A South Carolina credit union is taking what legal experts sayis a rare legal approach to combat phishing by filing a civillawsuit and winning a court order to serve subpoenas on Internetservice providers and phone companies related to the case withoutwaiting for a pretrial conference.

The $687 million AllSouth FCU in Columbia, S.C., filed a civillawsuit last month in U.S. District Court for the District of SouthCarolina against unknown perpetrators that gained access to atleast 125 members' accounts, according to court documents.

The lawsuit names “John Does” and “Jane Does” as defendantscharged with infringing upon AllSouth's trademark and violating theRacketeer Influenced and Corrupt Organizations Act.

The credit union, which has more than 20 locations and 100,000members, is seeking an immediate injunction against the fraudstersand treble damages, which are mandatory under RICO statutes and entitle the court to award triple theamount of actual damages.

In effort to identify and locate criminals who launched a SMSphishing scam in early April, a U.S. District Court judge hasissued an order granting expedited discovery, allowing AllSouth'slegal team to serve subpoenas on third-party communicationsproviders.

Unlike a criminal case, a civil lawsuit allows different methodsof discovering evidence, which is likely why AllSouth has adoptedthe tactic. AllSouth officials declined to comment, citing theongoing investigation.

“We have nothing further to add,” said Audrey Brown, the creditunion's vice president of marketing.

According to court records, the fraudsters sent phishing textmessages by obtaining a list of AT&T customer names with SouthCarolina's (803) area code. Recipients were told their account hadlimited access or restricted access and were instructed to call atoll-free telephone number.

Callers were greeted with an automated recording stating,“Welcome to AllSouth Federal Credit Union,” and prompted to providepersonal information such as account, Social Security and driver'slicense numbers, which perpetrators used to log on to AllSouth'sonline banking system and transfer money out of victims'accounts.

The exact number of victims is yet to be determined, but atleast 125 credit union members reported to AllSouth that theyrevealed personal data during the phishing scam, according to courtdocuments.

It's rare for judges in civil cases to grant an expediteddiscovery order to issue subpoenas to third-party serviceproviders, according to legal experts, but this is not the firsttime a financial institution has utilized the tactic in a phishingcase.

Records of communications providers are given extra protectionby the “Stored Communications Act” portion of the ElectronicCommunications Privacy Act of 1986, but the laws have gotten murkywith increasing technology such as social media and cloudstorage.

“It's my impression that civil discovery requests to third-partyservice providers for the content of communication under theElectronic Communications Privacy Act are very unusual and may notbe allowed by the statute,” Chris Calabrese, legislative counselfor the American Civil Liberties Union, said in email to CreditUnion Times.

The court order granted to AllSouth states that the motion forexpedited discovery was allowed pursuant to Rule 26(d) of theFederal Rules of Civil Procedure. In 2006, a district court inNebraska granted a motion to allow First National of Nebraska toconduct immediate discovery on non-party ISPs for the limitedpurpose of identifying and locating unknown defendants thatconducted a phishing scam.

Time is of the essence, according to AllSouth's motion, because“the information sought from some of the third parties through theproposed discovery is in electronic format, and, therefore, it isreasonable to expect that such information will eventually bepurged by the third-parties in accordance with a data retentionpolicy. Plaintiff will suffer irreparable harm if discovery is notpermitted, as the defendants will likely never be identified, thenumber of victims will increase, and AllSouth's reputation willcontinue to be damaged.”

Meanwhile, financial institutions must remain diligent, aconsumer advocate advises.

“Banks and credit unions need to maintain their securityprotocols at the highest levels and also need to educate theirconsumers about identity theft,” said Edmund Mierzwinski, consumerprogram director with the U.S. Public Interest Research Group, anational non-profit consumer advocacy organization.