infoTECH Feature

July 21, 2008

On the Front Line

Few security professionals, if any, would dispute that organizations are in a constant battle, defending their information systems from attack. The number of new computer system threats increased by nearly 570% from those identified in 2006. According to one 2007 computer security study, the average annual loss reported by U.S. companies increased by nearly 210% to $350,424 (per event) in 2007. The top three primary sources of loss were financial fraud, losses due to computer viruses, and system penetration by outsiders. About 20% of the companies reporting security incidents said they had fallen victim to targeted malware attacks. If that is not bad enough, nearly 1.2 million different pieces of malware have been identified and reside in the malware repository. Malware is the general term computer professionals use for a variety of forms of hostile, destructive, intrusive, or annoying software. The bad news is that malware is just one of the many threats to computers, systems and networks.
 
Phishing e-mails are another type of computer attack. While it is an indirect attack, phishing is perhaps the most prevalent security threat we face today. Financial services companies remain the most frequent targets of phishing schemes. The volume of junk e-mail (phishing, spam, virus, fraud, directory harvest, and denial of service e-mail) is now at the highest level in history. According to multiple reports, junk e-mail now accounts for nearly 97 percent of all e-mail traffic.
 
FACT: In the first 12 hours of July 1st, 2008 there were 36 new phishing schemes identified.
 
Phishing schemes are getting better all the time, and the sophistication and relevance of the attacks continue to shock and amaze security professionals. The perpetrators analyze human behavior and hit their targets at precisely the right moment, maximizing their chances of success. In a recent phishing attack it became evident that our call center personnel need training to better recognize phishing attacks and escalate the calls so that the schemes are caught early on.
 
Losses attributed to phishing schemes are on the rise. Between 2005 and 2006 losses quintupled to more than $2.8 billion, with an average loss of $1,244 per victim. Adults with incomes above $100,000 lost on average $4,362, almost four times as much as other victims. Those numbers continue to climb, and estimates for 2008 suggest the average loss is now near $3,100 and, for high net worth individuals, exceeds $6,800 per victim. What is not accounted for in these numbers is the loss of customers due to frustration and the damage to the brand of the organization being spoofed.
 
FACT: In the month of June, Technolytics identified 71 phishing e-mails in one user’s account.
 
Summary Case Study — On Tue 06/24/2008 03:32 pm an individual received an e-mail from a company they had done business with for over five years. The e-mail is copied below (names and the web address are redacted).
 
Dear XXX XXXXXX,
We have noticed that the card used for the automatic payment of your account is about to expire.
 
Please log on to our web site at http://xxxxx.com to update your AutoPay card information. You may also select another recurring payment option, such as “Automatic Bank Account Debit” which enables your bill to be paid automatically from your checking or savings account each month.
 
We encourage you to visit our Web site frequently to view monthly statements and to make changes to your account. Thank you for allowing XXXXXX to serve your needs.
 
Sincerely,
XXXXXX
 
The intended victim recognized that the credit card used on the account was not due to expire for another year. We called the company being spoofed and, after several minutes of waiting on hold, talked to the first customer service representative. After about three minutes, the CSR could not determine whether or why an AutoPay e-mail had been sent. The CSR attempted to brush it off as just an error that had occurred. At our direction the account holder requested to speak to a supervisor. After another four minutes on hold the supervisor came on the line. The situation was reviewed and we instructed the account holder to tell the supervisor to check with security, as this looked like a phishing e-mail scam. The supervisor agreed to do so. Two days later the supervisor called back, asked the account holder to send the e-mail they had received to the company's security operations center, and provided the e-mail address. The supervisor went on to say that security had told her it sounded like a phishing/fraud scheme and to get all the information she could and forward it to security. The time from the first call until the e-mail was requested was 57 hours.
 
Three critical lessons came out of this event. First, if the account holder had not pushed the issue, security would never have been alerted to the event. Second, the time from identification to when security got the information (57 hours) created the potential for an incalculable number of account holders to fall victim to the scheme. The third and most important lesson was that call center staff are on the front line when it comes to early detection and intervention in phishing attacks that are impacting their customers. We conducted a rapid assessment of this issue with call center management and were unable to find that any of the call center staff had been trained on security or, more specifically, on phishing attacks.
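The case study turns on two things a front-line CSR could have checked in minutes: the indicators inside the message itself (where its link and reply address actually point, the urgency, the request for card data) and the contradiction between the message and what the CSR sees on the account (the card was not due to expire for another year). The following triage script is an added illustration, not code from the article or from Technolytics; the e-mail text, the `example.com` and `example-billing-verify.net` domains, and the `card_expires_in_months` account field are all constructed placeholders, and the two-indicator escalation threshold is an assumed policy. It shows how a reported message could be screened and handed to security on the first call rather than 57 hours later.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample modelled on the AutoPay message quoted in the article.
# All domains are placeholders; example.com stands for the spoofed company.
SAMPLE_EMAIL = """\
From: "Example Billing" <billing@example.com>
Reply-To: autopay-update@example-billing-verify.net
Subject: Your AutoPay card is about to expire
Content-Type: text/plain

Dear Customer,
We have noticed that the card used for the automatic payment of your account is about to expire.

Please log on to our web site at http://example-billing-verify.net/autopay to update your AutoPay card information.

Sincerely,
Example Billing
"""

# Constructed control message with no phishing indicators.
BENIGN_EMAIL = """\
From: "Example Billing" <billing@example.com>
Subject: Your June statement is available
Content-Type: text/plain

Your statement for June is available at https://www.example.com/statements.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_PHRASES = ("about to expire", "immediately", "suspended", "within 24 hours")
REQUEST_PHRASES = ("update your", "card information", "log on to", "password")


@dataclass
class TriageResult:
    sender_domain: str
    reply_to_domain: Optional[str]
    link_domains: List[str]
    indicators: List[str] = field(default_factory=list)

    @property
    def escalate(self) -> bool:
        # Assumed policy: two or more independent indicators means hand the
        # report to security on the first call, not after a call-back.
        return len(self.indicators) >= 2


def _domain_of_address(addr: str) -> str:
    """Mailbox domain from a header value such as '"Name" <user@host>'."""
    m = re.search(r"<([^>]+)>", addr)
    mailbox = m.group(1) if m else addr
    return mailbox.rsplit("@", 1)[-1].strip().lower()


def _registrable(host: str) -> str:
    """Last two DNS labels; a crude stand-in for a public-suffix lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_email(raw: str, account_context: Dict[str, int]) -> TriageResult:
    """Score a customer-reported e-mail against simple phishing indicators.

    account_context carries what the CSR can see on the account, e.g.
    {"card_expires_in_months": 12}. In the article the card was not due to
    expire for another year, which contradicts the message outright.
    """
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = body.lower()

    sender_domain = _domain_of_address(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    reply_to_domain = _domain_of_address(reply_to) if reply_to else None
    link_domains = [urlparse(u).netloc.lower() for u in URL_RE.findall(body)]

    result = TriageResult(sender_domain, reply_to_domain, link_domains)

    # Replies routed to a domain other than the apparent sender's.
    if reply_to_domain and _registrable(reply_to_domain) != _registrable(sender_domain):
        result.indicators.append(
            f"Reply-To domain {reply_to_domain} differs from sender domain {sender_domain}")
    # Links that lead somewhere other than the apparent sender's site.
    for host in link_domains:
        if _registrable(host) != _registrable(sender_domain):
            result.indicators.append(
                f"link domain {host} does not match sender domain {sender_domain}")
    if any(p in text for p in URGENCY_PHRASES):
        result.indicators.append("urgency language")
    if any(p in text for p in REQUEST_PHRASES):
        result.indicators.append("asks the customer to supply or update payment/credential data")
    # The check only the company can make: does the claim match the account?
    if "expire" in text and account_context.get("card_expires_in_months", 0) > 3:
        result.indicators.append("claims imminent card expiry but account shows no expiry within 3 months")
    return result


if __name__ == "__main__":
    for name, raw in (("reported", SAMPLE_EMAIL), ("control", BENIGN_EMAIL)):
        r = triage_email(raw, {"card_expires_in_months": 12})
        print(name, "escalate:", r.escalate)
        for i in r.indicators:
            print("  -", i)
```

The domain comparison is the part worth keeping even if the phrase lists are thrown away: phrase matching is easy for a sender to rewrite around, whereas a link or Reply-To pointing outside the company's own domain, and a claim the account record contradicts, are facts the CSR can verify on the spot.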
 
There are an estimated 50,000 call centers in the United States employing over 2.5 million people, and the global marketplace is huge. Educating customer service representatives in security in general, and in phishing attacks in particular, is now a critical component of enterprise risk management. Failure to address security training for call center staff will allow the financial losses to continue and the number of customers leaving because of phishing attacks to keep rising. In retrospect, we have not learned much since the two and one half year "phone phreaking / hacking" spree of Kevin Mitnick a decade ago. Security is as much about people as it is about technology. It is high time we invest in the people side of security and update our people's knowledge and security awareness.
 
-----
Kevin G. Coleman is a Certified Management Consultant and Strategic Advisor with the Technolytics Institute. For more articles by this author, please visit his columnist page.
 