Los Angeles Federal Credit Union was in the cross-hairs of email scammers. Its brand was constantly being spoofed, putting its members at risk of being defrauded. The CTO prioritized email security as part of his broader risk management strategy, and selected Agari as his partner. That was more than eight years ago. Today, domain spoofing is at near zero.
Our initial goal was to reduce phishing attacks down to the annoyance level, but working with Agari, we’ve eradicated it. And that allows me to focus on other strategic areas of my risk management strategy.
A question we often ask CISOs is: What was the compelling event that led you to prioritize your email security strategy? While the details vary, a constant theme exists and revolves around the fact that bad actors continue to bombard companies with phishing attacks and brand hijacking. Brian Todd, CTO at Los Angeles Federal Credit Union, didn’t pause when we posed the question to him. “We were getting a lot of phishing attacks against our brand – fake websites and emails,” he said. “We were constantly getting phished and our brand was being compromised. We were trying to make it more difficult for the scammers to attack our brand, and they were constantly coming up with new attacks. It had become an unsustainable game of whack-a-mole.”
And then in 2012, a crucible befell the company. Credit Union members, some of whom were elderly or less technically savvy, were under attack and falling victim to scammers; other non-members would receive the fake messages and start to engage with scammers and do their own investigations; and a scammer group set up different websites that looked like it was an official Los Angeles Federal Credit Union website. The group spoofed the credit union’s brand domain and emailed thousands of its people telling them a problem had occurred with their credit cards and/or account. Hundreds of people filled in their account information to the fake websites, handing over their credentials to the fraudsters. The victims’ identities were stolen and many of them ended up losing money. “At the time, the only way we knew an attack had started was because our Credit Union’s call center would get calls and questions from victims or members who were worried that something was wrong with their account. It was a perfect storm, an avalanche of phishing-related incidents that had to be stopped,” Todd said. “We did extensive research and then received a recommendation for Agari. And that’s made all the difference.”
Los Angeles Federal Credit Union began working with Agari immediately after the events of 2012 and 2013 to shore-up its email channel, and ultimately protecting the company from highly sophisticated bad actors and restoring trust with its members. “When we switched over to Agari Brand Protection™, we were able to monitor more email traffic than ever before and sort out the scammers from our legitimate email quickly and easily,” Todd said. Agari made a lasting difference. Los Angeles Federal Credit Union completed its DMARC journey to p=reject within five months, and overtime, it has recognized a more than 95 percent reduction in the amount of phishing scams it has had to remediate. With a DMARC record at p=reject, 99.7 percent of its email is legitimate. This improvement has enabled Todd to identify and focus on addressing emerging vulnerable areas to the company. “Today, I no longer spend hours dealing with e-mail scammers. Instead, I’m focused on secure communication for the members.” Third-party risk management is critical in the current environment and companies need to ensure that their vendors are adhering to email security best practices, like a DMARC record with a policy set at reject. “When I started digging into potential exposure presented by various vendors, I was surprised at the number of email servers that sent emails on our behalf. We found more than 60 servers handling our email communications.” And that’s a real risk. While it can be challenging to hunt down all of those mail servers and IP addresses and determine whether they have DMARC, it’s imperative in order to have member trust.
Los Angeles Federal Credit Union has a Trust Score of 100, which indicates a very healthy Agari Brand Protection deployment. The Trust Score is an index which represents how protected a company’s email is. A perfect score of 100 means all of a company’s emails have been protected by a DMARC reject policy[/caption]
Todd’s risk management conversations with the Los Angeles Federal Credit Union Board of Directors changed, too, upon working with Agari. Email security has long been a forefront issue with the Board, but today, instead of just reporting the volume of constant phishing attacks or sharing the latest attack details, the conversation is more strategic in nature due to the analytics in Agari Brand Protection. “Our Board pays attention to the heat map, which visualizes data clusters of where emails are sent from,” Todd said. “This shows them levels of risk quickly and is the jumping off point I use for discussing on-going resilience of the business and the efficacy of our risk management strategy.”
DMARC should be a hard requirement during any vendor selection process. When your vendors have a DMARC set at preject, your brand, and the whole ecosystem, is protected, too.
In summary, Todd shared these lessons learned in rolling out an email-security strategy centered around email authentication with DMARC.
- Conduct a thorough inventory quarterly of the vendors and the vendors’ vendors that are sending emails on behalf of your brand. It’s always changing, especially in a remote workforce operating environment. “Not all vendors understand DMARC and SPF, so finding the right contact at the vendor can be hard to do but necessary,” Todd said.
- Educate your internal department stakeholders on a rolling basis. Business is not static, and departments will continue to contract with new vendors that end up sending emails on a company’s behalf.
- Educate your customers on a rolling basis, too. By clearly communicating to customers what to expect from your company, they will be more alert when a scam comes in. “We regularly communicate to our customers our protocols. We tell them that we will never send an email which asks for their credit card number and PIN,” Todd shared. “We communicate what we don’t do, so now our customers will contact us proactively, if they see something that isn’t right.”
- Ensure that you have enough lead time. Depending on who manages your DNS, the change-over process can be time consuming. Factor in lead time at the beginning of your DMARC journey for this important step.