Recent Scam Alerts and Phishing Emails
Small Businesses Being Scammed
The U.S. Small Business Administration (SBA) is warning small businesses not to respond to letters falsely claiming to have been sent by the SBA asking for financial account information in order to qualify them for federal tax rebates.
The fraudulent letters were sent out with what appears to be an SBA letterhead to small businesses across the country, advising recipients that they may be eligible for a tax rebate under the Economic Stimulus Act, and that SBA is assessing their eligibility for such a rebate. The letter asks the small business to provide the name of its financial institution and account number.
These letters have not been sent by or authorized by the SBA, and all small businesses are strongly advised not to respond to them.
The scheme is similar to email scams often referred to as “phishing” that seek personal data and financial account information that enables another party to access and individual’s bank accounts or to engage in identity theft.
The SBA Office of Inspector General (OIG) asks that anyone who receives such a letter report it to the OIG Fraud Line at (800) 767-0385, or by email to OIGHotline@sba.gov.
--February 19, 2009
Debit & Credit Card Compromise Alert
Note: No action is necessary by members at this time
Card numbers of some members who carry CoVantage-issued debit or credit cards recently appeared on a list of potentially compromised cards. The potential breach occurred when customer transactions were processed through Heartland Payment Systems. The compromise was in no way caused by a breach at CoVantage, but was brought to our attention by VISA and MasterCard in an alert they provided to financial institutions throughout several states.
At this time, we are not aware of any fraudulent transactions that actually occurred on any CoVantage cards included on this list. However, account data containing information on the card’s magnetic strip (card number, expiration date, and some internal codes) may have been exposed to an unknown third party.
If your debit or credit card was affected by this breach you will receive a personal letter from CoVantage Credit Union. The letter will identify the affected card and explain the situation in more detail. It is especially important that all members review debit and credit card transactions for accuracy, and immediately report any suspicious activity on your statement to CoVantage Credit Union.
In the event fraud should occur on your card, there are protections in place that prevent financial loss to the cardholder (provided you notify the credit union in a timely manner).
We appreciate your understanding as we fight fraud. As always, CoVantage Credit Union adheres to the strictest controls in keeping your member information secure.
--January 2009
Advance-Fee Loan Scam
The Advance-Fee Loan Scam involves unsolicited emails
consisting of mortgage, loan refinance, small business loan, or similar loan offers. The scammers usually state that loan approval is guaranteed and ask for upfront fees be wired to them before a loan can be approved. What typically happens is the scammer receives the fees and the loan is never given.
Additional information can be found at: www.ftc.gov/bcp/edu/pubs/consumer/telemarketing/tel16.shtm.
Card Services Phishing Emails
A phishing e-mail is being sent out that asks you to fill out a 5 question survey for Card Services for Credit Unions. It claims that you will receive a credit to your account for filling in a survey that will help improve online services. The link in the email will take you to a site that requests information such as your personal account information and plastic card information.
Card Services doesn't have any plastic card information, nor did it send out these emails. This email was sent as an attempt to fraudulently obtain your personal information.
Do not respond to this email.
IRS Tax Refund Phishing Emails
The IRS and the Internet Crime Complaint Center have issued consumer alerts about Internet scams in which emails are received informing consumers of a tax refund. This phishing e-mail, claiming to be from the IRS, informs recipients that they are eligible for a tax refund for a specific amount. Then it directs them to a link that asks for personal information, such as: credit card information and social security numbers. DO NOT respond to this type of email.
A different phishing e-mail with the title Refund Notice claims to have information about the status of the recipient's IRS tax refunds. This e-mail has a link, which directs you to a page that is similar to, but not the IRS web site. This site claims to allow recipients to check the status of their IRS tax refund after filling in information such as: name, social security number/IRS Individual Taxpayer ID, and credit card information. DO NOT respond to this type of email.
If you receive this type of unsolicited e-mail alleging to be from the IRS, take the following steps:
- DO NOT open any attachments in the e-mail. They might contain code that will infect your computer.
- Contact the IRS at 1-800-829-1040 and determine whether or not the IRS is trying to contact you about a tax refund.
Be advised that the IRS does not ask for personal identifying or financial information via unsolicited e-mail.
Additional information on these phishing schemes can be found at the website listed below. If you believe that you have been a victim of phishing you may file a complaint at the following web address: http://www.ic3.gov.
NCUA Phishing Alert
This particular attack involves a "spoofed" National Credit Union Administration (NCUA) website and unsolicited emails sent to consumers. The email requests that you click on a link to verify your account registration. The link then directs you to a "spoofed" site and asks you to submit your PIN, account number, and other personal information.
The site is similar to NCUA website, but is not affiliated with the NCUA in anyway. It is a scam to get your personal information for use for fraudulent purposes. If you receive this type of email DO NOT respond. NEVER enter your personal information such as your account number, user name, social security number, and PIN numbers into any unsolicited email. DO NOT click on any of the links in the email. They may take you to additional fraudulent sites.
If you receive any emails as described above, just delete them.
Be advised that legitimate businesses will not send emails that request this type of information.
The NCUA advises: NCUA does not ask credit union members for such personal information.
Anyone who receives an e-mail that purports to be from the NCUA and asks for account
information should consider it to be a fraudulent attempt to obtain their personal account data for an illegal purpose and should not follow the instructions in the email. If you responded to such
an e-mail and provided any confidential account information, please notify your credit union immediately of the scheme. You should also change your account’s PIN, and take any additional action recommended by your credit union to protect your account.
PULSE Phishing Alert
This particular attack involves the PULSE website and unsolicited emails sent to consumers. The email provides a link to a "spoofed" site and asks you to submit your debit card number, expiration date, and ATM PIN number.
The fraudulent site is similar to PULSE'S website. If you receive this type of email DO NOT respond. Sites can be very convincing. NEVER enter your personal information such as your debit card number, user name, and ATM PIN numbers into any unsolicited email.
Be advised that legitimate businesses will not send emails that request this type of information.
CUNA Phishing Alert
This phishing threat targets members in the Credit Union National Association(CUNA). It comes in the form of an email that asks you to update your personal information online. This is a fraudulent email that requests you to visit a phishing site that appears similar to the screenshot below. If you receive this type of email DO NOT respond. DO NOT enter your personal information such as your account number, social security number, user name, and passwords into any unsolicited email. DO NOT click on any of the links in the email. They may take you to additional fraudulent sites. Just delete any emails of this sort.
Phishing Scam Sounds like Official Telephone Call
Plastic-card phishing has a dangerous new twist. In a telephone call to a cardholder, the criminal attempts to obtain the three-digit security code on the back of card.
Details:
With the holiday season approaching, shoppers increasingly use their credit and debit cards to make purchases at the mall, on the Internet, or over the telephone. When plastic card use increases this time of year, so do the scams.
A new twist on phishing aims to obtain the three-digit security code printed on the back of VISA and MasterCard credit and debit cards. The phishes are trying to get enough information to perform fraudulent card-not-present transactions (Internet, telephone, and mail-order purchases).
Under this scam, a telephone call is placed to a legitimate cardholder. The caller claims to be a representative from VISA or MasterCard informing the cardholder of suspicious card activity. The caller provides details of an unusual transaction and asks if the cardholder made this purchase, which, of course, the cardholder did not. The cardholder is then asked to verify possession of the card. To do so, the cardholder is asked to read the three-digit security code on the back of the card. The fraudster then provides a control number in the event the cardholder needs to call back with questions, making the call seem legitimate.
The caller does not ask for the credit or debit card number, and that is why some members are fooled into believing the call is legitimate. But the fraudster already has the card number; what they don't have is the three-digit security code from the back of the card, and that is what they are after with this scam.
The three-digit code on the back of the Visa or MasterCard card is a security tool used for non face-to-face transactions. When conducting transactions that are not face-to-face, many merchants will ask the shopper for the three-digit code to complete a card authorization. If the criminal obtains this three-digit number and already has the member's card number, card expiration date, and billing address, the criminal may be able to obtain authorization for fraudulent transactions.
Never give that code to anyone who may contact you by telephone, Internet, or mail. This security tool is used when a card-not-present transaction is performed, and during the transaction the merchant may ask for the code to complete the authorization process.
Never respond to any e-mail, telephone call, voice message, text message, or letter received through the mail that requests personal and financial information, including the three-digit number on the back of the card.
--November 24, 2008
