NCUA Tells CUs How to Help Members Avoid Falling Victim to Phishing Schemes

ALEXANDRIA, Va.-NCUA issued a Letter to Credit Unions (04-CU-06) recently to supplement a previous letter on fraudulent e-mail schemes and raise awareness of “phishing” schemes. “NCUA encourages credit unions to educate their members, strengthen monitoring systems, and enhance response programs to reduce the potential risk of Internet-related fraud schemes to their organization and members,” the agency warned. “Such schemes may negatively impact your credit union’s reputation, transaction, liquidity, and strategic risks.” The Federal Bureau of Investigation’s Internet Fraud Complaint Center has reported a steady rise in seemingly legitimate e-mails that direct consumers to a false Web site or asking the consumer for “confirmation” of personal financial information. Criminals then use this information for credit card fraud and other purposes. The sender often uses several techniques to gain the trust of the consumer, such as a false e-mail address, Web links, and plausible graphics and logos from financial institutions, like credit unions, or other companies. “The ultimate goal of this fraud is to obtain and use the member information to gain unauthorized access to a member’s credit union or financial accounts or to engage in other illegal acts,” the letter read. These activities can lead to substantial reputation risk to an impersonated credit union because members may take it as weak security. There is also the potential for negative publicity, loss of member confidence, or lawsuits. Taking a proactive stance is one of the best ways a credit union can protect itself. Institutions should educate its members about e-mail scams and how to avoid them. Credit unions should accomplish this by posting notices of their Web sites and statement stuffers. It should explain that the credit union’s Web page should only be accessed by typing in the Web address or by bookmark. Credit unions should not request personal information via e-mail and such instances should be reported. Institutions should keep their Web site certificate up to date and explain how members can authenticate the site by checking the properties on a secure page. The Federal Trade Commission also has pamphlets, “How Not to Get Hooked by the `Phishing’ Scam” and “ID Theft: When Bad Things Happen to Your Good Name,” available for consumers. When a scheme is detected, members should be alerted, suspicious activity monitoring should be heightened, credit unions should offer assistance when fraud is discovered, appropriate authorities should be notified, and a Suspicious Activity Report should be filed. Steps to take to help prevent Internet fraud include improving authentication methods for user IDs and passwords, reviewing and enhancing member information security, monitoring accounts for things like address or phone number changes, looking for Web sites using variations of the credit union’s name, setting up a toll-free number for verifying information requests or reporting suspicious requests, and training member service staff to refer consumer concerns to security staff. -