Financial Institutions: Fight Back Against Unwanted Email
Financial institutions receive email from a wide variety of sources, and like other companies they face unwanted solicitation emails ranging from replica watches to penny stock offerings. Employees at financial institutions also have to deal with the messages that make it past filters and into their inboxes. It is not just a strain on the email servers; it also takes time out of a productive day to sort through these emails.
In the past, financial institutions have followed the technology solutions of spam filters to detect and stop these types of emails from entering their networks. They also encouraged their staff to ignore or delete these emails. This is not the way to fight spam effectively, said Garth Bruen, an information security professional who started the KnujOn project, a web-based service that targets email-borne electronic fraud attempts by collecting junk mail from clients and processing them through the project’s policy enforcement engine. To date it has shut down more than 22,000 spam-related websites. Bruen’s work gained the attention of internet crime investigators and he works with CastleCops and other anti-spam organizations.
According to Bruen, this is what does not work against spam: “Ignoring the problem. Email users have been told for several years now to delete and ignore junk mail. Ignoring a problem does not help us understand it or figure out a way to fight it.”
He also counts email filters among the things that are not working. “This is simply a ‘high tech’ way of ignoring the problem. Depending solely on technology to solve the spam problem, it’s a bad assumption,” he said.
“Using technology only to solve the spam problem is like driving a car with air bags and seat belts. Just because they’re there that doesn’t mean we close our eyes and let the car drive itself. You still have to depend on human interaction to help solve these problems. If you think that securing your web site and installing spam filters is going to make the problem go away, you’re sadly mistaken. These spammers are very smart, and they will figure out a way to get to the customer if they can’t get to the account, or a way to get to the employee in order to get to the account.
Presented with the increased challenges of more sophisticated spam filters, phishers have developed even more sophisticated methods for reaching victims, as we’ve seen with the increase of spam, including the image-based spam influx earlier this year,” he noted.
Treating the problem as an “annoyance” and not a crime is something that must change, Bruen explained. “Financial institutions need to rethink this approach. If someone came into your institution waving a gun demanding money, you would not think of that as an annoyance. However, when someone tries to enter your network via a spam email and break into an account, and steal money, they’re looked at as an annoyance. Even though, an online hacker who gets a Trojan horse downloaded onto a PC via a spam email can get away with more money than a traditional bank robber with a gun,” he said.
Bruen sees hiding the fraud-reporting interface on an institution’s website as a bad move. “At some point financial institutions started openly accepting phish reports, but many institutions have buried this information on their website and made their own customers jump through several hoops in order to report the fraud. This keeps financial institutions from knowing when they’re being attacked. The most important thing to do is partner with their customers to report these emails,” Bruen noted.
As for what financial institutions should do: “Customer service staff needs to explain to new customers (and current customers) what the electronic security procedures are and what the customers’ responsibility is and where they can report potential fraud,” he added.
Here are some of the things Bruen sees working in the fight against spam and phishing scams: “Discussing the problem in open forums. Institutions may be under the impression that if they talk about fraud and security issues, they expose themselves to attack. In fact, the criminals are hoping that banks do not talk to each other and continue to deal with phishing in isolation. The phishers and spammers are talking to each other, they are organized, and we’re not. The spammers are extremely organized, complete with online training classes where veteran spammers train new spammers in techniques and tricks. They’re out there renting out botnets. There are a good number of phishers who just phish for new victims and then hold the information out for the highest bidder.”
“Reporting fraud works. I can’t stress this enough. The Securities and Exchange Commission (SEC) has suspended trading of stocks featured in spam and frozen assets of those profiting from market manipulation. The CastleCops’ Phishing Incident Reporting and Termination (PIRT) project has shut down thousands of fake bank websites. The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have issued millions of dollars in fines for unwanted faxes. KnujOn has shut down more than 22,000 spam websites. Every single one of these successes happened because people took the time to report,” he said.
Cooperating with law enforcement is something that Bruen also recommends. “It is the policy of many institutions to internally handle all security breaches that are not armed robbery. Ironically, armed bank robbers don’t get that much money and are almost always caught. More sophisticated bank theft goes unreported, embezzlers are quietly terminated. Bankers may believe that making this information public hurts their reputation with customers or shareholders, but not reporting it deprives the FBI of crucial information they need to connect the dots between crimes at multiple institutions,” Bruen noted. “The best and biggest example I will point to is the TJX breach which was kept quiet for a considerable amount of time. During that time a lot of credit card accounts and money were stolen. If it was reported to law enforcement earlier, it could have been stopped more quickly,” he concluded.