California CU's Proactive Approach to Combat Phishing
By Roy Urrico
Hackers continue to find ways to outsmart companies in all industries. One of the ways they attempt to infiltrate financial databases is through phishing emails. Given this year’s COVID-19 challenges, it has become especially important for credit unions to protect themselves from phishing attacks by educating staff to recognize how fraudsters unleash these scams.
The $2.7 billion Santa Ana, Calif.-based Orange County’s Credit Union acknowledged this problem and implemented a training system for their associates so every team knew about phishing and understood how to respond to the attacks. This method has proven successful, and, according to the credit union, not only decreased their internal failure rate by over 2%, but put them well below the industry failure standard.
“Today, one of the most important ways to combat phishing is through training. Hackers understand that people are the easiest way to get into a network. So, at Orange County’s Credit Union we have a comprehensive associate security training program,” said Kevin Hill, an information security expert at Orange County’s Credit Union.
Hill shed light on what steps the Orange County’s Credit Union team took to combat phishing emails, tips on how to train associates to spot phishing emails and other cybersecurity measures that credit unions need to implement.
Phishing attacks use social engineering tactics in emails and SMS messages to convince people to click on links and attachments, which direct the unsuspecting recipients to a bogus website or download malware onto their device. The fraudsters seek personal or business information such as passwords or financial information, or bait the phishing victims into executing specific tasks such as downloading malware or completing a wire transfer. In addition, spear phishing schemes, which target specific individuals, organizations or businesses, continue to evolve into more sophisticated attacks that pose a danger.
The threats are very real:
· In late March, the FBI’s Internet Crime Complaint Center (IC3) warned of a series of phishing attacks delivering spam using fake government economic stimulus checks as a lure to steal personal information from victims. Then in April, the IC3 issued a public service announcement about attacks exploiting the increased usage of online communication platforms for remote working and distance learning. The FBI mentioned over 1,200 complaints related to COVID-19 scams received and reviewed in less than a month, with threat actors engaging in phishing campaigns to launch distributed denial of service attacks and deploy ransomware and other malware.
· According to the Anti-Phishing Working Group’s Phishing Activity Trends Report for the second quarter of 2020, the first half of the year saw 146,994 reported phishing attacks. Although this is an 11% reduction from 2019, which had 165,772 attacks in the same period, it is still among the highest figures seen in recent years.
· In July 2020, risk solution provider Kroll detected a 22% upsurge in attacks targeting the financial services sector based on its incident response cases. Business email compromise (BEC), fraud and ransomware — all often aided by phishing schemes — were the top three threats impacting the industry, and Kroll witnessed the number of incidents steadily rise amidst the COVID-19 crisis.
Orange County’s Credit Union takes a layered security approach to protect member information, associates and systems, and to prevent any gaps or flaws in the process. “Some of those layers consist of an email filtering system, an anti-malware system, and a monitoring system that looks for application, user, and network behavior that is out of the ordinary or destined for known malicious sites,” Hill said. He indicated the credit union has many other controls in place, but in the interest of members’ security, he did not go into more detail.
Training to Avoid Problems
As part of the team’s training program, they regularly conduct phishing email tests mimicking real situations and teach associates how to spot them.
Hill provided guidance to other organizations based on Orange County’s Credit Union’s experience. “Test often and use real world examples for the tests. If associates fail to recognize the phishing email, then it directs them to a training page that walks them through how to spot phishing emails.” He added, “This method keeps the training material fresh, shows real world examples of phishing emails, and holds them accountable for learning the material.”
Accountability is a key component, Hill noted, and can be achieved by linking test results to performance reviews in a constructive way. He also advised against underestimating team members. “If you are using a system or vendor to test, turn up the difficulty and the results may surprise you. It may take a week or two for them to adjust, but they will start to pick up on the clues pretty quick.”
Hill also suggested credit unions set up a method for associates to report potential phishing emails. “This may require more effort on the part of the security team but gives another one-on-one opportunity to teach the team how to spot phishing emails.” An additional benefit is that reported emails can act as an early warning system for spear phishing campaigns.
“Talk to them regularly and in a variety of ways – in-person meetings, email updates and talking to them one-on-one. As you monitor for threats and come across issues, reach out to confirm details, even if you already know what happened,” Hill maintained. This approach encourages associates to be involved in the process, creates an opportunity for training, and lets them know that they are a critical part of the security team.
“Orange County’s Credit Union has integrated many aspects of our technology and security ecosystem in a way that allows us to understand risk throughout the environment and address current and potential threats,” Hill said. In addition, the credit union’s system integrations have helped the credit union become more efficient in its daily security operations (SecOps) tasks, which frees up resources to make improvements to the overall security program.