In just one week, CU Times learned about two largescaleSMShing attacks on credit union members. One involved amulti-billion institution in the northeast. Another credit unionwas not quite $1 billion in assets and also located in theNortheast.
|Separately, security experts provided CU Times withsample SMS fraud text that targeted members of two other creditinstitutions: One among the nation's biggest, the other with fewerthan $100 million in assets in the Northeast.
|That last institution presently has the following message inboldface on its homepage: “ALERT: If you responded to a text oremail and provided your debit card information, you are a victim offraud! Call 800-xxx-xxxx immediately and report your card as stolento avoid personal liability for fraud charges that will occur onyour account. Remember we will never ask for your cardnumbers, we have them. And we do not text our members. Contact usfor details.”
|Exactly what is going on?
|Members receive an SMS or text message, purportedly from thecredit union, demanding the member go to a website or call a phonenumber and provide personal account data to restore a suspendedaccount. They are growing in numbers, according to SanFrancisco-based security company Cloudmark, which has beenmonitoring SMS for some time.
|“It's really risen in the last year,” Neil Cook, Cloudmark chieftechnology officer said. The reason is profits.
|“It costs more to send out an SMS phish,” Cook said, “but thereturns are higher than with email.”
|Read more: Texts are taken more seriously…
|That is because most of us have been trainedto take SMS more seriously than we do email, said Jan Volzke, CEOof Sausalito, Calif. based security firm Numbercop.
|We get alerts from our credit unions – about deposits, payments– and we also may have multi-factor authentication setup involvinga cellphone. For those reasons, we view SMS as serious business andcrooks are jumping on it.
|Recent Cloudmark data show that financial institution accountphishing has become the third most common type of SMS spam.
|The messages are blunt, frightening. One seen by CUTimes simply had the name of the credit union and the urgentinstruction to call a particular phone number.
|Another read: Your Visa has been temporarily deactivated. Call800-xxx-xxx to reactivate. The SMS included the name of theinstitution.
|Other, simpler scam SMS include a link and tell the member toclick to reinstate the account.
|Where do fraudsters get the mobile phone numbers? Some maysimply be automatically generating numbers on known mobile phoneexchanges. Others may have bought valid numbers and, Volzke said,following large retail breaches at Target, Home Depot and others. There are millions of good numbers outthere for crooks to buy.
|Cook said the crook next buys batches of prepaid SIM cards,which trace back to nowhere, and load them into so-called SIMboxes, which are large arrays of SIMs. The crook then automates SMSdeployment.
|“They will send out in high volume, sometimes millions a day,”Cook said.
|The bottom line is that email phishing is declining ineffectiveness, but crooks now are seeing good returns from badSMS.
|What's a credit union to do? Affinity FCU, a$2.3 billion credit union in Basking Ridge, N.J., recently had itsmembership fall under SMS attack and it agreed to tell itsstory.
|As soon as it heard from many members about the SMS attack,Affinity blasted out an email that read: “We have just been madeaware that some of our members have received deceptive text alerts,claiming to be from Affinity, stating: 'AffinityFCU-UrgentNotification-Call (908) 818-1530' This message is not fromAffinity. If you receive the message, delete the messageimmediately. If you have already called the phone number andprovided any personal information, please contact our MemberService Center immediately.”
|Jean-Albert Maisonneuve, Affinity's vice president of marketing,assured CU Times that Affinity itself had not beenbreached; the phone numbers had not come from within the creditunion.
|“As to protecting members, with this sort of scam the best wecan do is continually inform members of what they can do to protectthemselves and provide an outlet just in case they do get caught,”he said.
|Maisonneuve also said the credit union was unaware of anylosses associated with this scam.
|Another credit union, which requested anonymity, was also hitwith the scam and said so far, it is unaware of any memberlosses.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Critical CUTimes.com information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
- Exclusive discounts on ALM and CU Times events.
- Access to other award-winning ALM websites including Law.com and GlobeSt.com.
Already have an account? Sign In
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
