Keeping Our Members Safe

Mobile Phishing Attacks Increase Nearly 40%

Phishing emails have long been a threat for desktop and laptop users within the office; however, the increased use of mobile devices as more employees work remotely has created an additional attack vector for cyber criminals. Common defense tactics or revealing traits of phishing attacks – such as the ability to identify email addresses and URLs that might look suspicious – are often not as noticeable in mobile email, texts, and messaging apps given the mobile user interface and smaller device screens.

The Details

Malicious actors have recognized how reliant we are on mobile devices. They understand that there is a massive blind spot around mobile devices and apps and are targeting them because they present a path of low resistance. Additionally, mobile phishing is often the cheapest way to compromise an individual or an organization. In fact, mobile phishing increased 37 percent between the fourth quarter of 2019 and the first quarter of 2020, according to Lookout, Inc., a provider of mobile security. Several reports suggest that there is a steady increase in mobile phishing attacks for both consumer and corporate users, across all geographies and industries, and involving both Android and iOS phones.

Learn How to Recognize & Avoid Phishing Scams

____________________________________________________

Sophisticated Social Engineering Scams Lead to P2P Fraud

Fraudsters are launching social engineering attacks against members by posing as the credit union to obtain online banking credentials. They are defeating out-of-band / 2-step authentication by scamming members into providing this passcode to them. Once they have the passcode, they log in to the member’s account and use peer-to-peer (P2P) services, such as Zelle and Payzur, to transfer funds elsewhere.

Here’s how the scam works:

  • Fraudsters send account alerts to members via text message, appearing to come from the credit union, warning them of suspicious debit card activity.
  • For those members who respond to the text, the fraudsters call the members, spoofing the credit union’s phone number, and claim they are in the credit union’s fraud department and are calling to verify suspicious transactions.
  • To verify the member’s identity, the fraudster explains a passcode will be sent via text message and the member must provide the passcode over the phone.
  • The fraudsters attempt a transaction that triggers a 2-step authentication passcode, such as using the “forgot password” feature or initiating a P2P transaction. The passcode is sent via text / email to the member who, in turn, provides it to the fraudster.
  • The fraudsters immediately use the passcode to log in to the member’s accounts and use the P2P feature to transfer funds.

Fraudsters have also spoofed the credit union phone number and called members asking them to verify information such as card number, PIN and CVV/CVC – which is all they need to counterfeit a card. In a few cases where members refused to provide the passcode, the fraudsters impersonated the members and social-engineered the members’ mobile phone carrier to port the members’ mobile phone to a different carrier. This allows the fraudster to receive the passcode by using the “forgot password” feature.

Please Note: ACFCU will never ask you for such private, secure information over the phone, via email or text message. Should you suspect you are being targeted by fraud, or have fallen victim, please contact us as soon as possible. We'll work with you to investigate the matter, ensuring your accounts and funds are safe at the Credit Union.