CASE STUDY Credit Union Stops Barrage of Spoofing Attacks by 99.7%

Large Credit Union uses Agari Brand Protection™ to Stop Scammers at the Front Door

Executive Summary

Los Angeles Federal Credit Union was in the cross-hairs of email scammers. Its brand was constantly being spoofed, putting its members at risk of being defrauded. The CTO prioritized email security as part of his broader risk management strategy, and selected Agari as his partner. That was more than eight years ago. Today, domain spoofing is at near zero.

Company Snapshot

Industry: Credit Union/Financial Services
Challenges: Brand domain abuse, including brand spoofing and executive impersonation
Solution: Agari Brand Protection™
Results: 99.7 percent of emails are legitimate; 95 percent reduction in phishing attacks

Our initial goal was to reduce attacks down to the annoyance level, but working with Agari, we’ve eradicated it. And that allows me to focus on other strategic areas of my risk management strategy.

1 | www.agari.com

[Figure: Example of a fake website, spoofing the Los Angeles Federal Credit Union brand.]

A question we often ask CISOs is: What was the compelling event that led you to prioritize your email security strategy? While the details vary, a constant theme exists and revolves around the fact that bad actors continue to bombard companies with phishing attacks and brand hijacking. Brian Todd, CTO at Los Angeles Federal Credit Union, didn’t pause when we posed the question to him. “We were getting a lot of phishing attacks against our brand – fake websites and emails,” he said. “We were constantly getting phished and our brand was being compromised. We were trying to make it more difficult for the scammers to attack our brand, and they were constantly coming up with new attacks. It had become an unsustainable game of whack-a-mole.”

And then in 2012, a crucible befell the company. Credit Union members, some of whom were elderly or less technically savvy, were under attack and falling victim to scammers; other non-members would receive the fake messages and start to engage with scammers and do their own investigations; and a scammer group set up different websites that looked like an official Los Angeles Federal Credit Union website. The group spoofed the credit union’s brand domain and emailed thousands of its people telling them a problem had occurred with their credit cards and/or account. Hundreds of people entered their account information into the fake websites, handing over their credentials to the fraudsters. The victims’ identities were stolen and many of them ended up losing money. “At the time, the only way we knew an attack had started was because our Credit Union’s call center would get calls and questions from victims or members who were worried that something was wrong with their account. It was a perfect storm, an avalanche of phishing-related incidents that had to be stopped,” Todd said. “We did extensive research and then received a recommendation for Agari. And that’s made all the difference.”

Los Angeles Federal Credit Union began working with Agari immediately after the events of 2012 and 2013 to shore up its email channel, ultimately protecting the company from highly sophisticated bad actors and restoring trust with its members. “When we switched over to Agari Brand Protection™, we were able to monitor more email traffic than ever before and sort out the scammers from our legitimate email quickly and easily,” Todd said.

Agari made a lasting difference. Los Angeles Federal Credit Union completed its DMARC journey to p=reject within five months, and over time, it has recognized a more than 95 percent reduction in the amount of phishing scams it has had to remediate. With a DMARC record at p=reject, 99.7 percent of its email is legitimate. This improvement has enabled Todd to identify and focus on addressing emerging areas of vulnerability for the company. “Today, I no longer spend hours dealing with e-mail scammers. Instead, I’m focused on secure communication for the members.”

[Figure: Trust Score chart, scale 0 to 100, May through July. My Trust Score is 100 as of 7.7.2020]

Los Angeles Federal Credit Union has a Trust Score of 100, which indicates a very healthy Agari Brand Protection deployment. The Trust Score is an index which represents how protected a company’s email is. A perfect score of 100 means all of a company’s emails have been protected by a DMARC reject policy.

Third-party risk management is critical in the current environment, and companies need to ensure that their vendors are adhering to email security best practices, like a DMARC record with a policy set at reject. “When I started digging into potential exposure presented by various vendors, I was surprised at the number of email servers that sent emails on our behalf. We found more than 60 servers handling our email communications.” And that’s a real risk. While it can be challenging to hunt down all of those mail servers and IP addresses and determine whether they have DMARC, it’s imperative in order to have member trust.

DMARC should be a hard requirement during any vendor selection process. When your vendors have a DMARC set at p=reject, your brand, and the whole ecosystem, is protected, too.

Todd’s risk management conversations with the Los Angeles Federal Credit Union Board of Directors changed, too, upon working with Agari. Email security has long been a forefront issue with the Board, but today, instead of just reporting the volume of constant phishing attacks or sharing the latest attack details, the conversation is more strategic in nature due to the analytics in Agari Brand Protection. “Our Board pays attention to the heat map, which visualizes data clusters of where emails are sent from,” Todd said. “This shows them levels of risk quickly and is the jumping off point I use for discussing on-going resilience of the business and the efficacy of our risk management strategy.”

In summary, Todd shared these lessons learned in rolling out an email security strategy centered on DMARC.

1. Conduct a thorough inventory quarterly of the vendors and the vendors’ vendors that are sending emails on behalf of your brand. It’s always changing, especially in a remote workforce operating environment. “Not all vendors understand DMARC and SPF, so finding the right contact at the vendor can be hard to do but necessary,” Todd said.

2. Educate your internal department stakeholders on a rolling basis. Business is not static, and departments will continue to contract with new vendors that end up sending emails on a company’s behalf.

3. Educate your customers on a rolling basis, too. By clearly communicating to customers what to expect from your company, they will be more alert when a scam comes in. “We regularly communicate to our customers our protocols. We tell them that we will never send an email which asks for their credit card number and PIN,” Todd shared. “We communicate what we don’t do, so now our customers will contact us proactively, if they see something that isn’t right.”

4. Ensure that you have enough lead time. Depending on who manages your DNS, the change-over process can be time consuming. Factor in lead time at the beginning of your DMARC journey for this important step.

© 2020 Agari Data, Inc. All rights reserved. Agari, Secure Email Cloud, Agari Identity Graph, Agari Phishing Defense, Agari Brand Protection, Agari Phishing Response, Agari Active Defense and the Agari logo are trademarks of Agari Data, Inc. www.agari.com v01.08.26.20
