Credit union thwarts phishers and reveals how

Banks are notoriously tight-lipped about their efforts to fight fraud.

It's a curious trait because savvy criminals know what banks do to protect information, but customers do not.

Officials at Washington State Employees Credit Union, however, decided to explain how they successfully fought a recent phishing expedition.

Phishing is lingo for e-mails sent to consumers that appear to come from legitimate sources seeking financial information, such as credit-card numbers.

More identity fraud stems from stolen paper mail than from phishing, according to Javelin Strategy & Research, a research and consulting firm in Pleasanton, Calif. Still, phishing is lucrative enough that criminals keep doing it.

The credit union, based in Olympia, learned that its members were being phished in September when it was forwarded a phishing e-mail that linked it to a bogus Web site.

Credit-union officials bombarded the fake site with bad debit-card numbers, hoping that the criminals would be overwhelmed and unable to distinguish between those card numbers and any real ones members might provide.

Phishy e-mail


A few pointers for distinguishing between real and fraudulent e-mail from a financial institution.

Banks don't send e-mails requesting information. That includes debit or credit-card numbers, Social Security numbers, login or password information.

Bank e-mails don't link to Web sites asking for information. Same principle, but a little trickier. Often the fraudulent site looks like the institution's Web site. The difference might be a Web address with the numeral "1" instead of a lower-case "l."

Contact the bank directly. Always use the Web address you know belongs to your financial institution, not one found in an e-mail link.

Look for typos. Phishers can't spell. It's not the best way to determine whether an e-mail is truly from your bank, but if you see a typo, you can be fairly certain that your bank didn't send that e-mail.

They also contacted the Internet service provider in Lithuania that was hosting the fake site.

It took a day and a half to shut down the fake site, faster than average for phishing incidents.

Finding an ISP is fairly easy, but it takes time to contact ISP workers in another country and explain that phishing is criminal behavior. The ISPs are not the criminals, just the services used to set up bogus Web sites.

The Lithuanian ISP knew what phishing was, said Walter Cunningham, assistant vice president of information technology at Washington State Employees Credit Union. But that was not the case in May, the first time criminals phished for data from credit-union members. Then the ISP was in Sweden.

"They didn't understand phishing, so we took the angle of 'stealing,' " Cunningham said.

No one lost money in either incident.

In the first case, credit-union officials were tipped off when criminals tried to use a bad debit-card number at an ATM in Romania. The credit union could do little besides report it to the Federal Bureau of Investigation.

In the second incident, one member gave his information to the fake site, but as far as credit-union officials could tell, no one tried to use it.

That member realized he had been phished after the fraudulent site stopped asking for data and landed him at the credit union's legitimate Web site. Officials there considered it lucky that the bogus site sent people to them, because they were able to post a warning.

Even if only one or two members might be caught by a phishing scam, credit-union spokeswoman Ann Flannigan said, "we're going to do our best to minimize the impact."

Melissa Allison: 206-464-3312 or mallison@seattletimes.com