Banking Regulator Issues New Phishing Alert
Latest Campaign Pretends to be Request from Agency
A federal banking regulatory agency has issued a warning about a new phishing campaign that aims to con consumers into disclosing personal and financial details by feigning to be a request from the regulator.
Experts say these types of attacks are getting more sophisticated, and that continuous, proactive monitoring of spam email is a necessity to identify targeted campaigns quickly (see Spear Phishing: A Bigger Concern in 2015).
This most recent scheme purports to be from the National Credit Union Administration, one of the five regulatory agencies that make up the Federal Financial Institutions Examination Council. Emails containing links to a fraudulent website that resembles the NCUA are being pushed to consumers, the banking regulator announced March 17.
NCUA says the phishing emails originate from what appears to be a legitimate website managed by the National Credit Union, an Australian financial services company that claims to offer products and services to consumers in the U.S., Europe and the Commonwealth of Independent States.
"This website is not affiliated in any way with the National Credit Union Administration, a federal agency, and the emails are not from NCUA," the NCUA notes in its alert. "The emails attempt to persuade individuals to provide personal information, such as Social Security numbers, account numbers and login information, or transfer large amounts of money. Consumers should neither provide information to this website nor attempt to conduct any financial transactions through it."
As of March 19, the National Credit Union website had been deactivated.
The NCUA points out that it would never request consumers submit personal or account information through an emailed solicitation.
"NCUA is working with the appropriate federal agencies on this matter," writes NCUA spokesman John Fairbanks in a March 18 email to Information Security Media Group. "To date, we are not aware of any financial losses or loss of personal information as a result of this phishing operation."
Rob Sadowski, director of technology solutions for security firm RSA, says it's difficult for government agencies to prevent their brands from being used in phishing campaigns. "Their brands stand for what the phishers are relying on to get consumers to click on these malicious emails: Trust in the sender," he says.
Phishers are getting better at copying specific formatting or graphics used by agencies, Sadowski adds.
Although agencies' monitoring of spam email can help prevent phishing that capitalizes on their brands, "there will always be that attack that gets through and that will be identified by the consumer first," says Daniel Cohen, who heads up the anti-fraud services group at RSA. "That said, having the necessary remediation capability in place can provide for quick takedown of the attack and rapid investigation into its sources."
Another key step for agencies, Cohen says, is to work with Internet service providers and law enforcement to have the websites that send phishing emails shut down.
But John Wilson, field chief technology officer for online security firm Agari, says the only way to truly block phishing messages is by deploying the DMARC (Domain-based Message Authentication, Reporting and Conformance) standard. DMARC lets organizations verify that messages claiming to come from their email domains actually originate from them, and tells receiving mail systems to block messages that do not.
"This standard, which is supported by Google, Microsoft, Yahoo, AOL, Comcast and others, allows domain owners to control the use of their domains in email," Wilson says. "Without DMARC, anyone can send an email using the bank's email domain."
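To make concrete what "control the use of their domains in email" means in practice, here is an added example (not code from the article, Agari or any vendor named here) of the decision a receiving mail server makes under DMARC. The domain owner publishes a TXT record; the receiver, having already computed SPF and DKIM results for the message, checks whether either result is aligned with the visible From: domain and otherwise applies the owner's requested policy. The domain example-bank.test, the record contents and the message scenarios are constructed for the example, and the organizational-domain logic is simplified (real receivers use the Public Suffix List).

```python
"""Minimal DMARC policy evaluator (added example, not from the article).

Given the DMARC record published for a domain and the SPF/DKIM results a
receiving mail server has already computed, decide whether the message
passes DMARC and what the domain owner asked the receiver to do with it.
"""

# Constructed example record for the hypothetical domain example-bank.test.
# p=reject  : mail failing DMARC from the domain itself should be rejected
# sp=quarantine : mail failing DMARC from subdomains goes to spam
# adkim=s / aspf=r : strict DKIM alignment, relaxed SPF alignment
EXAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example-bank.test; pct=100"
)


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing or unsupported v= tag")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    # Defaults from RFC 7489: relaxed alignment unless stated; sp inherits p.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Assumption for this example: production receivers consult the Public
    Suffix List so that names like bank.co.uk are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(authenticated_domain, header_from_domain, mode):
    """DMARC identifier alignment.

    Strict ('s') requires the authenticated domain to equal the From: domain;
    relaxed ('r') accepts any domain sharing the organizational domain.
    """
    if not authenticated_domain:
        return False
    a = authenticated_domain.lower().rstrip(".")
    h = header_from_domain.lower().rstrip(".")
    if mode == "s":
        return a == h
    return organizational_domain(a) == organizational_domain(h)


def evaluate_dmarc(record_txt, record_domain, header_from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    record_domain is the name the TXT record was found under (without the
    _dmarc. prefix). dmarc_result is 'pass' when SPF or DKIM passed *and* is
    aligned with the From: domain; otherwise 'fail', and the disposition is
    the owner's requested action: 'none', 'quarantine' or 'reject'.
    The pct= tag (sampling) is parsed but not applied here.
    """
    rec = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, header_from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, header_from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= applies only when the record came from the organizational domain
    # and the From: domain is one of its subdomains.
    from_dom = header_from_domain.lower().rstrip(".")
    action = rec["sp"] if from_dom != record_domain.lower().rstrip(".") else rec["p"]
    if action not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {action!r}")
    return "fail", action


def demo():
    """Two constructed messages: a spoof and a legitimate bounce-domain send."""
    spoof = evaluate_dmarc(EXAMPLE_DMARC_RECORD, "example-bank.test", "example-bank.test",
                           "pass", "phisher.test", "none", None)
    legit = evaluate_dmarc(EXAMPLE_DMARC_RECORD, "example-bank.test", "example-bank.test",
                           "pass", "bounce.example-bank.test", "fail", None)
    return spoof, legit


if __name__ == "__main__":
    for label, result in zip(("spoofed", "legitimate"), demo()):
        print(f"{label}: dmarc={result[0]} disposition={result[1]}")
```

The spoofed message passes SPF for the attacker's own sending domain, which is exactly the situation Wilson describes: without DMARC nothing ties that SPF pass to the bank's From: domain, so the receiver has no reason to reject it. With the record published, the unaligned SPF pass counts for nothing and the owner's p=reject takes effect.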
Case of Mistaken Identity
In its warning about this most recent scam, the NCUA advises consumers who have received a phishing email to contact the NCUA's fraud hotline and the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.
Phishing attacks that exploit the brands of federal banking regulators are not new. In late 2011, the Federal Deposit Insurance Corp., which also is a part of the FFIEC, warned consumers of a similar type of attack (see Phishing Targets FDIC).
Financial fraud expert Al Pascual, a director at Javelin Strategy & Research, says campaigns that exploit regulatory agencies are often less effective than phishing attacks that feign to be from specific banks or credit unions.
"I doubt most consumers recognize the NCUA brand - even the FDIC may be a bit of a stretch to call a 'household name,'" he says.
Pascual advises regulators to "be on the lookout for phishing scams directed at the institutions under their supervision, as these scams would have the potential to cause far greater financial and reputational damage."