The RSA Anti-Fraud Command Center’s (AFCC) 6-page “2008 Phishing Trends Report” is a quick read, and its content should be part of every financial services CISO’s elevator speech about current threats.
The RSA AFCC is a 24×7 organization that attempts to detect, monitor, track and shut down phishing, pharming and Trojan attacks against more than 300 institutions worldwide.
I’ll try to summarize the report:
Online fraud continues to evolve. Phishing and pharming remain a leading expression of sophisticated, organized and innovative tech-rich crime waves faced by online businesses. New tools help criminals adapt more rapidly than ever. [page 1]
In 2008 the RSA AFCC detected 135,426 phishing attacks, compared to just over 90,000 in 2007 — a 66% increase. [pages 1-2]
Financial brands within the U.S. suffered 68% of the total number of brand attacks, ten times higher than the number of brands attacked within the U.K. – which ranked a distant second on the list. The rate of attacks against brands within every other country on the list fell between 1% and 6% of the total amount. The financial services industry was the most targeted industry by far in 2008. [page 2]
Although the number of attacked brands in the U.S. was far higher than others, the U.K. led in terms of total volume of attacks because of numerous attacks against a small number of U.K. financial institutions during 2008. Phishing attacks in Latin America and Asia Pacific countries also supplied a material portion of the overall number of phishing attacks. [page 3]
The RSA AFCC reported that the number of financial institutions and other brands attacked in a given month varied from a low of 167 in October to a high of 225 in April 2008. Across the year, AFCC monitoring identified an average of 194 attacked brands per month. [page 4]
62% of these attacks were sourced from the United States. The U.S. was followed by France (9%), South Korea (6%), Germany (5%), and then U.K., China, Pakistan, Canada, & Russia all at approximately 3% each. [page 5]
The distribution of attacks against nationwide banks, regional banks, and credit unions in the U.S. changed throughout the year. The distribution was 26%, 29%, and 45% respectively in January. It had changed to 23%, 57%, and 20% respectively by December. [page 6]
Everyone in financial services organizations needs to be trained, and to understand that they must not click on or open anything unexpected, or anything that does not meet their understanding of “normal.” For many of us, the threat is great enough that we employ sophisticated, multi-layered email analysis and “sanitizing” infrastructure. Some also use external (cloud) services to help reduce phishing threats directed against a corporate workforce and its leaders.
But what about our customers and partners? There is still a lot of room for positive evolution there. I am a customer of a financial services empire that promises never to send links or requests for personal or account information via email. While that may significantly simplify the customer equation, criminals still find ways to game such policies, and the “no links” approach will not work for every corporation. I am curious to learn what has been working for you.
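One way to make the “never send links or ask for account information” promise enforceable on the mail gateway, as an added example that is not part of the original post or of the RSA report: a small policy checker that parses a message, pulls links out of both plain-text and HTML parts, and reports any link, any link whose visible text names a different host than its href, and any phrase that asks for credentials. The bank domain, the phrase list and the two sample messages are constructed assumptions for the example.

```python
"""Added example (not from the RSA report or the post): a mail-policy checker
for an institution that promises to never send links or ask for account data.
All domains, phrases and messages below are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.example"          # hypothetical institution

# Requests a genuine message from such an institution should never make.
SENSITIVE_REQUESTS = (
    "verify your account", "confirm your password", "enter your pin",
    "update your billing", "account will be suspended",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Visible link text that looks like a host name, e.g. "examplebank.example/login"
HOST_LIKE_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(msg):
    """Return (href, visible_text) pairs from every text part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(body)
            links.extend(collector.links)
        else:  # plain text: a bare URL is its own visible text
            links.extend((u, u) for u in URL_RE.findall(body))
    return links


def _href_host(url):
    return (urlparse(url).hostname or "").lower()


def _text_host(text):
    m = HOST_LIKE_RE.match(text.strip())
    return m.group(1).lower() if m else ""


def _is_bank_sender(msg):
    addr = parseaddr(str(msg.get("From", "")))[1]
    host = addr.rsplit("@", 1)[-1].lower()
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)


def check_message(raw):
    """Return a list of (finding, detail) tuples for one raw RFC 5322 message.

    contains_link     - the institution promised never to send links
    mismatched_link   - visible text names one host, href points to another
    sensitive_request - the body asks for credentials or account data
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if _is_bank_sender(msg):
        for href, text in extract_links(msg):
            findings.append(("contains_link", href))
            shown = _text_host(text)
            if shown and shown != _href_host(href):
                findings.append(("mismatched_link", f"{text} -> {href}"))
    body = " ".join(p.get_content().lower() for p in msg.walk()
                    if p.get_content_maintype() == "text")
    findings.extend(("sensitive_request", p) for p in SENSITIVE_REQUESTS if p in body)
    return findings


# Constructed sample: honours the policy.
GOOD_MAIL = """\
From: Example Bank <alerts@examplebank.example>
To: customer@mail.example
Subject: Statement available
Content-Type: text/plain

Your January statement is ready. Sign in as you normally do to view it.
"""

# Constructed sample: a lookalike message that breaks every rule at once.
BAD_MAIL = """\
From: Example Bank <alerts@examplebank.example>
To: customer@mail.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account will be suspended. Please
<a href="http://login-examplebank.example.evil.example/verify">examplebank.example/verify</a>
to confirm your password.</p>
"""

if __name__ == "__main__":
    for name, raw in (("good", GOOD_MAIL), ("bad", BAD_MAIL)):
        print(name, check_message(raw))
```

The checker is deliberately two-sided: run over outbound mail it catches a marketing team breaking the institution’s own promise, and run over inbound mail claiming the institution’s sender domain it surfaces the display-text/href mismatch that customers are least likely to notice.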
— References —
“2008 Phishing Trends Report” by the RSA Anti-Fraud Command Center: http://www.rsa.com/solutions/consumer_authentication/intelreport/FRARPT_DS_1208.pdf
“Invisible, hi-tech crime world of fraudsters.” http://news.ciol.com/News/News-Reports/Invisible,-hi-tech-crime-world-of-fraudsters/6309116924/0/