The lab referred to the hack as a "sophisticated" attack, similar to the advanced persistent threat that in March hit RSA. Fifty-seven employees reportedly fell victim.
The lesson here: Spear phishing is quickly emerging as one of the cyberworld's greatest threats. On the heels of the highly publicized Epsilon e-mail breach, which is known to have affected more than 100 companies and brands, the Oak Ridge incident proves e-mail security risks far exceed what most industries are prepared to handle, says Neal O'Farrell, executive director of the Identity Theft Council, a grassroots support network for victims of identity theft. The council, established in late 2010, comprises a national network of partnerships between local law enforcement, financial institutions, businesses and volunteers.

"I got calls from a number of credit unions after the Oak Ridge incident asking for my advice," O'Farrell says. "They obviously have not been affected by the breach, but with so many breaches coming to light, they have concerns about their own security and the security of their members."

And the concern is real, O'Farrell says. "We have to acknowledge that no amount of technology is going to solve this problem," he says. "We really have to get back to the notion that consumers have to be vigilant before they click on a link. After you click, it's too late."
Practice What Is Preached

Customer awareness is the best line of defense. Many institutions talk about education, but don't do it, O'Farrell says. "Most don't send out tips, a letter, a piece of advice, anything," he says. "The phishing only works if the consumer participates; they have to click on something; they have to open something. So, based on that assumption, shouldn't we be doing more to educate them?"
The link between identity theft and phishing attacks is concerning, and should make consumer education more of a priority. In fact, the Federal Financial Institutions Examination Council, in the draft of its new online authentication guidance, includes specific recommendations for more customer and member education efforts. "Most of the phishing I've seen recently has been focused on credential ID theft, since it's the most profitable. That should be concerning to financial institutions."
ID theft is the primary reason for any phishing attack, especially a targeted attack. More education about ID theft and precautions consumers should take is not a banking institution's obligation, O'Farrell says. But institutions have an opportunity to improve their relationship with consumers by offering advice.
Besides, banking institutions are poised to fill a void, since consumer education and support after incidents of ID theft is lacking, O'Farrell says. "Victims have been abandoned by law enforcement and financial institutions, and we see that many consumers are not educated," he says. "They are carrying their Social Security cards in their wallets, they use 'password' as a password for online banking. It's really a problem."
Some institutions are using phishing and ID theft education as a way to better connect with customers and members - an effort O'Farrell and his council encourage. He says credit unions have historically done better jobs than banks when it comes to connecting with members about the link between phishing attacks and ID theft.
"In the last couple of years, I've seen credit unions doing more to educate their members about phishing attacks," he says. "I see it more on the credit union side than the bank side. I think credit unions have realized that security can be a competitive advantage for them, and they are increasingly turning toward security as a marketing tool."