Security Case: Washington Mutual Gets a Line on Phishing

Two years ago, Washington Mutual says, it was a popular target of phishers—scam artists who send e-mails to the Seattle-based bank’s customers to entice them to give up their account information online. But now, according to the bank, a series of new security measures are giving phishers less of a return, and their numbers have declined.

Dave Cullinane, WaMu’s chief information security officer, says that for the last two years the bank has been working hard to fight phishers’ work, and he vows that WaMu won’t let up.

Phishing overall is up dramatically, according to a couple of recent reports. Symantec’s Internet Threat Center reports an 81% increase in unique phishing messages in the first half of 2006 compared to 2005; the Association for Payment Clearing Services reports a sixteenfold increase in phishing incidents.

Thieves keep getting more sophisticated in how they design e-mails and how quickly they can break security, Cullinane says. Customers don’t read e-mails carefully before they click on links, yet security breaches upset them. He figures that each customer who leaves WaMu after a breach or even the perception of a breach costs the bank about $650 in lost revenue.

So, WaMu took several steps to improve its own security, change the way it worked with customers, and share information with law enforcement and the financial services industry so that phishers would be less successful. Here is his advice for other chief security officers on how to fight phishing, based on his own experience, which he shared at a recent symposium on identity theft in San Francisco.

Base your hardware and software on standard security controls approved by the National Institute of Standards and Technology (NIST). These make it easier to use new automated scanning tools, from vendors such as Qualys, that test for those standards and can tell you quickly if you have new exploits or unpatched old ones.

Share information. Cullinane keeps in touch with several industry groups—the Anti-Phishing Working Group, the Identity Theft Technology Council, BITS Financial Services Roundtable, and the Alliance for Enterprise Security Risk Management, among others—for news and trends. He serves as international president of the Information Systems Security Association (ISSA).

Make sure you’re rewarding the right behavior on your staff. When Cullinane arrived at WaMu, he thought it odd that four business units reported insecure systems during a bank audit. He found that workers were fired for missing project deadlines but not for skimping on security to meet those deadlines. That’s no longer true. WaMu revised its software development life cycle so that gateways for security were included from the beginning, not when the auditors happened to find out they were missing. Security is now a bankwide concern.

Learn to work with law enforcement. (In WaMu’s case, that’s the state of Washington’s Attorney General and the local Secret Service office, where banks are supposed to report incidents before they call the FBI.) Law enforcement is reluctant to help companies if losses are below a certain dollar amount, Cullinane says, so help them group incidents and discover patterns so they can solve more crimes and raise the risk of theft. Make sure members of both your information-technology team and your fraud team (who may not be technically savvy) are involved.

Don’t make your customers feel bad when they fall for phishing scams. They are already embarrassed and may be reluctant to talk about it. WaMu employees will call customers if it looks like they’ve been phished, and are trained to gently elicit information and put fraud watch controls on their accounts. An internal phishing Web site gives all employees, from the CEO on down, the information they need to answer questions about scams.

As Cullinane puts it: “We wanted to make customers feel more comfortable.”