Presidential campaign operative John Podesta’s email was hacked earlier this year, reportedly as a result of spear phishing. Forbes reports that Podesta received an email that appeared to be from Google asking him to verify his account information. When he complied, he gave hackers everything they needed to access his account.
If Podesta could travel back through time, perhaps he would close the email in question, go to the Google site independently, and discover that there was no need to verify anything – the recommended protocol whenever you receive an unsolicited request for information.
Instead, Podesta was like many people who fall for socialized fraud schemes each year. For credit unions, these threats represent a dual concern: Members need help recognizing and avoiding potential threats, and so do credit union employees. Here are a few things to know:
Socialized Fraud Is Increasingly Sophisticated
These kinds of scams aren’t new, but they’re slicker than ever. While most people are hip to phishing emails from Nigerian royalty asking for bank information, according to Forbes the email Podesta responded to was personalized and linked to a convincing facsimile of Google. Spear phishing – a type of phishing that is targeted to specific individuals or organizations and that may contain some personal information as a kind of bait – is surprisingly potent. According to security firm FireEye, 70 percent of spear phishing emails are opened, and of those 50 percent actually entice the target to click a link or open an attachment.
In other news, phone-based fraud is also seeing a renaissance. Robocalling makes it relentless. And caller ID spoofing enables fraudsters to impersonate a familiar number on caller ID, so scammers appear to be legitimate when they call. How successful is fraud by phone? Consider one recent example:
“Since October of 2013, the U.S. Treasury Inspector General for Tax Administration, an IRS watchdog, has received nearly 2 million complaints from people who have reported phone calls from scammers pretending to be IRS agents,” writes Fortune. “More than 8,800 people have been duped out of a collective $47 million as a result.”
Although hundreds have reportedly been arrested in India in relation to the IRS scam, it’s unclear whether all of the calls have stopped. And of course, even when this scheme has run out of gas, another will be sure to follow.
Fight Back: Can You Avoid Being Scammed?
Credit unions should help members understand the dangers of socialized fraud schemes – and encourage them to fight back. “Consumers should be assertive,” says CO-OP Fraud Expert John Buzzard. “If someone calls a member saying they’re representing the credit union, the member should hang up the phone and actually call the credit union. Or get in their car and drive down to the branch.” Revealing account numbers, PINs or passwords over the phone, via email or in a link when the contact is unsolicited is always a bad idea. Let members know that your credit union will never contact them to ask for this information.
Another thing: “As people get older, they have a harder time picking up on deception,” Buzzard says. “Someone who is 70, 80, 90 years old is also going to have a hard time not picking up the phone, or not giving the caller the benefit of hearing their spiel. Younger members might want to talk to their parents or grandparents and let them know it’s okay to hang up if you can’t verify who you’re speaking with.”
Here’s an uncomfortable question: What if the target is your credit union?
Social engineering is also having a moment. What is it? The headline on this USA Today article says it all: “The Hacker’s Best Friend is a Nice Employee.” In this scenario, fraudsters manipulate your employees into revealing confidential information or otherwise acting against the best interests of your organization. For instance, an employee might let an unauthorized person into a secure area on the assumption that he or she is a legitimate visitor, or help a caller “remember” a password they claim to have forgotten.
Just as members need to know about the dangers of scamming, your employees need to be aware of the pitfalls of social engineering. Buzzard’s suggestions: Convene periodic meetings to discuss these types of security issues, or appoint an informal security team to keep staff informed and look for ways to bolster security. “Sometimes making time to discuss security helps to put these issues into focus,” he says.
John Buzzard hosts CO-OP’s FraudBuzz webinar on the third Thursday of every month. Update yourself on the latest security issues – and collaborate on solutions.