Phishing
Pharming
ATM Skimming
Mortgage Fraud
Access to Passwords
What is Phishing?
- "Phishing" is the sending of bogus e-mails, allegedly from a financial institution or other online business, by criminals who hope to hook the unwary.
- Those who “bite” by clicking on a hyperlink in the e-mail are shipped off to a phony but authentic-looking website and asked to enter sensitive information.
- If your members type in their passwords, social security numbers or account numbers, identity thieves have that data.
Background on Phishing
2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless he clicked on the provided link and updated his credit card information, which the genuine eBay already had.
Statistics on Phishing
The average monthly growth rate in phishing sites increased 28% from July 2004 through March 2005, with the financial services industry the most-targeted industry for phishing attacks, according to the Anti-Phishing Work Group (APWG).
Note: APWG, which is based in Massachusetts, is comprised of business and law enforcement agencies around the globe.
- Financial institutions averaged 81% of all "hijacked brands" in March 2005.
- Phishing attacks have been reported against credit unions and community banks and well-known institutions with global brands (Desert Morning News May 5, 2005).
- Even the Credit Union National Association (CUNA) and the National Credit Union Administration (NCUA) have been recent phishing targets.
- The Pennsylvania Credit Union Association (PCUA) said it received numerous fraudulent e-mails appearing to be from NCUA, seeking "account verification." (Life is a Highway May 9).
- NCUA, like CUNA, has posted a fraud alert on its website.
It's so Easy
Because it is relatively simple to make a Web site look like a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay's site to update their account information.
How to Identify a Phishing Scam
- The "From Field" appears to be from the legitimate company mentioned in the e-mail. It is important to note, however, that it is very simple to change the "from" information in any e-mail client.
- Look for logos that are not an exact match to the company's logo, spelling errors, percentage signs followed by numbers or @ signs within the hyperlink, random names or e-mail addresses in the body of the text, or even e-mail headers which have nothing to do with the company mentioned in the e-mail.
- The e-mail will contain a clickable link with text suggesting you use the inserted link to validate your information. In the image you will see that once the hyperlink is highlighted, the bottom left of the screen shows the real Web site address to which you will go.
What is Pharming?
"Pharmers" plant a seed of malicious software in the user's own computer or poison servers that direct traffic on the Internet.
The result: even if you type in the correct address of a website, the software can send you to a bogus site.
Pharmers can actually manipulate the domain name system (DNS) that translates URLs into the IP addresses that computers understand.
Fraudsters can send you to a scam Web site even if you type in the correct URL.
On a small scale, pharmers can use emailed viruses to compromise individual machines and rewrite local host files.
On a larger scale, attacks could be launched via "DNS poisoning,"
Pharmers simply redirect as many users as possible from the legitimate commercial websites they'd intended to visit and lead them to malicious ones. The bogus sites, to which victims are redirected without their knowledge or consent, will likely look the same as a genuine site. But when users enter their login name and password, the information is captured by criminals.
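A defensive check for the small-scale case described above, a rewritten local hosts file, as an added example that is not part of the original page. The watched domain `bank.example` and the sample file contents are constructed placeholders; the assumption is that names you bank with should be resolved through DNS and never be pinned in the hosts file.

```python
import ipaddress

def audit_hosts(text, watched):
    """Return (line_no, ip, name) for hosts entries that override a watched name.

    A name matches when it equals a watched domain or is a subdomain of one.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # strip IPv6 zone id
        except ValueError:
            continue                              # not a valid hosts entry
        for name in fields[1:]:                   # one address may carry several names
            name = name.lower().rstrip(".")
            if any(name == w or name.endswith("." + w) for w in watched):
                findings.append((n, str(ip), name))
    return findings

# Constructed sample hosts file contents.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 203.0.113.7 www.bank.example   (commented out, ignored)
203.0.113.7 www.bank.example login.bank.example  # constructed rogue entry
192.0.2.44  printer.lan
"""
```

On Windows the file is normally `%SystemRoot%\System32\drivers\etc\hosts` and on Unix-like systems `/etc/hosts`; read it and pass its text to `audit_hosts` together with the set of domains you want to watch.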
A Cute Pharming Analogy
"Phishing is to pharming what a guy with a rod and a reel is to a Russian trawler. Phishers have to approach their targets one by one. Pharmers can scoop up many victims in a single pass," said Chris Risley, president and chief executive officer of Nominum, a provider of IP address infrastructure technology for businesses.
Sample ATM Skimmer Device
A team of organized criminals is installing equipment on legitimate ATMs in at least 2 regions to steal both the ATM card number and the PIN. The team sits nearby in a car receiving the information transmitted wirelessly over weekends and evenings from equipment they install on the front of the ATM (see photos). If you see an attachment like this, do not use the ATM and report it immediately to the 800 number or phone number shown on the front of the ATM.
The equipment used to capture your ATM card number and PIN is cleverly disguised to look like normal ATM equipment. A "skimmer" is mounted to the front of the normal ATM card slot that reads the ATM card number and transmits it to the criminals sitting in a nearby car.
At the same time, a wireless camera is disguised to look like a leaflet holder and is mounted in a position to view ATM PIN entries.
The thieves copy the cards and use the PIN numbers to withdraw thousands from many accounts in a very short time directly from the ATM.
Photo captions:
- Equipment being installed on front of existing bank card slot.
- The equipment as it appears installed over the normal ATM bank slot.
- The PIN reading camera being installed on the ATM is housed in an innocent looking leaflet enclosure.
- The camera shown installed and ready to capture PINs by looking down on the keypad as you enter your PIN.
Mortgage Fraud
The Ten Warning Signs of Predatory Lending
The questions below are a good way for you to know if someone could be misleading you about a loan and its costs to you. Just because you answer "yes" to these questions does not mean you are or have been a victim of predatory lending. But, if you answer "yes" to some of the questions, we recommend you contact the appropriate state agency, by clicking on the Report Abusive Lending link above, for more information and guidance.
Were you encouraged to include false information on your loan application?
Were you asked to leave signature lines or any other important line-item of any form blank? Did the lender or broker alter any information you entered on your loan application?
Check your loan file. Are any of the following disclosures missing?
- Good Faith Estimate
- Special Information Booklet
- Truth in Lending
- HUD-1 Settlement Statement
Have you refinanced your loan several times, and in each instance increased either your monthly payment and/or the total amount you owe on your home?
Do your documents reveal that your interest rate calculation will change to require you to pay "daily interest" in instances when your payments are late?
Is your loan amount on the loan you obtained higher than the value of the home?
Did you incur any unexpected costs at settlement that were not explained to you prior to the settlement?
After settlement, were you surprised to find that the monthly payments on your mortgage loan were higher than you anticipated based on the initial disclosures?
If you have a balloon loan (one in which after a series of low payments the entire loan balance is due in a large lump sum), will you need to obtain another loan to finance that final lump sum amount?
Were you required to buy credit insurance, insurance that will repay the debt if you die or become disabled? (Note: Credit insurance is optional and will not affect your loan decision if you decline to buy it. It can, however, add considerable cost to the loan transaction. You should decide whether you are going to purchase credit insurance.)
Utilizing Strong Passwords
Imagine the sense of vulnerability that you would have if you ever lost your wallet or purse: someone else could be using your identification as if they were you. This same someone could do just as much damage if they were to get your passwords, log on to your computer and access all your online accounts, personal information and more.
What could someone do if they have your passwords?
Access information on your computer, such as your financial records, e-mail messages, stored lists of passwords, and private information.
Open new accounts and buy to the extent of your credit limits.
Change your mailing address, have items purchased (and bills) sent to them.
Withdraw money from your bank accounts.
Buy or sell stocks.
Apply for loans, including mortgages.
Pretend to be you in online chats or other online activities, such as auctions.
Think of your password as if it were a key to your home and everything you own, including your reputation, financial freedom, and sanity.
Checklist for Password Protection
Many hackers use "dictionary" forms of software tools that run rapidly through thousands of likely passwords, looking for easy marks. Help protect your security by using unlikely or strong passwords and managing your password carefully.
The challenge, of course, is creating a password that you can remember, but is hard for anyone else to guess.
1. What makes a password strong?
Make sure you create a password that:
Is at least seven characters in length, and the longer the better. Some system passwords can be up to 128 characters long.
Includes upper and lower case letters, numerals (and some say symbols)
Has at least four different characters in your password (no repeats)
Looks like a sequence of random letters and numbers
Make sure you:
Don't use ANY PART of your logon name for your password
Don't use any actual word or name in ANY language
Don't use numbers in place of similar letters
Don't reuse any portion of your old password
Don't use consecutive letters or numbers like "abcdefg" or "234567"
Don't use adjacent keys on your keyboard like "qwerty"
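The checklist above expressed as a checker, as an added example that is not part of the original page. The word list is a small constructed sample, and the minimum overlap lengths (3 characters for the logon name, 4 for old passwords and keyboard runs) are assumptions, since the page gives no numbers for them.

```python
import re

# Constructed sample word list; a real check would load a full dictionary.
WORDS = {"password", "welcome", "dragon", "monkey", "summer", "secret"}
LEET = str.maketrans("013457@$!", "oleastasi")   # numbers/symbols -> similar letters
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def shares_run(a, b, n):
    """True if some n-character piece of a appears in b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))

def has_sequence(pw, n=3):
    """True if pw contains n consecutive letters or digits, like abc or 234."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        win = s[i:i + n]
        if win.isalnum() and all(ord(win[k]) + 1 == ord(win[k + 1]) for k in range(n - 1)):
            return True
    return False

def check_password(pw, logon, old_pw=""):
    """Return the checklist rules that pw violates (empty list = passes)."""
    low, problems = pw.lower(), []
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)):
        problems.append("needs upper case, lower case and numerals")
    if len(set(pw)) < 4:
        problems.append("fewer than four different characters")
    if shares_run(logon, pw, 3):
        problems.append("contains part of the logon name")
    if any(w in low for w in WORDS):
        problems.append("contains a dictionary word")
    elif any(w in low.translate(LEET) for w in WORDS):
        problems.append("numbers used in place of similar letters")
    if old_pw and shares_run(old_pw, pw, 4):
        problems.append("reuses part of the old password")
    if has_sequence(pw):
        problems.append("consecutive letters or numbers")
    if any(shares_run(row, pw, 4) for row in KEY_ROWS):
        problems.append("adjacent keyboard keys")
    return problems
```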
2. Manage your passwords
You'd be surprised at the number of people who write down their secret password, and tape it to the monitor or tuck it into a desk drawer next to their computer. Be sure you:
Keep it to yourself.
Do not write it down.
Do not share it with anyone.
Do not check the "remember my password" feature, without considering the value of the data the password protects.
Create different passwords for information that needs a high level of protection (e.g. at financial Web sites) and for information that needs only casual protection (e.g. online magazines).
Change your password at least every six months.
If you had reason to tell someone your password, then create a new one at your earliest opportunity.
Tip: Strong Passwords
Create a password from a phrase. Instead of using a memorable word, choose a memorable event in your life and convert it to a secret code. For example:
Using first letters: "I went to Ft. Lauderdale in 85!" would translate to: IwtFLi85
Using last letters, and reversing capitals: iTOTeN85
Tip: Different Passwords for Different Places
Create strong passwords for any online transaction where your credit is at stake, such as shopping, banking, mutual funds, brokerage, investment retirement accounts, money management software, tax preparation software, auctions, insurance.
Create one "light-weight" password for online access to magazines, newspapers, chats, web casts, etc. You can be comfortable checking the "Remember my password" option for these activities, but not for your online banking account.
Source: microsoft.com