Phishing Season: Markets are Down, but Fraud is up

Institutions and Consumers Targeted by Fraudsters Taking Advantage of Turmoil
Phishing Season: Markets are Down, but Fraud is up
One night in early October, Harbor Credit Union of Green Bay, WI, warned its members of a recent mass of robocalls. "An automated dialer started phoning people and telling them that their account had been compromised, and asking them to enter information," says Mike DeGrand, president of the institution. People were asked to enter credit and debit card numbers, along with their security PIN. The local sheriff's department fielded hundreds of calls over that weekend. So far, the credit union hasn't heard from any members who entered any personal information.

But what happened in Green Bay has been played out continually in communities across the U.S. As the economy and some financial institutions have suffered in recent weeks, phishing activity has flourished. Fraudsters are rushing to take advantage of stressed and confused consumers.

The wave of phishing emails, robocalls or "vishing" - phone phishing -- has hit both large and small institutions alike in the past month. Even banking regulatory agencies such as the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) were hit with a spate of fraudulent emails to consumers, purporting to be from the agencies. (See related: FDIC - Special Alert - Phishing Scams Involving Financial Institutions in the News ).

According to a report from Message Labs, an email protection and encryption vendor, as the global credit crisis worsened in October, phishing attacks rose by 103 percent.

The targets: national banks, global banks, smaller state banks and credit unions and online retail sites. As change remains a prevalent force in the world's banking system, the phishing attacks take advantage of the media frenzy around mergers and buyouts. MessageLabs, which recently announced it would be acquired by Symantec, says phishers have targeted Bank of America, Wachovia, JP Morgan Chase and Washington Mutual and even large British-based banks like Lloyds TSB and the Royal Bank of Scotland.

Beginning on October 16, MessageLabs says it intercepted 7,000 phishing attacks exploiting Bank of America -- 1.2 percent of phishing for that day, in a large, short-lived spike spanning 2 hours. The company says that the same phishing emails more than doubled to 15,000 on the following day and continued through the weekend, reaching 125,000 total emails -- 16 percent of all phishing for the weekend until giving way to a large American Express phish run starting at 5 a.m. on October 20 and reaching 35,000 emails for the day, or 17 percent of phishing attacks detected on Monday.

MessageLabs' analysis of IP data determined that the Cutwail botnet, currently the largest botnet controlling more than 1 million active bots, is responsible for both scams.

"During a trying time like this when banks are making global headlines, we would expect spammers to latch on to the credit crisis to take advantage of vulnerable investors and anxious consumers who have been sorely affected by the events of the past few months and are looking for relief or a boost in confidence," says Mark Sunner, Chief Security Analyst, MessageLabs in a statement.

Credit Unions, Banks Hit Across Nation
How bad is this phishing season? Here are some examples of scams spanning the nation:

TIC Federal Credit Union, Columbus, GA: Several residents of the Greeneville, TN, area say they received e-mail on October 24 from a Columbus, GA credit union, TIC Federal Credit Union. The credit union's spokesman says the emails the Greeneville TN residents were sent were part of a phishing scam designed to defraud those who opened the email by asking them for personal information when they called a toll-free number. The credit union was unable to say how many customers were affected by the phishing email.

Taylorsville Beehive Credit Union, Taylorsville, Utah: A "billing failure" phishing email sent to members of the Taylorsville Beehive Credit Union in Taylorsville, UT on October 25 says that the member's account has been suspended for a billing failure and asks the member to update information through a link to a page that looks like the credit union's BeeOnline login screen. The credit union's website warns its members that the institution will never ask a member to update their information via email. Utah leads the nation in scam and fraud complaints to the Federal Trade Commission, with an average of 178 complaints per 100,000 population.

American National Bank of DeKalb County, IL: Using both phone calls and emails, criminals tried to scam customers from two different banks in DeKalb, IL on October 16. The American National Bank of DeKalb County and Resource Bank were the two banks. Some county residents received emails and others got automated phone calls that give directions to call an 800 number to reactivate an account.

Brad Hertzner, vice president and compliance officer at American National Bank of DeKalb County told local news, "The phone scam was awful. Some people were getting calls at 1 in the morning. Who would think someone would be mean enough to wake you up and scam you?" The banks were not certain if any customers had given out their information.

Butte Community Bank, Chico, CA: This community bank's customers were hit with automated phishing phone calls on October 14. Butte Community Bank's customers were called by phishers looking for credit card information, by saying that the customer's credit card has been compromised. While at first the calls looked like they were coming from a San Jose, CA area code, the phone number listed was for a legitimate Internet provider, Garlic.com, that says it has filed complaints with the FCC and FBI over the use of its phone numbers by scam artists. John Coger, President of Butte Community Bank states "We find these things are coming from foreign countries."

Bank of the Cascades, Bend, OR: On October 14, the Bank of the Cascades says its customers were targeted with a similar attack using phone numbers. The bank's CEO, Patricia Moss, says the scam was quickly shut down. The bank says it now works with the Federal Trade Commission to combat these types of scams and shuts them down within minutes of learning of them by shutting off the associated phone numbers.

Commerce Bank, Wichita KS: This bank says it was hit with phishing emails in October. Debbie Harding, a bank spokesperson, says the bank's security team is aware that two emails were distributed using the Commerce name. One email has as its subject line "Commerce Bank Security Alerts," says Harding, the other also used the Commerce name and contained an embedded link.

The Middlesex Savings Bank, Natick, MA: also says on October 22 its customers got phishing phone calls and emails stating that their check card was suspended. Middlesex Savings Bank says it recently implemented a state-of-the-art Check Card fraud protection program designed to detect any issues and take action, including contacting the customer to verify activity.

North Middlesex Savings Bank, Ayer, MA: Another bank, North Middlesex Savings Bank in Ayer, MA warns customers on its website of fraudulent phone calls. "This appears to be widespread," said Mary Markham, SVP Operations, NMSB. "The calls have hit Shirley, Ayer, Groton and Leominster, among other towns. Also, the number being called from is not consistent." She adds that while the bank does use a fraud service, "the calls are made from a live person - not an automated voice. When we suspect fraud on an account, the customer is called directly and asked to verify specific transaction information. If the customer is not available, a message is left with a call back number."

City of Boston Credit Union: Phishers even tried to lure members from the City of Boston Credit Union, in October by offering members a deposit of $99.99 into the member's account if they take a customer satisfaction survey. After the survey, members were asked to provide their name, credit card number, expiration date and personal identification code. This phishing attempt was made a month after scammers posed as online representatives from the Boston Firefighters Credit Union. The City of Boston Credit Union's CEO Daniel Trombley says members were told to ignore the emails but some fell for the scam, and the credit union had to cancel their cards and reissue new ones. The $225 million asset credit union says the fraudulent emails continued showing up for more than a week.

More Turmoil, More Scams
All of these fraudulent scams are indicative of the types of economic-turmoil scams predicted by the Federal Trade Commission in early October. The FTC says some will appear to be emails from banks that have bought a bank, or acquired a mortgage lender.

Financial institutions should be ready to respond and should expect more of these types of emails to come to their customers, says Anne Wallace, President of the Identity Theft Assistance Center (ITAC). "Whether it's a natural disaster or a man-made one, criminals prey on the confusion and anxiety that follows to steal personal information and money," she says. Wallace predicts that there will be a rise in scams related to problems in the credit markets, including phony refinancing schemes and home equity loan schemes. She tells institutions to warn their customers to get the information up front, in writing and to read the fine print.

Examples of the types of economic-turmoil scams include one attack that used Citigroup's attempted takeover of Wachovia as a way to steal Wachovia customer credentials. (Wells Fargo eventually outbid Citigroup for Wachovia). This surge in phishing that tells customers due to the new takeover, "they need new credentials," says Ori Eisen, founder and chief innovation officer for 41st Parameter, a information security company, which in turn makes it very easy for phishers to snag new victims.

Indications that this is a growing trend can be seen by research data from information security research companies. In the past two months Finjan researchers say they have found three times the number of servers with stolen data. Prior to this, the company would find only five or six servers in a month; now they're finding that many in a single week. Finjan's CTO Yuval Ben-Itzhak suspects that increased phishing attacks may be a reason for this higher number.

Best advice for financial institutions to give to their customers about these phishing scams? Be wary. "Times are tough. Urge your customers to take extra measures to protect their personal information and be careful in responding to any request for their personal information," says ITAC's Wallace. "The last thing you and your customer need to deal with is identity theft."

Institutions should also be ready to respond quickly to shut down phishing sites or phone numbers and have prepared an incident response plan for stopping phishing attacks.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.