Orange is my favorite color

Phishing attacks impersonate someone you do business with in order to separate you from your confidential information. Usually they are pretty hokey, but the sophistication level has been steadily increasing over the last year.

I received a new telephone-based variation three times this morning. It’s a “Credit Union” attack with a very clever email. There are no links (other than to consumer.gov/idtheft), which mirrors many real emails we now receive from online financial institutions, ironically because of the phishers. This is apparently not the first time this has surfaced, but I have not seen it in the wild yet. Here’s the copy:

Dear Credit Union Customer,

We regret to inform you that we have received numerous fraudulent emails which ask for personal account information. The emails contained links to fraudulent pages that looked legit. Please remember that we will never ask for personal account information via email or web pages.

Because of this we are launching a new security system to make Credit Union accounts more secure and safe. To take advatage of our new consumer Identity Theft Protection Program we had to deactivate access to your card account.

To activate it please call us immediately at (360)-717-3498

Activation is free of charge and will take place as soon as you finish the activation process.

If you think your identity has been stolen, here’s what to do now:

1) Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified, and all three credit reports will be sent to you free of charge.

2) Close accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit (PDF) when disputing new unauthorized accounts.

3) File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.

4) File your complaint with the Federal Trade Commission (FTC). The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Filing a complaint also helps the FTC gather more information about identity theft and the problems victims are having.

For more information, go to: http://www.consumer.gov/idtheft/.

Please do not reply to this message. For any inquiries, contact Customer Service.
Credit Union National Association, Inc – Copyright © 2007

They’re using an interactive voice system with an American (Washington state) telephone number! It’s probably a VoIP number, and the IVR is predictably a little shabby, but it’s a huge step forward in sophistication. The voice recording collects a 16-digit card number, the expiration date and the ATM PIN with a confirmation. It then tells you you’ve been validated, thanks you and hangs up.

The voice sounds like it’s pulled from a text-to-speech program since the perpetrators are likely not native English speakers. It wouldn’t be as convincing if there was a thick Russian accent, now would it? :)

Although it feels like Snopes-bait, this might be one to talk to your less-sophisticated friends about. People still trust the telephone system and while there are 100 clues why this isn’t legit, the absence of the traditional link (and horrible grammar and spelling) might lower some people’s guard.
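The pattern in this email (an account-lockout claim, a phone number as the only call to action, and no link other than a reference site) is something a mail filter can look for. The sketch below is an added example, not part of the original post; the signal names, the reference-host allowlist and the phone number are assumptions, and the sample text is abridged from the email above with a constructed number.

```python
import re
from urllib.parse import urlparse

# North American numbers such as (360)-555-0142 or 800-555-0100.
PHONE = re.compile(r"\(?\b\d{3}\)?[\s.-]{0,2}\d{3}[\s.-]\d{4}\b")
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
CALL_VERB = re.compile(r"\b(call|dial|phone|contact)\b", re.I)
LOCKOUT = re.compile(r"\b(deactivat|suspend|lock|restrict|disabl)\w*", re.I)
# Assumption: hosts that are informational only, never the call to action.
REFERENCE_HOSTS = {"consumer.gov", "ftc.gov"}

def _is_reference(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in REFERENCE_HOSTS)

def callback_phish_signals(body):
    """Return the callback-phishing signals found in a message body."""
    signals = []
    for m in PHONE.finditer(body):
        # Look for an instruction to call in the 80 characters before the number.
        window = body[max(0, m.start() - 80):m.start()]
        if CALL_VERB.search(window):
            signals.append("call_to_action_number")
            break
    if LOCKOUT.search(body):
        signals.append("account_lockout_claim")
    links = [u.rstrip(".,)") for u in URL.findall(body)]
    # Link-reputation checks have nothing to score when every link is benign.
    if all(_is_reference(u) for u in links):
        signals.append("no_actionable_link")
    return signals

def is_callback_phish(body):
    return len(callback_phish_signals(body)) == 3

# Constructed sample: abridged from the email above, with a fictitious number.
SAMPLE = (
    "Dear Credit Union Customer,\n"
    "To take advantage of our new consumer Identity Theft Protection Program "
    "we had to deactivate access to your card account.\n"
    "To activate it please call us immediately at (360)-555-0142\n"
    "For more information, go to: http://www.consumer.gov/idtheft/.\n"
)
# Constructed benign message: a phone number, but an ordinary link and no lockout.
BENIGN = ("Your order has shipped. Track it at https://shop.example/orders/123. "
          "Questions? Call us at 800-555-0100.")

if __name__ == "__main__":
    print(callback_phish_signals(SAMPLE), callback_phish_signals(BENIGN))
```
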

5 Comments

  1. Don said:

    on October 31, 2007 at 11:36 am

    Glad you put this up; I found this post by Googling for a couple of phrases in the message I just got, which is identical except for the phone #. It really had me going for a few seconds, until my bullshit detector kicked in. So far, this is the only hit Google brought up. I’ll definitely forward it to my contacts with an appropriate warning.

  2. Dan G. Switzer, II said:

    on October 31, 2007 at 12:19 pm

    It still amazes me that these kinds of fraud attempts are still successful enough to keep on doing. It amazes me that *anyone* buys anything from a spam message they get. Obviously there’s enough people actually spending/sending their money in that it’s making it well worth the trouble spammers go through to put that spam out there…

  3. Scott said:

    on November 1, 2007 at 8:54 am

    Speaking of phone scams, I got paranoid this morning when I received a call from a web site I had recently ordered stuff from. They were saying my credit card had been declined, and would I like to use another card.

    I asked if I could correct my order on the web site. The caller said no, it had to be over the phone. Hmm…

    I told the guy I’d have to call back. I looked up the phone number on the web site. It didn’t match the one the caller called from. So I called the toll free number and asked what was going on.

    Turns out everything was kosher, they really did have problems with the card. The phone number didn’t match because of some weirdness with their outgoing phone system. But I could easily imagine things being otherwise. I would have been reading my credit information to some random dude over the phone.

    DON’T give out your information on a call you did not initiate yourself, or a phone number you cannot verify!

  4. Pete Martin said:

    on November 1, 2007 at 12:03 pm

    CUNA is on to this scheme: http://www.cuna.org/newsnow/07/system110107-1.html

  5. steve said:

    on November 1, 2007 at 1:10 pm

    Just like what Don said above. Thanks for posting this. I found your post by Googling some of the text of the message. And thanks to Pete too for the link to CUNA.
