Beware Phishing and Smishing Attacks!

Following a barrage of reports regarding fraud attempts in the Dakotas, Amy K has some helpful tips for credit unions and consumers. 

by Amy Kleinschmit, Chief Compliance Officer

Phishing, smishing, and other recent fraud attempts.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Short for "SMS phishing," smishing often involves text messages claiming to be from a credit union, bank or another company. The message displays a phone number to call or a link to click, giving scammers the chance to trick individuals out of money or personal information.

Education for members is key and fortunately there are a number of resources that are ready to be pushed out to your membership and staff, such as the recent consumer alert from the Federal Trade Commission (FTC) concerning phishing scams. As discussed in the alert, the “FTC has seen a spike in reports from people getting text messages that look like they’re from well-known names like USPS, Costco, or The Home Depot and others.”

No matter what the unexpected text says, the FTC offers the following advice.

• Don’t click on links or respond to unexpected texts — including ones asking you to fill out surveys to get free items. If you think it could be legit, contact the company using a website or phone number you know is real. Don’t use the information in the text message.
• Don’t pay to get a package redelivered. The real USPS won’t contact you out of the blue about a delivery (unless you submitted a request first and give a tracking number) — and they’ll never demand payment to redeliver a package.

Additional guidance on how to recognize and report scam text messages can be found here or this video from Homeland Security that discusses protecting against phishing attacks - https://www.dhs.gov/medialibrary/assets/videos/21694.

The FBI also has helpful tips on how consumers can protect themselves from these scams, found here.

Phishing emails have been an issue for years, however, with the uptick in mobile smishing attacks be sure to make phishing and smishing awareness training a priority for staff – and make sure it covers all forms of phishing and smishing. Be sure everyone understands the risks when opening attachments or clicking on links within texts that come from unfamiliar sources.

However, all the education and prevention still might not prevent a scammer from using your credit union’s name in a smishing attack. Both the FTC and NCUA have issued guidance that might be helpful if this happens to your credit union.

The FTC’s article, Has a phishing scam hooked your company’s good name? | Federal Trade Commission (ftc.gov), provides tips on how businesses should respond if it is impersonated in a phishing scam, such as notifying consumers of the scam, contacting law enforcement, providing resources to any victims of the scam, and taking the opportunity to review and update security practices.

NCUA issued this letter to credit unions, 22-RISK-01, concerning the ongoing threat of social engineering and phishing attacks. The letter reminds credit unions that any cyber incidents should be reported to the NCUA, your local FBI field office or the Internet Crime Complaint Center, and the Cybersecurity and Infrastructure Security Agency.

Letter to Credit Unions 05-CU-20 also provides guidance for credit union regarding phishing, which can be found here. The letter directs credit unions that “If you become aware of actual phishing incidents using your credit unions’ name, logo, graphics, etc. attempting to solicit information from your members (also known as “spoofing”), you should consider taking the following actions as appropriate:

• Post a prominent alert notice on your website’s homepage and login screen.
• Contact members directly by mail and/or e-mail providing them with the information noted above.
• Monitor member accounts for unusual activity and trends.
• Flag and monitor closely the accounts of members who report that they have fallen victim to a phishing or similar e-mail scam.
• Alert your staff to the incident so that they are sensitive to the situation and report activity such as unusual address change requests, account transactions, or new account activity.
• Encourage members who believe that they have been a victim of the phishing scam to follow the recommendations published in the brochure, You Can Fight Identity Theft, outlining steps members should take to reduce the risk of identity theft.”

 
As always, DakCU members may contact Amy Kleinschmit with any compliance related concerns.
 
 
 
 
 

---