Bank, Credit Union Customers Struck by Fraud AttemptsNew Trend: 'Vishing' Scams Use Phones to Pry Account Information
The Beneficial Bank, (www.theBeneficial.com) (BNCL) uncovered the attempts on Tuesday, January 8. Customers reported they had received an automated phone message purportedly from the bank, saying the customer's services needed to be renewed and that they should call a toll-free number. Those bank customers who did call the bogus number were asked for account information.
Concurrently, the Yakima Valley Credit Union (www.yvcu.org) in Yakima, WA., on Tuesday sent out a warning on its website that some of its members were being called by an outside agency purporting to be the institution's security department, asking for account information to "activate fraud protection." The credit union, with $220 million in assets, also notes that a phishing email had been sent to some of the credit union's members, asking for personal and financial information.
Also from Yakima, WA., the Catholic Credit Union (www.catholiccu.org) reports similar telephone-based phishing attempts from an unknown caller who claims to represent the credit union that holds $152 million in assets.Damage Control
In a statement made on a local Philadelphia radio station, Beneficial Chief Executive Gerald Cuddy said the bank put out a security alert on its website and moved to shut down the phone line. He added no one lost money to the phishing attempt, and the bank has helped customers change their personal identification numbers. Beneficial, with $2.4 billion in assets, operates 72 branches in five counties in the greater Philadelphia Region, including South Jersey.
"There is no evidence of any bank customer's information was breached," says Carolyn Maslow, Beneficial's corporate communications manager and spokesperson Carolyn Maslow. "As a precaution, we have alerted our customers through our website. We have and are continuing to monitor our customer call center and branches for any suspicious activity."
Maslow said she did not know if Beneficial employs an outside service to monitor for phishing and other internet attacks, but added the bank's information security incident response team took quick action when the attempts were uncovered. The team immediately alerted the FBI, along with all the other appropriate authorities, to shut down the phone number. "Hopefully it's now a non-issue," Maslow says.
The bank did not say how many customers received the phone message, nor how many responded to the call.
Neither of the Yakima credit unions disclosed how many of their members were affected."Vishing" - the New Fraud Trend
These fraud attempts are examples of a new trend known as "vishing" - a combination of "voice" and "phishing," which refers to the use of Voice over IP to launch attempts to separate unsuspecting customers from their personal information. The callers use social engineering techniques to prey upon consumers' trust of telephone-based alerts from institutions. And because they are computer-based, the vishing attempts are difficult for legal authorities to monitor or trace.
As evidenced by the institutions whose customers were struck this past week, vishing is a trend that financial institutions of all sizes need to watch.
"As banks tighten up security on the Internet channel, the criminals are increasingly using the phone channel," says Avivah Litan, Gartner distinguished analyst. Vishing is just one of an array of clever and devious social engineering techniques the crooks are using to steal customer credentials and account information.
Information security analyst Nick Holland at the Aite Group predicts a similar direction for this fraud. "It [vishing] certainly looks to be the next attack vector. Customers have gotten to a point where they're savvy enough (but not entirely so) to avoid the email phishing attempts," he says.
Given the "spam-like" reach of phishing, it doesn't take many positive hits on an email to make a profit for the phisher, Holland adds.
For the criminal, vishing is appealing. The customer is diverted to a fake call center, complete with a spoofed caller ID name appearing on the telephone's screen. "As a bank customer, you would not expect a phone call that appears to be from your bank to be fraudulent," Holland says. "The key here is it appears to be legitimate."
As institutions increasingly move into mobile banking and mobile payments, the vishing trend also brings into question the methods used to authenticate users over the phone.
Financial institutions are not the only targets of vishing. Gartner's Litan sees vishing spreading out to other businesses. "The crooks will use all types of social engineering techniques leveraging brands such as eBay, PayPal, wireless telecommunications providers, charitable organizations, and medical service providers," Litan says. "They will also make up brands, as they do with straight phishing, pretending to be sweepstakes contests, lottery games, and the like."
In the end, however, the thieves are trying to get consumers' money, so regardless of the technique used to steal credentials or account information, the bank or credit union account is the ultimate target.
(For more information on phishing incident response see: Phishing Incident Response Plan Is Not Optional )