PSECU Launches Anti-Phishing Solution in Use at Big Banks

HARRISBURG, Pa. – As phishers and other fraudsters “move downstream,” Pennsylvania State Employees Credit Union will be ready with its virtual net. The $2.3 billion CU has signed on with Cyota Inc. to use FraudAction, the New York City-based firm’s anti-phishing solution. Cyota boasts a client list that includes eight of the world’s largest 12 banks, as well as America Online, and its president says his company’s business has broadened its focus to smaller financial institutions, too, as phishers find the going tougher against big institutions more able to defend themselves and their customers. “We have more than 10,000 financial institutions using our products, including many, many credit unions, and that number has been growing fast as the attacks move downstream,” says Naftali Bennett, CEO of Cyota (www.cyota.com). PSECU went live with its system in mid-March, following a couple weeks of conference calls, testing of encrypted e-mails for alerts and training. “We haven’t seen any attacks against us, but we wanted to be proactive in our defense,” says Kevin Doyle, information security manager at PSECU (www.psecu.com). “We know these things are moving downstream. The NCUA was recently a target itself, for instance.” FraudAction is part of Cyota’s suite of online security services, which includes a brand-new solution named eSphinx, an authentication service that assesses the risk level of each transaction and other activities in real time, based on factors derived from years of working with its wide range of clients. Problems are met with responses that can escalate from automated challenges for additional information to blocking the transaction and calling the account holder by telephone. Cyota bills FraudAction as the industry’s first such solution, introduced in 2003 when phishing was hardly a household word. Bennett says the company now is finding that serving big banks and small credit unions are two different propositions. “The big organizations we serve typically have incident response teams as well as a lot of other resources you wouldn’t expect credit unions to have,” the Cyota CEO says. “They expect us to guide them a lot more, the learning curve is larger, and basically the message is, `OK, Cyota guys, do the whole thing and just let us sleep at night.” That’s just what the company tries to do, Bennett says, with its Anti-Fraud Command Center, staffed 7/24 by a group of 30 analysts. Their specialty is thwarting phishing attacks and Bennett says without hesitation, “When one is launched, we’re the first in the world to know. We’ve collaborated with AOL and several other major anti-spam and ISP companies and developed our own network, and every day we scan roughly a billion e-mails for phishing attack sin real time.” When a potential attack is noted, the institution is notified, as is the ISP hosting the apparent phisher and the arduous process of shutting down a site begins, which often involves translators working through “a very long and frustrating spiel,” Bennett says. “We’ve reduced the time span of a typical phishing attack from six days to five hours,” he adds. Cyota also turns the tables on the attackers, feeding their spoof sites phony user names, passwords, account numbers and more. Noting organized crime’s alleged interest in the identity theft business, Bennett says, “A fraudster may obtain 500 credentials not knowing that maybe only 15 are valid. That’s a very low-grade reward and when he sells them to Tony Soprano, well, Tony gets angry.” -