ST. PETERSBURG, Fla. -- A sophisticated Sept. 20 phishing attack targeted credit union cardholders by masquerading as a site sponsored by Card Services for Credit Unions, the association of credit unions that processes their card transactions with Fidelity National Information Services.
Sue Chrzan, spokesman for the association, said employees became aware of the problem early in the morning when their desk computers were extraordinarily slow. Information technology specialists at CSCU said they were alerted to the problem because their servers had to process thousands of e-mails being returned to a bogus CSCU address.
"We acted quickly to get communications out to our member credit unions and to redirect the images on the phishing site to warnings," said Chrzan. She said the association had contacted Fidelity National and put into place a program Fidelity has to swiftly shut down these sorts of attacks when they occur.
Chrzan called the attack sophisticated in that someone had to do the research on CSCU and its relationship with credit unions. The bogus e-mail also attempted to hide its request for cardholder information amidst questions about the members' CU overall.
"It really is quite sophisticated because it takes a little bit of research to get to us," Chrzan said, noting that CSCU primarily does business-to-business work with its credit union members and would be unknown to general credit union members or the broader public.
"We definitely look at this as a learning experience," Chrzan said. "Everyone has to take threats like these seriously because if this could happen to us it could happen to anyone."
Chrzan said that the incident would be "front and center" during CSCU's card summits that the association stages at different places around the country during the year.
As far as CSCU knows, no cardholders actually gave any information to the attempted thieves and Chrzan said some of the cardholders had contacted the association directly. It is unclear whether or how law enforcement may investigate the case since no data was compromised.