PenFed Hounded by Multiple Website Spoofings

Versions of a PenFed lookalike website appear, disappear and return. Jim DuPlessis has been monitoring the sites for months.

Screenshots of the real PenFed Credit Union site (above) and a fake (below).

Credit unions like to share and promote the positive feedback they get from members.

So it’s not surprising that someone browsing the web found an Idaho man telling his credit union: “You’re doing a good job. The vast majority of web sites are more difficult to navigate and use — some are impossible. Your web site, and the process, are very user friendly.”

That was nice. In fact, the comment was nice enough to be posted on the website of TransFund Credit Union last December, Eagle Credit Union in February and by April on the sites of Westland Credit Union, East Valley Trust Bank and HowToLoGinTech.

What did all these user-friendly websites have in common?

I came across the first clone last December for TransFund. I initially thought I had stumbled on a rebranding test site unwittingly made public by an employee at the Tysons, Va., headquarters of the nation’s third-largest credit union ($32.5 billion in assets, 2.6 million members as of Dec. 31).

Alas, PenFed spokeswoman Kassandra Meholick shot down my theory, stating the site was not theirs. The next time I checked the site, it was replaced by an “account suspended” notice.

That was that. Or was it? A new idea crossed my mind in early February that led me to try a similar search.

I saw the pentagon-shaped PenFed logo show up again, this time under the website address “eagle-creditunion.com.” Its “about” page (…/about-penfed.html) exclaimed “Helping Our Members ‘Do Better.’”

“Whatever they do, and wherever they live, Eagle-creditunion members share two things: A belief in the American way of life and a belief in themselves.”

Those are the same words on the real PenFed’s “about” page.

Screenshot of the “About” page of a spoofed PenFed website with the exact wording as the real website.

The NCUA’s handy credit union lookup tool showed there are no active credit unions named “Eagle Credit Union.” There had been an Eagle Credit Union in Lodi, Calif., which had $20 million in assets and 2,384 members in 2016, when it was acquired by Unify Financial Federal Credit Union of Torrance, Calif.

On Feb. 15, I called Meholick again. She said it is best not to speak too specifically about these things.

“This type of spoof site is something that has been happening for decades now,” she said. “It’s a fairly common thing.”

By April, “eagle-creditunion.com” redirected to a website offering Viagra.

However, another Google search found the clone had diversified. Not only was there a WestLand Credit Union (www.westlandcu.com), but now there was also an EastValley Trust Bank (www.https://eastvalleytrust.com/), which assured visitors that “this credit union is federally insured by the National Credit Union Administration.”

I’ve tried searches to find spoofs of other big credit unions, but so far, I’ve only found spoofs of PenFed.

The NCUA has had 14 cases of fraudulent websites brought to its attention in the last two years, according to an email in response to questions from CU Times.

The NCUA said that when it learns of such cases, it contacts the domain hosting company and requests that they voluntarily comply with removing the website.

“If a fraudulent site falls under federal criminal statute (in instances where a website is masking as a federal credit union, for example) and the NCUA is unable to secure voluntary removal of the site, the NCUA will refer the case to the Department of Justice,” the NCUA said. “Depending on the site, it may fall under state statute in which case we will refer it to the appropriate state authority.”

Jay Mayfield, an FTC spokesman, said consumers who find a website that appears fake should report it using the FTC’s website for reporting fraud (https://reportfraud.ftc.gov/#/), which is monitored by 3,000 law enforcement agencies. “It is not just filing a report with us, it’s filing a report with all the agencies,” he said.

A fake credit union website falls under the category of “business imposter schemes,” which is among the most common type of complaint the FTC receives, Mayfield said. “Scammers tend to pose as businesses with recognizable names and lots of customers,” he said.

Last year there were more than one million imposter schemes reported to the FTC, including romance scams, tech support scams, family and friend imposters, government imposters and business imposters. The FTC doesn’t break down how the imposture was carried out, but fake websites are common.

Reports of business imposters have risen sharply over the past two years. From 2017 through 2019, they accounted for 17% to 19% of all imposter reports. Last year business imposters more than doubled to 394,742, accounting for 39% of imposter reports.

In the fourth quarter, business imposters accounted for half the reports.

A spoofed PenFed site asking for personal information. Screenshot taken April 13, 2022.

Such scams are not entirely new, according to Scott Derks, whose banking career started in 1981 with Citizens & Southern based in Columbia, S.C., and ended about 20 years later with his retirement from the position of chief of staff for the Carolinas for Bank of America.

Derks’ move to Bank of America came through a series of mergers in the 1980s and 1990s.

Mergers created an opportunity for fraud, and the medium was the telephone.

Around 1986, C&S got a call from an elderly female customer who said she had called a phone number on a flyer she received and found herself talking with someone at a phone sex operation.

It turned out the bank had acquired a smaller bank and surrendered its old number. The fraudster acquired the phone number and sent out old flyers from the acquired bank with its old phone number, one of which reached the elderly female customer.

Management was “horrified,” he said. In that instance, it wound up paying the phone sex operation to buy back the bank’s old phone number. It happened twice more into the early 1990s, but the fraudster asked for too much money and the bank called the FBI.

Derks said the bank didn’t warn its customers. “It was an embarrassing event,” he said. “All the energy went into getting the porn site taken down.”

Banks also learned a lesson: When you bought another bank, you paid to keep its phone numbers, even if you didn’t use them.

Editor’s Note: CU Times did not include hyperlinks to the spoofed sites or specific site sections for two reasons: 1.) We were not sure if the links would lead to malicious sites. 2.) Most likely, the links would no longer work by the time this story is published.