It is 12:00 noon on a Tuesday and you have just received an email from your financial institution advising you that an internal security breach has occurred. You are told that while everything has been stabilized, it may still be a good idea for you to visit the company website and change your personal information, just in case. You immediately click on the hyperlink inside the email and are instantly taken to your financial institution's website. As you reach for the keyboard to enter your login information, a pop-up window appears with fields for your debit card number, current PIN and a new PIN. Without hesitation, you provide the requested information, click Enter and receive notification that your information has been changed. Consumers who comply with this request in order to protect their information do not realize that they have just fallen prey to the latest Internet scam, one that is becoming widespread. Affecting thousands of consumers, it may take days or weeks for a consumer to realize that their account has been tampered with and money is missing.
Can you imagine receiving an email from your financial institution requesting that you immediately visit its website to update your personal records because of a security breach? Or worse yet, that access to your personal information might be impeded if you delay updating it? Criminals rely on consumer panic to drive the growing number of phishing scams that are plaguing consumers everywhere. Phishing scams are relatively new but extremely stealthy in their approach. The premise of a phishing scam is simple: send a large volume of official-looking email to Internet users, hoping that many of them are actually customers of the large corporations whose names the criminals are using. The emails warn the consumer of pending access problems and allude to security breaches that may compromise the consumer, all in order to get them to visit what is commonly referred to as a spoof website. Concerned customers who do not question the authority of the email often click immediately on links inside it, and those links direct them to bogus websites designed to rob them of their personal identification and financial information. Fair Isaac's CardAlert Fraud Manager team has recently been investigating known phishing cases, including reports that in some cases consumers did not receive a phishing email at all but still experienced the pop-up window while performing online banking activities.
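The tell-tale feature of the emails described above is a link whose visible text shows the institution's real address while the underlying target points somewhere else. As an added example (not part of the original alert), the following Python script scans the anchors in an email body and flags links whose target is a raw IP address, is outside the institution's known domains, or disagrees with the address shown to the reader. The email body and the domain list `examplebank.com` are constructed for the example and are assumptions, not data from the alert.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of message the alert describes:
# the visible text shows the bank's address, the href points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, a security breach has occurred. Please update your records at
<a href="http://203.0.113.7/update/login.php">https://www.examplebank.com/login</a>
within 24 hours or access to your account will be suspended.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""

# Domains the institution really uses (assumption for this example).
LEGITIMATE_DOMAINS = {"examplebank.com"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Crude last-two-labels reduction: www.examplebank.com -> examplebank.com."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, legitimate_domains):
    """Return [(href, text, [reasons])] for anchors that look like phishing links."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []
        if is_ip(href_host):
            reasons.append("link target is a raw IP address: %s" % href_host)
        elif registered_domain(href_host) not in legitimate_domains:
            reasons.append("link target %r is not a known institution domain" % href_host)
        # Visible text that itself looks like an address but names a different host.
        if "." in text and " " not in text:
            text_host = host_of(text)
            if text_host and registered_domain(text_host) != registered_domain(href_host):
                reasons.append("text shows %r but link goes to %r" % (text_host, href_host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML, LEGITIMATE_DOMAINS):
        print(href, "|", text)
        for reason in reasons:
            print("   -", reason)
```

The second anchor passes because its target is on the institution's own domain and its visible text is plain words rather than an address; the first is flagged twice, once for pointing at a bare IP and once because the address shown to the reader is not the address the browser would open.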
Counterfeit debit cards were used in several US cities to make unauthorized withdrawals against the accounts of consumers who responded to these email scams. The Ohio communities of Cleveland, Parma Heights, Fairview Park and Middleburg Heights were point-of-fraud locations for criminals who made multiple withdrawals in unusual dollar combinations. The unusual amounts ranged from $360 to $580 and typically followed a balance inquiry. PIN accuracy appeared to be high on all withdrawals. Other locations linked to this scam included Chicago, IL; Brooklyn, NY; and many cities in Southern California. There is no known relationship between where the consumers lived and where the fraudulent withdrawals occurred.
How can a pop-up window appear on a website that belongs to another company? What do cyber criminals use to craft such a scam? RATs, of course. A RAT, or Remote Access Trojan, is an information-gathering program that runs on the victim's own computer, typically planted when the victim opens a malicious attachment or visits a booby-trapped page, and it gives the criminal remote control of that machine. Because the RAT runs locally, it can draw a counterfeit pop-up on top of the genuine banking page and capture whatever is typed into it; the pop-up is not part of the financial institution's site at all, which is why it can also appear to consumers who never received a phishing email. Visitors have their information stolen as they use the site for normal banking. The visitor's email address is also captured and later used as the sender of more phishing emails.
This article is an excerpt from an Alert message presented by a combined effort of Fair Isaac and the CO-OP Network. We are providing this information to promote awareness on security and privacy issues for our members. If you ever receive any suspicious correspondence using our credit union's name and/or logo, please contact our office as soon as possible.