February 2012 Archives
Travel Checklist
Planning a trip? Experienced travellers have some tips to share…and you can imagine what they went through to gain such wisdom!
- Get your passport early. To be on the safe side, apply at least 3 months before you plan to leave. And if you already have one, check the expiry date…how fun would it be if the passport expired while you were out of the country?
- Call CUETS to let them know you will be travelling (phone number is on the back of your Wainwright Credit Union MasterCard). Tell them your travel dates and destination. With that information already on file, use of your MasterCard credit card far from your home address will not trigger a security alert and cause card suspension.
- Make photocopies of your driver’s licence, passport, birth certificate, credit and debit cards, Alberta health care card, in short, whatever you have in your wallet. Take one copy with you (but don’t keep the copy in your wallet), and leave a copy with someone you trust.
- Arrange for your home to be taken care of. Check with your insurance to find out how often it will need to be checked. Have your house sitter keep your home looking “lived-in” – no newspapers collecting on the doorstep, indoor lighting rotated, snow shovelled, or sidewalk swept, etc.
- Notify the post office of your absence so they will hold your mail (or, if you have home delivery, ask your house sitter to take the mail in every day.)
- Arrange for alternate payment methods – take cash, a credit card, a debit card, travelers’ cheques. But don’t keep them all together, in case your wallet or suitcase goes missing.
- Check the expiry dates on your cards… if a card expired while you were away, you wouldn’t be able to use it. If an expiry date is close, contact your branch to renew your cards early.
- If you want to stay in touch, check with your mobile phone provider to make sure your phone will work where you are going. Temporary add-ons or disposables are good options if your plan will not reach.
- If you are travelling to a foreign country, contact your branch and order some local money. You’ll likely get a better rate of exchange than at an airport kiosk. Purchase travelers’ cheques at your branch as well.
- Purchase travel insurance - vital for any travel outside Alberta. You can get it at your Wainwright Credit Union branch. It’s affordable, comprehensive and it’s only a phone call away. You will avoid the high cost of out-of-province health care should you get sick or be injured on your trip.
- Pack:
  - emergency phone numbers for your credit union branch, lost/stolen cards, your doctor, next of kin, etc.;
  - a list of web addresses you often use. Your “favorites” only work on YOUR computer; also a carefully-disguised list of your passwords;
  - a list of your prescription drugs and the pharmacy phone number;
  - your itinerary - include contact information for each place you plan to visit. Leave a copy with someone you trust.
Hope these tips will help make your trip carefree. Bon voyage!
Phishing Advisory
We have seen several instances of phishing within our banking environment recently, and are asking members to be vigilant in exercising appropriate caution when using the Internet and email.
Ensuring that all customers understand this threat has never been more important.
Employees and consumers in general need to be able to identify phishing attacks to avoid Internet fraud and identity theft. Phishing is an attack used by the computer hacking and fraud community to lure people to websites that pose as legitimate sites. They do this by creating emails that look like they are being sent by a legitimate company. However, when you click on a link in the email, it takes you to a mock-up of the legitimate company’s website where you are asked for your log-in credentials and potentially credit card or other information. In-session phishing can also manifest itself as a pop-up in a web browser that will attempt to lure you to input information such as security credentials for your financial institution accounts, credit card information or other valuable information. They may even attempt to sell bogus merchandise. When you supply this information, it is harvested by the hackers/fraudsters. Once obtained, they sell the information or use it to commit fraud or other illegal acts.
How are we protecting our members?
Applications that can be accessed directly from the Internet are isolated by screening routers, firewalls, and Intrusion Prevention Systems. Systems are automatically updated with the latest threat signatures so that whenever new threats are detected, the banking systems are up to date. In addition, these systems are continuously monitored by our security experts to ensure they are performing as expected and that threats are mitigated.
We voluntarily undergo regular security audits that test our ability to withstand attacks. In every audit, we have met or exceeded industry best practices.
Even with all of the controls and protective technology we use to protect our employees and our members, individuals still need to protect themselves. Security is everyone’s responsibility and all employees in any organization must be vigilant and understand the threat.
Take Action
The simplest way to protect yourself and your business from phishers is to avoid clicking on any unexpected link in an e-mail message. Do not reply to emails soliciting personal information. Do not enter any information into pop-ups that automatically appear in your browser. Having safely ignored the suspicious email or pop-up, report it.
A significant portion of on-line fraud goes unreported.
Some people are too embarrassed to admit they’ve been taken in. Others simply don’t know what to do.
If you spot something suspicious, go to the company’s web site, the one that looks like www.companyname.com. Most sites have an option on their home page labeled “Contact Us” or something similar. Use that to report the phishing attempt. If you have gone so far as to provide sensitive personal information before realizing you may be a phishing victim, report the matter to your local police and keep a copy of the police report. You may need that documentation to resolve any fraudulent transactions.
You can also send us an email at askus@wainwrightcu.ca to notify us of the phishing attempt. Depending on the volume of email for a particular scam and its characteristics, we may be able to take steps to block the phishing attempts. Also, it provides us with a sense of what types of email and pop-ups are being received by our users.
You can also go online to the Canadian Anti-Fraud Centre at www.antifraudcentre-centreantifraude.ca, or call the Centre toll-free at 1-888-495-8501.
The following information provides a much more in-depth discussion on how to spot phishing attempts. Please take the time to review, as anyone can be targeted and it is everyone’s responsibility to recognize the threat and take the appropriate action.
Phishing Methodology
How can one tell a legitimate email message or pop-up from a phishing e-mail or pop-up? Here are some things to look for:
Warning Sign #1: In-session Phishing Pop-ups
A pop-up appears that is from a company that you have open in another tab in your browser
You may have several tabs or windows open with several different websites; for example, PayPal, Google, Amazon and eBay. Suddenly a pop-up box opens, that looks like it is from PayPal, and it asks you, "for verification purposes," to enter your password and your credit card information. It may not have been from PayPal at all, and you just gave the fraudsters your information.
A login form or site's form appears not to be working
You may have several tabs or windows open with several different websites; for example, PayPal, Google, Amazon and eBay. You encounter a login form on one of the sites; nothing unusual there. You type in your username and password, but nothing happens. You re-enter the information, however there still is no response. You may just assume that the website has temporarily stopped working, so you close the window and carry on elsewhere. But what may have happened is that everything you typed into the form was harvested by the fraudsters.
Steps to take to combat in-session phishing pop-ups
- Always be suspicious of pop-ups that suddenly appear on your desktop where you did not request the action, especially if they are requesting sign-on credentials, credit card information or other personal information, including cell phone numbers. Do not enter any information into the form, and immediately close the window where the form was displayed.
- Always log out of banking and other sensitive online applications and accounts before navigating to other websites.
Warning Sign #2: Badly Written E-mail
Read the message closely. A professional company such as eBay or Amazon will not issue any communication containing basic grammatical and spelling errors. A high proportion of phishing emails contain such fundamental errors.
Warning Sign #3: Hidden Addresses & Sources
Phishing attacks redirect you somewhere other than where they claim to be going. Check whether the link in the email is legitimate by resting or hovering the mouse pointer over it. The address is displayed differently in different browsers, but it should be the same web address as the displayed link and should be the web address of the company allegedly sending the email. (See below.) If it is not, this is likely a phishing email.
Example of the kind of phrase you might see in an e-mail message that directs you to a phishing Web site:
"Click the link below to gain access to your account."
Resting or “hovering” (but not clicking) the mouse pointer on the link reveals the real web address. If the string of cryptic numbers is a generic Internet Protocol address and looks nothing like the company's web address, it constitutes a suspicious sign.
Example of a masked web address
Con artists also use web addresses that resemble the name of a well-known company but are slightly altered by adding, omitting or transposing letters. For example, the address "www.microsoft.com" could appear instead as:
- www.micosoft.com
- www.mircosoft.com
- www.verify-microsoft.com
This is called typo-squatting or cybersquatting.
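The hover check and the look-alike check from Warning Sign #3 can also be run automatically over the HTML of a message. The Python sketch below is an added example, not something from the original advisory: the `KNOWN` list, the sample message and the 0.85 similarity threshold are assumptions, and taking the last two labels as the registered domain is a simplification.

```python
import difflib, ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

KNOWN = ["microsoft.com"]  # assumption: domains you really deal with
SAMPLE = (  # constructed message body, not a real e-mail
    '<a href="http://192.0.2.10/login">www.microsoft.com</a>'
    '<a href="http://www.mircosoft.com/">Sign in</a>'
    '<a href="https://www.verify-microsoft.com/">Verify</a>'
    '<a href="https://www.microsoft.com/">www.microsoft.com</a>')

def host_of(s):  # host of a URL or bare hostname, None for ordinary text
    s = s.strip()
    ok = s and " " not in s and "." in s
    return urlsplit(s if "://" in s else "//" + s).hostname if ok else None

def check_link(href, text):
    real, shown, out = host_of(href) or "", host_of(text), []
    if shown and shown != real:          # what "hovering" would reveal
        out.append("shown-host-differs")
    try:
        ipaddress.ip_address(real)       # raw IP address instead of a name
        out.append("ip-address-host")
    except ValueError:
        pass
    for domain in KNOWN:
        legit = real == domain or real.endswith("." + domain)
        near = difflib.SequenceMatcher(None, ".".join(real.split(".")[-2:]), domain).ratio() >= 0.85
        if real and not legit and (near or domain.split(".")[0] in real):
            out.append("lookalike-of-" + domain)
    return out

class Links(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text))
            self.href = None

def audit(html):
    p = Links()
    p.feed(html)
    return {href: check_link(href, text) for href, text in p.found}
```

Calling `audit(SAMPLE)` returns a list of findings for each link; an empty list means none of the three warning signs was found for that link.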
Warning Sign #4: Threatening, Legal-Sounding Messages
Consider the source. From a customer service perspective, no reputable company would send their customers a threatening email. If you receive a threatening email, it almost certainly isn’t legitimate. If you think it may be, phone or email the legitimate company. Under no circumstances should you respond directly with email to the message you just received.
Warning Sign #5: Soliciting Personal Information by Email
Financial institutions and reputable online retailers do not send emails asking for personal information. Any email that claims to be from a reputable source, but asks for such data, is most likely a phishing expedition.