that is so important is sometimes to get law enforcement to engage you need to show them it is a severe attack," said Orad. Cyota has helped shut down sites in 65 countries.

Orad said one of the best defenses CUs can implement is something Cyota calls risk-based authentication. In other words, change the level of authentication for a member based on the risk of the transaction.
"If we see a transaction coming from Italy and you've never been to Italy, we'll want to call the consumer in real time to confirm they are trying to do a transaction online," said Orad. Other techniques include having a question pop up that asks the member the model of the first car, for example.

However, Orad said there is a very fine line credit unions have to walk with phishing. If they are constantly telling members to be wary of phishing, especially when using the CU's systems, it could turn off some members from using online services altogether. That same philosophy goes for the risk-based authentication. "One option would be to call everyone, but if you make it too secure, members might not think it's worth it," said Orad.

Orad said based on Cyota's experience, about every six months the bad guys come up with new techniques for phishing and online fraud. He said phishing is a volume game because about 2 to 3% of people that get phished fall victim to it.

Cyota, based in New York, has 120 employees and serves large banks such as Bank of America, Chase and others. It also has a growing list of large CU clients, many of which the company can not yet announce. It does serve the tech-savvy Pennsylvania State Employees CU with anti-phishing services. At press time, NCUA said it has yet to contract with a third party to help fight [email protected]
