Bank, Credit Union Customers Struck by Fraud Attempts

New Trend: 'Vishing' Scams Use Phones to Pry Account Information
A Philadelphia bank and two Washington State credit unions this week revealed that their customers had been solicited in new, telephone-based phishing attacks aimed at stealing personal account information.

Beneficial Bank (www.theBeneficial.com; BNCL) uncovered the attempts on Tuesday, January 8. Customers reported receiving an automated phone message, purportedly from the bank, saying that the customer's services needed to be renewed and that they should call a toll-free number. Bank customers who did call the bogus number were asked for account information.


Concurrently, the Yakima Valley Credit Union (www.yvcu.org) in Yakima, WA, on Tuesday posted a warning on its website that some of its members were being called by an outside party claiming to be the institution's security department and asking for account information to "activate fraud protection." The credit union, which has $220 million in assets, also notes that a phishing email asking for personal and financial information had been sent to some of its members.

Also in Yakima, WA, the Catholic Credit Union (www.catholiccu.org), which holds $152 million in assets, reports similar telephone-based phishing attempts from an unknown caller claiming to represent the credit union.

Damage Control

In a statement on a local Philadelphia radio station, Beneficial Chief Executive Gerald Cuddy said the bank had posted a security alert on its website and moved to have the phone line shut down. He added that no one lost money to the phishing attempt, and that the bank has helped customers change their personal identification numbers. Beneficial, with $2.4 billion in assets, operates 72 branches in five counties in the greater Philadelphia region, including South Jersey.

"There is no evidence that any bank customer's information was breached," says Carolyn Maslow, Beneficial's corporate communications manager and spokesperson. "As a precaution, we have alerted our customers through our website. We have and are continuing to monitor our customer call center and branches for any suspicious activity."

Maslow said she did not know whether Beneficial employs an outside service to monitor for phishing and other internet attacks, but added that the bank's information security incident response team acted quickly once the attempts were uncovered. The team immediately alerted the FBI, along with the other appropriate authorities, to get the phone number shut down. "Hopefully it's now a non-issue," Maslow says.

The bank did not say how many customers received the phone message, nor how many responded to the call.

Neither of the Yakima credit unions disclosed how many of their members were affected.

"Vishing" - the New Fraud Trend

These fraud attempts are examples of a new trend known as "vishing" - a combination of "voice" and "phishing" - in which criminals use Voice over IP (VoIP) telephony to separate unsuspecting customers from their personal information. The callers use social engineering techniques to prey on consumers' trust in telephone-based alerts from their institutions. And because the calls are computer-generated and routed over the internet rather than placed from a fixed line, vishing attempts are difficult for legal authorities to monitor or trace.

As evidenced by the institutions whose customers were struck this past week, vishing is a trend that financial institutions of all sizes need to watch.

"As banks tighten up security on the Internet channel, the criminals are increasingly using the phone channel," says Avivah Litan, Gartner distinguished analyst. Vishing is just one of an array of clever and devious social engineering techniques the crooks are using to steal customer credentials and account information.

Information security analyst Nick Holland at the Aite Group predicts a similar direction for this fraud. "It [vishing] certainly looks to be the next attack vector. Customers have gotten to a point where they're savvy enough (but not entirely so) to avoid the email phishing attempts," he says.

Given the "spam-like" reach of phishing, it doesn't take many positive hits on an email to make a profit for the phisher, Holland adds.

For the criminal, vishing is appealing. The customer is diverted to a fake call center, complete with a spoofed caller ID name appearing on the telephone's screen, so the name or number displayed is no proof of where the call actually originates. "As a bank customer, you would not expect a phone call that appears to be from your bank to be fraudulent," Holland says. "The key here is it appears to be legitimate."

As institutions increasingly move into mobile banking and mobile payments, the vishing trend also calls into question the methods used to authenticate customers over the phone.

Financial institutions are not the only targets of vishing. Gartner's Litan sees vishing spreading out to other businesses. "The crooks will use all types of social engineering techniques leveraging brands such as eBay, PayPal, wireless telecommunications providers, charitable organizations, and medical service providers," Litan says. "They will also make up brands, as they do with straight phishing, pretending to be sweepstakes contests, lottery games, and the like."

In the end, however, the thieves are trying to get consumers' money, so regardless of the technique used to steal credentials or account information, the bank or credit union account is the ultimate target.

(For more information on phishing incident response see: Phishing Incident Response Plan Is Not Optional )


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience writing for corporations, business publications and newspapers. She has worked in the financial services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she has been involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.