Security Information
The Looks Too Good To Be True.com website was built to educate you, the consumer, and help prevent you from becoming a victim of an Internet fraud scheme.
The website was developed and is maintained by a joint federal law enforcement and industry task force. Funding for the site has been provided by the United States Postal Inspection Service and the Federal Bureau of Investigation. Key partners include the National White Collar Crime Center, Monster.com, Target and members of the Merchants Risk Council.
Phishing Attempt — Email solicitation using NCUA address
[October 2010]—A recent phishing attempt is trying to obtain credit card account numbers, expiration dates and electronic signatures from credit union members. The scam works like this: A fraudulent email, claiming to be from the NCUA (National Credit Union Administration) states the NCUA will add $50 to the member’s account for taking part in a survey. The link embedded in the message directs respondents to a counterfeit version of the NCUA’s website with an illicit survey that solicits the desired credit card account numbers and other confidential personal information.
The NCUA is concerned that the imitation of its website and official logo makes the scam appear authentic to unsuspecting members. NCUA will never ask credit union members or the general public for account numbers or other personally identifiable information as part of a survey.
Fraud Alert
[March 2010]—We have received recent reports of automated phone calls being made to people across the U.S. The calls claim that your cardholder account has been deactivated or that your credit card has been used illegally, and ask you to call an 800 number, where an attempt is made to obtain your account number and other personal information. THESE CALLS ARE FRAUDULENT. You should NEVER give out personal information in response to an unsolicited phone call, text or e-mail. CFCU WILL NEVER ASK YOU FOR SUCH INFORMATION, NOR WILL ANY FEDERAL AGENCY OF THE U.S. GOVERNMENT. If you have already given out this information, please contact CFCU immediately!
Please be advised of a new phishing scheme
[February 2010]—Random individuals and/or companies may have received a falsified e-mail with the subject title, “Rejected ACH Transaction.” This e-mail appears to be from NACHA — The Electronic Payments Association, telling them there is a problem with an ACH transaction they have originated.
The e-mail includes a link which redirects the individual to a fake web page set up to look just like the NACHA website; that page in turn contains a link that almost certainly downloads an executable file carrying malware.
Be advised that this e-mail did not originate from NACHA, the website is not NACHA’s, and, as always, never click on a link in any unknown or unsolicited e-mail.
Smishing (Text Messaging) Attacks Increase
[September 2009]—You’ve probably heard about “phishing,” where crooks send thousands of counterfeit e-mails that look like they’re from reputable organizations in order to steal your personal information. Now scammers are turning to text messaging for the same fraudulent purposes.
Called “Smishing” (or “text phishing”), these attacks are impacting debit and credit card holders at financial institutions located primarily in the eastern region of the United States. Smishers use cell phone text messages to persuade victims to provide personal information such as card numbers, security codes and PINs. The text may contain either a website or more commonly, a phone number that connects to an automated voice response system, which then asks for personal information. Following are examples of common “smishing” approaches:
• ABC Credit Union- has- deactivated-your-Debit card. To-reactivate-contact: 210-957-XXXX.
• sms.alert@visa.com/VISA (Card Blocked) Alert. For more information please call 1-877-296-XXXX.
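The two messages above share one structure: a card or account reference, alarming wording, and a callback number or address the victim is meant to use. The following Python scorer is an added example for this page, not part of the original alert or any institution's software; the sample messages are constructed from the two patterns quoted above (with placeholder numbers in place of the masked XXXX digits), the allow-list of published numbers is hypothetical, and the ten-digit to eleven-digit number normalisation assumes North American numbering.

```python
import re

# Constructed sample messages modelled on the two patterns quoted above.
# Phone numbers are placeholders (the page masks them with XXXX), not real numbers.
SAMPLE_MESSAGES = [
    "ABC Credit Union- has- deactivated-your-Debit card. To-reactivate-contact: 210-957-0000.",
    "sms.alert@visa.com/VISA (Card Blocked) Alert. For more information please call 1-877-296-0000.",
    "Your package is ready for pickup at the front desk.",
    "ABC Credit Union: your statement is ready. Call the number on the back of your card with questions.",
]

# Hypothetical allow-list: numbers the institution actually publishes (digits only, leading 1).
KNOWN_GOOD_NUMBERS = {"18005550100"}

FINANCIAL_RE = re.compile(r"\b(credit union|bank|visa|mastercard|debit card|credit card|account|pin)\b")
URGENCY_RE = re.compile(r"\b(deactivat|reactivat|blocked|suspend|locked|unauthori|verify|expire)")
PHONE_RE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
HYPHEN_OBFUSCATION_RE = re.compile(r"[A-Za-z]-\s*[A-Za-z]")


def normalize(text):
    # Smishers insert hyphens and odd spacing between words to defeat naive
    # keyword filters; collapse those before matching keywords.
    return re.sub(r"\s+", " ", re.sub(r"[-_]+", " ", text)).lower()


def canonical_number(match):
    # Assumption: North American numbers; a 10-digit number gets country code 1.
    digits = re.sub(r"\D", "", match)
    return digits if len(digits) == 11 else "1" + digits


def analyze(message):
    text = normalize(message)
    reasons = []
    callbacks = [canonical_number(m) for m in PHONE_RE.findall(message)]
    contacts = callbacks + URL_RE.findall(message) + EMAIL_RE.findall(message)

    financial = bool(FINANCIAL_RE.search(text))
    urgent = bool(URGENCY_RE.search(text))
    if financial:
        reasons.append("mentions a card, account or financial institution")
    if urgent:
        reasons.append("alarming wording (blocked, deactivated, verify, ...)")
    for number in callbacks:
        if number not in KNOWN_GOOD_NUMBERS:
            reasons.append(f"callback number {number} is not a published institution number")
    if EMAIL_RE.search(message):
        reasons.append("a brand e-mail address is embedded in the text to fake a sender")
    if HYPHEN_OBFUSCATION_RE.search(message):
        # Weak signal on its own ("e-mail" triggers it too); useful combined with the rest.
        reasons.append("hyphens inserted between words")

    # Treat a message as smishing when it presses both the financial and the
    # urgency button AND hands the victim a channel to respond through.
    suspicious = bool(contacts) and financial and urgent
    return {"suspicious": suspicious, "reasons": reasons, "callback_numbers": callbacks}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze(msg)
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", msg[:60])
        for reason in result["reasons"]:
            print("    -", reason)
```

The extracted callback number, not the keywords, is the most useful output: it can be checked against the institution's published numbers, and a number that is not on that list is exactly the case where the advice above applies, call the number you already know instead.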
REMEMBER: Never give out personal information in response to an unsolicited e-mail, phone call or text message. If you are in doubt as to the authenticity of any communication or request for information, initiate contact back to the institution using a phone number, e-mail or web address you know to be legitimate.
Rogue (Fake) Anti-Virus Software: How to Spot it & Avoid It!
Your PC May Be Infected!
Click here to clean it!
[May 2009]—Have you seen this advertisement or similar pop-up messages? A free PC scan or an offer to clean your computer of supposedly infected files are often attempts by malevolent persons or organizations to install malicious software (malware) such as a Trojan horse, keylogger, or spyware. Such software is referred to as rogue (fake) anti-virus malware.
How can my system get infected?
The primary way rogue anti-virus software gets on your system is the result of you clicking on a malicious link in an advertisement or similar pop-up message. The wording contained in the advertisement is usually something alarming, designed to get your attention and convince you to scan or clean your PC immediately with the offered tool. The names of the fake programs sound legitimate, and often, in a further attempt to make the malware appear legitimate, the programs may prompt you to pay for an annual subscription to the service.
Any kind of website could host ads for rogue anti-virus: news sites, sports pages, and social networking sites as well as “riskier” sites such as hacker blogs. Some varieties of rogue anti-virus programs will also get installed on your machine just by you visiting a website with a malicious ad or code, and you might never know you’ve been impacted.
Won’t my valid anti-virus and anti-spyware program protect my computer?
Though good anti-virus and anti-spyware programs will protect against many threats, they cannot protect against all malware threats, especially the newest ones. There are millions of different versions of malware, with hundreds more being created and used every day. It may take a day, a week, or even longer for anti-virus companies to develop and distribute an update to detect and clean the newest malware.
What can rogue anti-virus software do to my computer?
Just about anything, especially if you are using administrative-level access when using your computer. Rogue anti-virus software might perform many activities, including installing files to monitor your computer use or steal credentials, installing backdoor programs, or adding your computer to a botnet. The malware might even use your computer as a vehicle for compromising other systems in your home or workplace network.
Rogue anti-virus software can also modify system files and registry entries so that even when you clean off some infected files or registry keys others might remain, or even allow the infections to be restored and active again after your system is rebooted. For example, one recent rogue anti-virus program reportedly installed several malicious Trojan files, and also made over two dozen different changes to ensure that the malware stayed on the system and stayed running. This type of malware also often blocks access to valid security sites (anti-virus and anti-spyware companies, and operating system and application update sites) so that you won’t be able to patch or clean your system by visiting those valid sites.
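One common way this family of malware blocked security and update sites was to rewrite the hosts file so that vendor names resolved to the local machine or to an attacker's server. The Python check below is an added example for this page, not code from MS-ISAC or from any anti-virus vendor; it assumes the hosts-file mechanism, the list of protected domains is a constructed starting point, and the sample hosts content is made up (203.0.113.0/24 is a documentation address range).

```python
import sys

# Domains whose blocking would stop the user patching or cleaning the machine.
# Constructed list for the example; extend it with the vendors you rely on.
PROTECTED_DOMAINS = {
    "windowsupdate.com", "update.microsoft.com", "microsoft.com",
    "symantec.com", "mcafee.com", "kaspersky.com", "avg.com", "virustotal.com",
}

# Constructed hosts-file content imitating a rogue anti-virus modification.
# Loopback/0.0.0.0 entries "blackhole" the vendor; the 203.0.113.55 entry would
# silently send update traffic to a server the attacker controls.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
203.0.113.55    update.microsoft.com windowsupdate.com
0.0.0.0         www.kaspersky.com
192.168.1.20    intranet.corp.example
"""

LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parent_domains(host):
    # "liveupdate.symantec.com" -> ["liveupdate.symantec.com", "symantec.com", "com"]
    parts = host.lower().split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def parse_hosts(text):
    """Yield (line number, address, [names]) for each non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        fields = line.split()
        if len(fields) >= 2:
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def suspicious_hosts_entries(text):
    """Return protected domains that the hosts file blackholes or redirects."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOCALHOST_NAMES:
                continue
            matched = next((d for d in parent_domains(name) if d in PROTECTED_DOMAINS), None)
            if matched is None:
                continue
            kind = "blackholed" if addr in BLACKHOLE_ADDRESSES else f"redirected to {addr}"
            findings.append({"line": lineno, "name": name, "address": addr,
                             "kind": kind, "matched": matched})
    return findings


def read_system_hosts():
    # Assumption: standard file locations; reading may need elevated privileges.
    path = r"C:\Windows\System32\drivers\etc\hosts" if sys.platform.startswith("win") else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    text = SAMPLE_HOSTS if len(sys.argv) < 2 or sys.argv[1] != "--live" else read_system_hosts()
    for f in suspicious_hosts_entries(text):
        print(f"line {f['line']}: {f['name']} {f['kind']} (matches {f['matched']})")
```

Run it with `--live` to inspect the real hosts file. A hit here is a strong sign of tampering, because legitimate software almost never needs to map a vendor's update host anywhere; the fix is to remove the lines, but only after the malware that wrote them has been cleaned, or they will come back on the next reboot as the paragraph above describes.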
What can I do to protect my computer?
- Don’t click on pop-up ads that advertise anti-virus or anti-spyware programs. Even though pop-up ads are used for valid advertising they can also be used for malicious purposes, like getting you to install fake security programs. If you are interested in a security product, search for it and visit its homepage, don’t get to it through a pop-up ad.
- Use and regularly update firewalls, anti-virus, and anti-spyware programs. It is very important to use and keep these programs updated regularly so they can protect your computer against the most recent threats. If possible, update them automatically and at least daily.
- Properly configure and patch operating systems, browsers, and other software programs. Keep your system and programs updated and patched so that your computer will not be exposed to known vulnerabilities and attacks.
- Turn off ActiveX and Scripting, or prompt for their use. ActiveX controls are small programs or animations that are downloaded or embedded in web pages, which will typically enhance functionality and user experience. Many types of malware can infect your computer when you simply visit a compromised site and allow anything to run from the website, such as ads. Turning off ActiveX and Scripting can help protect your computer if you inadvertently browse to or are unwillingly redirected to a malicious site. (You can limit the functionality of your Internet browser through its configuration choices, but be sure to look for a guide if you are unfamiliar with how to limit scripting and active content—see below for resources.)
- Keep backups of important files. Sometimes cleaning infections can be very easy; sometimes they can be very difficult. You may find that an infection has affected your computer so much that the operating system and applications need to be reinstalled. In cases like this it is best to have your important data backed up already so you can restore your system without fear of losing your data.
- Regularly scan and clean your computer. If your organization already has configured this on your computer, do not disable it. If you need to scan your computer yourself, schedule regular scans in your programs. Also, several trusted anti-virus and anti-spyware vendors offer free scans and cleaning. Access these types of services from reputable companies and from their webpage, not from an unexpected pop-up.
For more information, please visit:
Partial Listing of Rogue Security Software: http://en.wikipedia.org/wiki/Rogue_software
Free Security Checks: www.staysafeonline.info/content/free-security-check-ups
Pop-ups: www.msisac.org/awareness/news/2008-12.cfm
Web Browser Attacks: www.msisac.org/awareness/news/2008-07.cfm
Malware: www.onguardonline.gov/topics/malware.aspx
Spyware: www.onguardonline.gov/topics/spyware.aspx
Free Check for File Infection: www.virustotal.com/
For more monthly cyber security newsletter tips visit:
www.msisac.org/awareness/news/
The information provided in the Monthly Security Tips Newsletters is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture. Organizations have permission--and in fact are encouraged--to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Brought to you by: MS-ISAC, www.msisac.org.
Here’s how phishing works:
[April 2009]—You’ll receive an e-mail that appears to come from a reputable company like a financial institution or government agency, including one of the federal financial regulatory agencies.
The e-mail will warn you of a serious problem that requires immediate attention. It may use phrases such as, “Immediate attention required,” or “Please contact us immediately about your account.” It will then encourage you to click on a button to go to the institution’s Web site. You could be redirected to a phony site that looks exactly like the real thing. Or the link may lead to the company’s actual Web site while a pop-up window appears to harvest the information.
You may be asked to update your account information, or provide information for verification purposes, such as your Social Security number, account number, password, your mother’s maiden name or your place of birth.
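Whether the lure is the NCUA “survey” described earlier or the generic “click the button” e-mail described here, the tell is in the link itself: the address the text shows and the address the browser will actually open are different things. The Python inspector below is an added example for this page, not code from CFCU or any regulator; the HTML fragment is constructed to imitate such a lure (the hostnames are example/documentation names, not real phishing sites), the claimed brand domain list is an assumption, and the “registrable domain” helper deliberately simplifies to the last two labels.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the lure claims to be from (assumption for the example).
CLAIMED_BRAND_DOMAINS = ["ncua.gov"]

# Constructed HTML fragment imitating the lures described above.
# Hosts are example/documentation names, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Dear member, take our survey and receive $50. Immediate attention required.</p>
<p><a href="http://ncua-survey.example.net/login">https://www.ncua.gov/survey</a></p>
<p><a href="http://www.ncua.gov@203.0.113.10/survey">Click here to begin</a></p>
<p><a href="https://www.ncua.gov/">www.ncua.gov</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_url(url):
    # Bare "www.example.com" in visible text is treated as a URL too.
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.netloc


def registrable(host):
    # Simplification: last two labels. Production code should use the
    # Public Suffix List, since e.g. example.co.uk needs three labels.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


URL_LIKE_TEXT = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def inspect_links(html):
    """Return one finding per link with the list of deception indicators found."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, netloc = split_url(href)
        issues = []
        if not host:
            issues.append("href has no host")
        if "@" in netloc:
            # http://www.ncua.gov@203.0.113.10/ connects to 203.0.113.10; the part
            # before '@' is userinfo and only exists to fool the reader.
            issues.append("userinfo before '@' disguises the real host")
        if is_ip(host):
            issues.append("href points at a raw IP address")
        if URL_LIKE_TEXT.fullmatch(text):
            shown, _ = split_url(text)
            if registrable(shown) != registrable(host):
                issues.append(f"visible text shows {shown} but link goes to {host}")
        for brand in CLAIMED_BRAND_DOMAINS:
            label = brand.split(".")[0]
            if label in host and registrable(host) != brand:
                issues.append(f"'{label}' appears in a domain that is not {brand}")
        findings.append({"href": href, "text": text, "host": host, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL_HTML):
        print(f"{f['host'] or '(none)'}: {'; '.join(f['issues']) or 'no indicators'}")
```

The third link is the control: text and target agree, so it produces no indicators. In a mail gateway the same checks are usually run on the URL the message was rendered with (after decoding any tracking redirector), but hovering over a link before clicking shows a human the same href this code reads.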
How to protect yourself:
- Never provide your personal information in response to an unsolicited request whether over the phone or the Internet.
- Never click on the link provided in an e-mail you believe is fraudulent.
- If you believe the contact may be legitimate, contact the financial institution yourself. The key is that you should be the one to initiate the contact using contact information you have verified.
- Never provide your password over the phone or in response to an unsolicited Internet request. (Do not be intimidated by an e-mail or caller who suggests dire consequences if you do not immediately provide or verify financial information.)
- Review account statements regularly to ensure all charges are correct.
- If you fall victim to an attack, act immediately. Alert your financial institution. Place fraud alerts on your credit files with the three major credit bureaus (Equifax—800-525-6285, Experian—888-397-3742, TransUnion—800-680-7289). Monitor your credit files and account statements closely.
REMEMBER: CFCU already has your personal information on file. We do not need and will not ask for it!
Beware of bogus IRS phishing scam
[MADISON, Wis. 3/3/09]—A bogus e-mail that appears to be from the Internal Revenue Service (IRS) is making the rounds. It tells recipients they are about to be audited or are due a big refund. The Delaware Credit Union League is alerting its member credit unions about the scam.
The e-mail uses the IRS logo at the top, but the message is phony (MSNBC.com via Delaware Credit Union League Risk Alert March 2).
The scammers want consumers to click on a link in the e-mail that takes the recipient to the scammers' website--which looks identical to the IRS site.
The bogus site contains a form that asks for Social Security number, birth date, mother's maiden name, credit card information and an ATM card personal identification number.
With this information, scammers could charge items to consumers' credit cards and drain their bank and credit union accounts. The Social Security numbers could be used to access medical records and financial accounts, and even assume the consumer's identity.
The IRS does not send taxpayers unsolicited e-mail about their account or private information. An unsolicited e-mail that purports to be from the IRS is bogus. Don't click on links or open attachments. Delete the e-mail.
New Fraud Alert from NCUA — Vishing!
[October 2008]—The NCUA has warned numerous times about "phishing" scams in which crooks send e-mails claiming to be from legitimate financial institutions, companies, or government agencies asking consumers to "verify" or "re-submit" confidential information such as bank account and credit card numbers, Social Security Numbers, passwords, and personal identification numbers. A variant on that approach using telephone systems, vishing, is increasingly being used to obtain this information from unwary consumers.
Consumers are becoming more aware that an e-mail they receive containing a link or other contact information could be malicious in nature. So criminals are moving away from primarily using email as a method to gain confidential information to using methods victims are more familiar with, like calling a number.
In essence, vishing is the criminal practice of using social engineering and Voice over Internet Protocol (VoIP) telephony to gain access to private personal and financial information from the public for the purpose of financial reward. The term vishing is a combination of "voice" and phishing. Vishing exploits the public’s trust in landline telephone services, which have traditionally terminated in physical locations, are known to the telephone company, and are associated with a bill-payer. The victim is often unaware that VoIP allows for caller ID spoofing, thus providing anonymity for the criminal caller. Vishing is attractive to criminals because VoIP service is fairly inexpensive, especially for long distance, making it cheap to place fake calls. In addition, because VoIP runs over the Internet, criminals can use software to create phony automated customer call center service lines.
An example of a vishing scam is when a consumer receives a recorded message telling them that their credit card and/or financial institution account has been breached and to immediately call a number provided in the recorded message. The phone number provided in the message leads the consumer to a “fraudulent call center” established by the perpetrator of the fraud. The perpetrator then attempts to obtain confidential account information and login credentials in order to access the account. A twist on this scam is when the recorded message provides the address of a fraudulent website for the consumer to access (instead of a telephone number) and to provide certain information to reinstate the supposedly affected account(s).
Vishing is very hard for authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages (telephone, email, or otherwise) directing them to call and provide personal, confidential, and/or account related information. Rather than provide any information, the consumer should contact their financial institution or credit card company directly to verify the validity of the message using contact information they already have in their possession (i.e., do not use contact information provided in the suspicious message).
NCUA will continue to follow this issue and provide you with additional information as warranted.
New Fraud Alert from NCUA - Text Messages
[October 2008]—Beware of unsolicited text messages sent to your cell phone urging you to call the number provided for information about account discrepancies. The goal of these messages is to obtain your personal information for fraudulent purposes. Remember, you should never give out any information in response to any unsolicited e-mail, phone call or text message.
NCUA will continue to follow these issues and provide you with additional information as warranted.