Security Case: Washington Mutual Gets a Line on Phishing

By Deborah Gage Print this article Print

Washington Mutual installed stringent measures to combat phishers at the bank. Here, WaMu's information security chief offers 5 tips to help deal with the problem.

Two years ago, Washington Mutual says, it was a popular target of phishers—scam artists who send e-mails to the Seattle-based bank's customers to entice them to give up their account information online. But now, according to the bank, a series of new security measures are giving phishers less of a return, and their numbers have declined.

Dave Cullinane, WaMu's chief information security officer, says that for the last two years the bank has been working hard to fight phishers' work, and he vows that WaMu won't let up.

Phishing overall is up dramatically, according to a couple of recent reports. Symantec's Internet Threat Center reports an 81% increase in unique phishing messages in the first half of 2006 compared to 2005; the Association for

Payment Clearing Services reports a sixteenfold increase in phishing incidents.

Thieves keep getting more sophisticated in how they design e-mails and how quickly they can break security, Cullinane says. Customers don't read e-mails carefully before they click on links, yet security breaches upset them. He figures that each customer who leaves WaMu after a breach or even the perception of a breach costs the bank about $650 in lost revenue.

So, WaMu took several steps to improve its own security, change the way it worked with customers, and share information with law enforcement and the financial services industry so that phishers would be less successful. Here is his advice for other chief security officers on how to fight phishing, based on his own experience, which he shared at a recent symposium on identity theft in San Francisco.

Base your hardware and software on standard security controls approved by the National Institute of Standards and Technology (NIST). These make it easier to use new automated scanning tools, from vendors such as Qualys, that test for those standards and can tell you quickly if you have new exploits or unpatched old ones.

Share information. Cullinane keeps in touch with several industry groups—the Anti-Phishing Working Group, the Identity Theft Technology Council, BITS Financial Services Roundtable, and the Alliance for Enterprise Security Risk Management, among others—for news and trends. He serves as international president of the Information Systems Security Association (ISSA).

Make sure you're rewarding the right behavior on your staff. When Cullinane arrived at WaMu, he thought it odd that four business units reported insecure systems during a bank audit. He found that workers were fired for missing project deadlines but not for skimping on security to meet those deadlines. That's no longer true. WaMu revised its software development life cycle so that gateways for security were included from the beginning, not when the auditors happened to find out they were missing. Security is now a bankwide concern.

Learn to work with law enforcement. (In WaMu's case, that's the state of Washington's Attorney General and the local Secret Service office, where banks are supposed to report incidents before they call the FBI.) Law enforcement is reluctant to help companies if losses are below a certain dollar amount, Cullinane says, so help them group incidents and discover patterns so they can solve more crimes and raise the risk of theft. Make sure members of both your information-technology team and your fraud team (who may not be technically savvy) are involved.

Don't make your customers feel bad when they fall for phishing scams. They are already embarrassed and may be reluctant to talk about it. WaMu employees will call customers if it looks like they've been phished, and are trained to gently elicit information and put fraud watch controls on their accounts. An internal phishing Web site gives all employees, from the CEO on down, the information they need to answer questions about scams.

As Cullinane puts it: "We wanted to make customers feel more comfortable."

This article was originally published on 2006-12-21
Senior Writer
Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.

eWeek eWeek

Have the latest technology news and resources emailed to you everyday.