by Amy Kleinschmit, Chief Compliance Officer
Phishing, smishing, and other recent fraud attempts.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by posing as a trustworthy entity in an electronic communication. Short for "SMS phishing," smishing often involves text messages claiming to be from a credit union, bank or another company. The message displays a phone number to call or a link to click, giving scammers the chance to trick individuals out of money or personal information.
Education for members is key, and fortunately there are a number of resources ready to be pushed out to your membership and staff, such as the recent consumer alert from the Federal Trade Commission (FTC) concerning phishing scams. As discussed in the alert, the “FTC has seen a spike in reports from people getting text messages that look like they’re from well-known names like USPS, Costco, or The Home Depot and others.”
No matter what the unexpected text says, the FTC offers the following advice.
Additional guidance on how to recognize and report scam text messages can be found here or in this video from Homeland Security that discusses protecting against phishing attacks: https://www.dhs.gov/medialibrary/assets/videos/21694.
The FBI also has helpful tips on how consumers can protect themselves from these scams, found here.
Phishing emails have been an issue for years; however, with the uptick in mobile smishing attacks, be sure to make phishing and smishing awareness training a priority for staff, and make sure it covers all forms of phishing and smishing. Be sure everyone understands the risks of opening attachments or clicking on links within texts that come from unfamiliar sources.
However, all the education and prevention still might not prevent a scammer from using your credit union’s name in a smishing attack. Both the FTC and NCUA have issued guidance that might be helpful if this happens to your credit union.
The FTC’s article, Has a phishing scam hooked your company’s good name? | Federal Trade Commission (ftc.gov), provides tips on how a business should respond if it is impersonated in a phishing scam, such as notifying consumers of the scam, contacting law enforcement, providing resources to any victims of the scam, and taking the opportunity to review and update security practices.
NCUA issued this letter to credit unions, 22-RISK-01, concerning the ongoing threat of social engineering and phishing attacks. The letter reminds credit unions that any cyber incidents should be reported to the NCUA, your local FBI field office or the Internet Crime Complaint Center, and the Cybersecurity and Infrastructure Security Agency.
Letter to Credit Unions 05-CU-20 also provides guidance for credit unions regarding phishing, which can be found here. The letter directs credit unions that “If you become aware of actual phishing incidents using your credit unions’ name, logo, graphics, etc. attempting to solicit information from your members (also known as “spoofing”), you should consider taking the following actions as appropriate:
As always, DakCU members may contact Amy Kleinschmit with any compliance-related concerns.