Four days after signing a contract with Symantec Corp. in April, M&T Bank got hit with a phishing attack in which a barrage of 15 million E-mails got sent to customers with the purpose of tricking them into revealing their passwords. The upshot was that the bank received a total of seven phone calls related to the incident. The Symantec anti-fraud software had detected the fraudulent E-mails and alerted M&T's customers to disregard them.

M&T Bank, a $53-billion asset bank based in Buffalo, N.Y., takes seriously the threats posed by perpetrators of phishing and pharming attacks, as well as spam, spyware, and identity theft. It's gotten hit with two phishing attacks in the past six months as perpetrators have gone down-market: Where they used to target the largest banks, they're now going after mid-tier banks like M&T.

M&T has made Symantec's Online Fraud Management Solution the crux of its strategy for combating online fraud. The system blocks fraudulent E-mails from reaching consumers and alerts the bank that customers are under attack. It also provides education and tools for customers to conduct their own desktop security assessments. M&T is offering customers a 20% discount on additional Symantec products for eliminating spyware, viruses, and other forms of malware.

To guard against customer information being lost or stolen, M&T has adopted a policy of not allowing such data to be stored on laptops; instead, information is only stored at a central location where it can be monitored. The goal is to avoid joining the list of banks that have had to notify customers of a security breach, says Matt Speare, M&T's chief information security officer.

Thanks to an aggressive and proactive patch management policy, the bank has suffered little damage from Internet-based attacks such as the recent Zotob virus, which affected only about 20 of the bank's several thousand servers. However, the number and virulence of attacks are increasing, says Speare. The greatest risk is from "supervariants" that combine attack elements, such as distributed denial-of-service and the ability to steal information. "It is going to happen," Speare says. "Someone is going to figure out how to combine four or five attack vectors and start grabbing credit card and Social Security numbers."

Internally, M&T has built up its defenses inside the perimeter. An "application security firewall," using software from Teros Inc., prevents hackers from using techniques such as SQL injection to gain access to sensitive databases. The application security firewall sits right behind the network firewall; when it detects a string of unfamiliar characters in a message from an online app, it automatically terminates the session.

Speare's 50-person group is involved from the start with every technology project that gets generated by the bank's lines of business. The information security staff is "in lockstep" with the corporate security and compliance departments, he says.