‘Phishers’ trying to bait credit union movement
Phishing.
When said out loud, this term may sound like someone discussing a popular outdoor activity. However, one message is clear when it comes to the similar-sounding yet very unpopular term, phishing: if you didn’t initiate the activity or transaction, don’t give out the information. In other words, don’t take the bait.
By now, anyone who works in an IT capacity, is in a data-sensitive industry (e.g., financial institutions), or generally conducts transactions over the Internet has probably become all too familiar with the term. Phishing, which uses fraudulent e-mail or website pop-ups, attempts to get victims to divulge sensitive financial information such as credit card numbers, account numbers, user names, passwords, or social security numbers. The “phisher” then uses this information to commit identity theft or other fraud.
Phishing no longer seems to be only the concern of big banks and card issuers. These scams have also made their way into popular online products used by consumers, such as AOL, eBay and PayPal. A study by the Gartner technology research firm showed that 52 million U.S. Internet users received phishing e-mails during the past 12 months, from which 1.8 million consumers divulged information and one million fell victim.
Credit unions and their members have also become prime targets. In recent months, CUNA, NCUA, ICUL, ICUL Service Corporation, as well as numerous other leagues and credit unions across the country, including several in Illinois, have been the target of phishing e-mails. According to some security officials, that is because credit unions are perceived to maintain more vulnerable security systems than banks.
Some of the fraudulent attempts ask for the recipient to click on a link to verify their credit union account registration. Others offer money to complete a survey, while others attempt to persuade recipients to renew their accounts due to many supposed complaints about unusual account activity. Some simply claim that a system upgrade requires users to update their account information.
Whatever the tactic, the fraudulent e-mails usually include a link that seems to go to the “spoofed” organization’s authentic Web site. However, in most cases it goes to a look-alike page or site, and asks for sensitive data that should never be provided in response to an unsolicited e-mail, especially if the message is supposedly urgent in nature. For credit unions and their members, there are some basic points that should be kept in mind when it comes to phishing:
- Be proactive regarding phishing activity and information. Regularly publish an article in your newsletter highlighting the increased instance of this fraudulent activity among credit unions and their members. Advise them to report any suspicious activity. Informed members are key to avoiding losses.
- Credit unions should use all of their available communications vehicles to immediately alert their members of any phishing scams. Assure members that your credit union never solicits usernames, passwords, PINs, or other personally identifiable information via e-mail or other means.
- If a phishing e-mail has been circulated, credit unions should immediately attempt to contact the Internet Service Provider (ISP) who may or may not realize this fraudulent activity is taking place via their hosting service. One Web site, www.dnsstuff.com, can help reveal the vital information, such as the origination point of the phishing activity.
- There are a number of ways to report losses that have occurred as a result of fraudulent activity, including the Internet Fraud Complaint Center (IFCC) at www.ic3.gov (the IFCC is a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center). Other resources are available via ICUL’s Web site. Whether or not a loss has occurred, immediately notify any organization that has been “spoofed” so they are aware of and can effectively deal with the situation.
- Credit reports should be monitored. Thanks to the Fair and Accurate Credit Transactions (FACT) Act passed in 2003, consumers are entitled to receive one free credit report every 12 months from each of the nationwide consumer credit reporting companies. This free credit file can be requested online at www.annualcreditreport.com, or by phone or mail. New accounts opened or loans obtained with a person’s identity will appear on their credit report, which can help reveal possible identity fraud. If credit reports are not checked, instances of identity theft may proliferate, and it could prevent consumers from obtaining credit down the road.
If you have any questions about an e-mail or other suspicious communication that appears to be from ICUL, the ICUL Service Corporation, or a fellow credit union, please call the Member Services Department to confirm its authenticity before responding. You may additionally contact the League’s IT department for technical assistance. Both departments are reachable by calling 800-942-7124.