WEST PALM BEACH, Fla. – As e-mail and instant messaging become more pervasive credit-union communication tools, so, too, have concerns for securing electronic transmissions between the credit union and its members and business partners. Credit unions have become popular phishing targets, proving phishers don't just target the largest institutions.

“Phishing attempts have been wildly successful at larger banks,” said Joel Smith, CTO of AppRiver, an e-mail security service company in Gulf Breeze, Fla. “They snare quite a few victims. Now phishers are turning their sights on the credit unions and smaller regional banks. Now what we're seeing is they're targeting a large employer in an area – say, a government employer or large company – and then try to get those e-mail addresses from that employer – say, search for them on the Web site – and go out and impersonate that employer's credit union.”

Smith sees such phishing schemes as brand theft, pure and simple. With tax season almost here, he said, “The next big thing – we're starting to see it now – is IRS impersonation.”

A number of security industry professionals take the Occam's Razor approach to e-mail security, saying that the most effective first step is also the simplest: have a clear policy on what the credit union will and will not put in an e-mail and then educate employees and members.

“Policies have been implemented and changed to reduce or eliminate marketing e-mails, to stay away from heavily graphical e-mails that look marketing related,” said Kelly Dowell, executive director of the Credit Union Information Security Professionals Association in Austin, Texas. “A lot are sticking to strictly text. They're not asking for information. It's more informative. If there is any confidential information they need or that they need to share, a lot of them have started to put that on the member's account within the Web banking site and direct the member by e-mail to that.”

Smith also recommends publishing a sender policy framework, where the credit union lists the servers allowed to send e-mail on its behalf.

Still, human fallibility needs to be taken into account, said Tom Giangreco, information security officer, Orange County Teachers Federal Credit Union, Tustin, Calif., which has more than 308,500 members. For that, the answer is a network monitoring product designed to audit network traffic.

“We're using a product from Intrusion called Compliance Commander,” Giangreco said. “It monitors all our traffic leaving over the Internet, e-mail or any form. It looks for actual member data, a member Social Security number, not just something that looks like a Social Security number. It then alerts us and we can take appropriate action.”

The Intrusion system is just one of several levels in Orange County Teachers' security plan. Another critical component is an external e-mail security service.

“We have gotten e-mail viruses where the e-mail pretends to come from our internal administrators or from our management going to our members informing them of something or other and they have to click on some link,” said Giangreco. “We've managed to filter most of that out. We use Postini, a third-party e-mail handler. All the e-mail that comes to us actually goes to them first. They filter it for spam and viruses. They block close to 100,000 e-mails a month. We, of course, continue to filter it and check for viruses as well at a couple of different levels. But they're our first level of defense. We've escaped any kind of infection at this point. I'm a strong believer in multiple layers of defense.”

An area still to be addressed in many credit unions is instant messaging, in part because it still tends to be done through consumer-grade services such as AOL, MSN, and Yahoo, with little oversight from the IT staff.

“Those tools, while they are very useful, represent a potential breach of security, because they don't have any native security built into them,” said Michael Osterman, president of Osterman Research and an analyst who tracks electronic messaging. “Credit unions either have to lock down the use of instant messaging or provide capabilities that will allow that messaging to be sent securely.”

There also are concerns with auditing, logging, and archiving, particularly if credit union services extend into areas that require preservation of communications. Namespace control also figures in: a business needs to control the screen name an employee uses and needs to be able to cut off use of that screen name should the employee leave.

There are two solutions. One is to add capabilities to the network to monitor and, when necessary, intercept traffic. The second is to deploy an enterprise-grade instant messaging system, such as Lotus Sametime or Novell GroupWise Messenger.

Still, there are instances when a credit union needs to transmit confidential data – for example, to third-party vendors.

“We're working on that now,” said Giangreco. “We're looking at encrypted e-mail applications. You can't just tell people that they can't communicate anymore. You have to have some alternative. Encrypted applications are starting to come online a little more and are becoming more user friendly and transparent.”

All the battening down may prove to be a deterrent, according to Osterman.

“I think things are looking up a bit,” he said. “In July of 2004 spam hit as high as 95% of all e-mail. Now it represents on the order of 70%. Viruses are still as bad a problem as they always have been, though we haven't had any major outbreaks in the last few months. But that could always change.”
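
The difference Giangreco describes, between actual member data and a string that merely looks like a Social Security number, can be illustrated with exact-data matching on outbound text. The following is an added example, not part of the original article and not a description of how Compliance Commander works; the keyed-hash index, the key, the function names and all sample SSNs and messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data: fictitious member SSNs (area numbers 900-999 are not assigned as SSNs).
MEMBER_SSNS = ["900-12-3456", "911-45-6789"]
FINGERPRINT_KEY = b"example-key-held-by-the-monitor"  # assumption: secret kept on the monitoring host

# Nine digits with optional dash/space separators, not embedded in a longer digit run.
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def fingerprint(digits: str) -> bytes:
    """Keyed hash so the monitor never stores member SSNs in the clear."""
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).digest()


def build_index(ssns):
    """Fingerprint every real member SSN once, normalised to nine digits."""
    return {fingerprint(re.sub(r"\D", "", s)) for s in ssns}


def scan_outbound(text: str, index) -> dict:
    """Split SSN-shaped strings into confirmed member data and mere look-alikes."""
    result = {"member_data": [], "lookalike": []}
    for m in SSN_SHAPE.finditer(text):
        digits = "".join(m.groups())
        masked = "***-**-" + digits[-4:]  # never echo the full number into an alert
        bucket = "member_data" if fingerprint(digits) in index else "lookalike"
        result[bucket].append(masked)
    return result


def should_alert(text: str, index) -> bool:
    """Alert only when a real member SSN is leaving, not on every nine-digit string."""
    return bool(scan_outbound(text, index)["member_data"])


# Constructed outbound messages.
INDEX = build_index(MEMBER_SSNS)
MESSAGES = [
    "Per your request, the member's SSN is 900 12 3456.",
    "Order ref 123-45-6789 ships Tuesday.",
    "Batch 911456789 and 9114567890 attached.",
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(should_alert(msg, INDEX), scan_outbound(msg, INDEX))
```

A pattern-only filter would flag all three messages; matching against the fingerprint index alerts on the first and third only, and the ten-digit run in the third is ignored because it is not SSN-shaped.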
