Phishing Scams

ALERT - RECENT PHISHING SCAM - JULY 2010

NACHA – The Electronic Payments Association has received reports that individuals and/or companies have received a fraudulent email that has the appearance of having been sent from NACHA. See sample below.

The subject line of the email states: “Unauthorized ACH Transaction.” The email includes a link that redirects the individual to a fake Web page and contains a link that is almost certainly an executable virus with malware. Do not click on the link. Both the email and the related website are fraudulent.

Be aware that phishing emails frequently have links to Web pages that host malicious code and software. Do not follow Web links in unsolicited emails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual.

NACHA itself does not process or touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive.

If malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove malicious code or re-install a clean image of the computer system.

Always use anti-virus software and ensure that the virus signatures are automatically updated. Ensure that security patches for the computer operating system and common software applications are installed and current. Be alert for different variations of fraudulent emails.

= = = = = Sample Email = = = = = =

From: Information
Sent: Thursday, July 22, 2010 8:27 AM
To: Doe, John
Subject: Unauthorized ACH Transaction

Dear bank account holder,

The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

------------------------------------------------------------------

Copyright ©2010 by NACHA - The Electronic Payments Association

= = = = = = = = = = = = = = = = = = =

ANOTHER EXAMPLE - In this phishing scam, cyber crooks used malware to collect personal information. When a customer visits a bank web site and attempts to access online banking, the malware redirects the unknowing customer to a fake (but real-looking) online banking login web page.

After entering their user ID information, the customer is directed to another fake page titled "Customer Identification" that looks like this:

If this happens to you, DO NOT ENTER any information. Since the "redirect" occurs on the user's PC (not the bank's web site), please close your Internet connection immediately and scan your PC for viruses and malware using the latest updates. (Remember: F&M Trust will NEVER ask for personal information in this manner.) If you feel you have been a victim, please contact our security department immediately at 1-888-264-6116.

What is Phishing?
Phishing is one of the latest cons used by high-tech criminals to facilitate one of America's leading forms of fraud - identity theft. Basically, the scam uses spam (unsolicited e-mail) to bait consumers into disclosing sensitive personal information - such as social security numbers, account and routing numbers, credit card numbers, personal identification numbers (PINs), passwords, and other private data.

Many of the phishing attempts will be sent to an individual's computer on a Saturday, Sunday or holiday.  This is done when the bank is closed so that the consumer can't contact the bank about the e-mail.  Be particularly suspicious of e-mail that appears to come from a financial institution on weekends and holidays.

According to the Federal Trade Commission (FTC), phishers send an email or pop-up message that claims to be from a business or organization that you deal with - for example, your Internet service provider (ISP), bank, online payment service, or even a government agency. The message usually says that you need to "update" or "validate" your account information. It might threaten some dire consequence if you don't respond. The message directs you to a Web site that looks just like a legitimate organization's site, but it isn't. The purpose of the bogus site? To trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.

What can you do?
To avoid getting reeled into one of these scams, the FTC offers the following guidance:

  • If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don't ask for this information via email. If you are concerned about your account, contact the organization in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address. In any case, don't cut and paste the link in the message.
  • Don't email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization's Web site, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a website that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Use anti-virus software and keep it up to date. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically. A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It's especially important to run a firewall if you have a broadband connection. Finally, your operating system (like Windows or Linux) may offer free software "patches" to close holes in the system that hackers or phishers could exploit.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
  • Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov. If you believe you've been scammed, file your complaint at www.ftc.gov, and then visit the FTC's Identity Theft Web site at www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft. Visit www.ftc.gov/spam to learn other ways to avoid email scams and deal with deceptive spam.

The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit www.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

As your financial institution, we at F&M Trust want to help you combat identity theft. One of the best ways to fight fraud is to educate yourself and be aware of a possible scam before it happens to you. Be cautious when providing information, and learn the steps you can take to help protect your sensitive, personal information in an attempt to stay ahead of these criminals.

F&M Trust strongly recommends that you NOT send personal information to the bank via e-mail. You are urged only to use secure locations on our site (for example, online banking, online trust access, online investing, etc.) to conduct transactions and change or update information. In addition, customer service representatives of F&M Trust will NOT ask you to send any private information to us via e-mail. If you are asked to do so by someone indicating that they represent F&M Trust, please contact our security department immediately at 1-888-264-6116.