Member security: Smishing, vishing, phishing and impostor site attacks continue to rise

OCCU - 07.19.2023

OCCU members, nonmembers and team members continue to see a surge in smishing, vishing, phishing and impostor website scams, even occasionally experiencing a mix of these attack strategies.  

According to estimates from the information security industry, less than 35% of people know about these various attacks and the dangers associated with them. In 2020, the Internet Crime Complaint Center reported nearly 250,000 victims of these scams with losses in the vicinity of $55 million. Attacks since 2020 have increased more than 300% and losses are soaring. Read on to learn more about these types of fraud and ways you can stay safe and keep your financial information protected. 

What’s smishing?  

Smishing attacks have become the most common and usually target entire regions. Attackers send text messages to mobile phones in a wide-net attack, blanketing a region’s mobile phone numbers (and thereby reaching members and nonmembers alike) with a message deliberately designed to appear as though it comes from OCCU or another financial institution. Wells Fargo, Citi and Bank of America have all been targets. 

The messages appear urgent, indicating things like a suspicious transaction has occurred or an account has been locked for a myriad of reasons. The message will include either a phone number that redirects the caller to the fraudsters or a hyperlink to a website that looks very similar to the credit union or bank mentioned in the text. (These similar-looking sites are called impostor websites in the information security world.)  

What’s vishing?  

Vishing attacks occur when fraudsters phone a member and claim to be calling from the credit union (or bank). The fraudsters use technology to spoof our phone number, so the caller ID looks like ours even though the call is not actually coming from it. In these cases, the fraudsters are often sitting at a computer, ready to use the information they get from the victim to reset the member’s online banking password right then and there! The attacker triggers a password reset and asks the member to read back the security code that the online banking system sends. What is actually happening is that the member is receiving a real multifactor authentication code for the password reset; once the attacker has that code, the password reset succeeds and the attacker begins conducting transactions on the member’s account.  

What’s phishing? 

Phishing attacks are the old tried-and-true attacks that arrive by email. They attempt to trick the recipient into clicking an embedded link that redirects to an impostor website, or into opening an attachment that launches malware, which can take over the computer or allow the attackers to log in or control it remotely. This type of attack can sometimes also give the attacker access to the recipient’s contact list and send emails that appear to come from the victim! 

What are impostor websites? 

Impostor websites can be established to either stand alone or be used in coordination with any of the above scams. In a stand-alone attack, an attacker will “scrape” the OCCU website and establish a new page on the internet. Sometimes the URL or address of the website has also been stolen from another company that is not even aware that traffic has been redirected there. Other times, attackers may purchase a URL and establish their own website. Once the page has been established, the attacker also can register the page with internet search engines, like Google, to try to trick people into clicking the link when they search for “OCCU” or similar. The attackers also use these same links in smishing or phishing attacks.  

What does OCCU do to prevent and respond to these attacks?  

The attacks are incredibly difficult to stop as the attackers can continue to send messages until law enforcement (FBI, the Secret Service) can identify the attackers. Many of these attacks originate outside of the United States, and the investigative process is lengthy and fraught with hurdles.  

When OCCU is made aware of a fraudulent website, our Information Security Team immediately works with security experts to get the website-hosting company of the impostor webpages to take them down. In almost all circumstances, the hosting company takes down the impostor webpages quickly and without reservation. This also holds true for those situations where an impostor uses embedded links in social media campaigns. Facebook, Instagram, Twitter and other social media companies have all been cooperative when asked to remove a fraudster’s information, but the process can be lengthy.  

OCCU advises members about how to protect their data, and if your MyOCCU Online & Mobile banking credentials have been compromised, we will lock the account and help you create new online credentials.  

Education and prevention are only as effective as your cooperation. If you continue to fall victim to attacks or fail to purge malware from your own systems, then attacks may happen again.  

OCCU takes these threats seriously and continues to invest in technologies to keep our members safe and thwart the attackers. OCCU has many safeguards in place, and with the pace of attacks increasing and becoming more sophisticated, we are preparing to deploy more mitigation technology strategies to block the attackers from accessing members’ accounts.  

Our marketing and communications teams continually share tips and educational articles about banking safely, keeping personal information safe, etc., and post alerts in online and mobile banking when we become aware of a spike in activity. But we don’t want members — or team members — to rely only on these alerts as attacks and scams are ongoing!  

Is my money safe?  

Credit union members have protection from false electronic transfers via 12 CFR Part 1005 — Electronic Fund Transfers, frequently referred to as Regulation E. In most cases, if members notify us within the given time parameters, OCCU can issue provisional credit while an investigation is conducted or immediately have the funds refunded from recipient financial institutions. It is imperative that you notify us as soon as any irregularity is observed in online activity or transactions on your statements. 

What can members do?  

Members must stay vigilant to activity on their accounts and credit reports. OCCU’s MyOCCU Online & Mobile banking allows for multifactor authentication to help members strengthen login requirements by requiring a code be sent to their mobile device anytime a login to the system is attempted. It provides members the option to set alerts for a number of different transaction types. You can set up your account to notify you via a text message for every transaction that occurs on your accounts, from login activity to any money movement through all of our channels.  

If a member does not wish to receive these alerts, then it becomes all the more important that they are checking their statements every month. Per Regulation E, members have 60 days after the periodic statement to notify their financial institution of the error or the entire claim may be denied.  

Members should follow all of these security hygiene practices: 

  • Never give your debit or credit card to anyone to use; this includes family members. 

  • Use difficult-to-guess passwords and passphrases for online and mobile banking credentials. 

  • Turn on multifactor authentication (MFA) for all of your accounts whenever available. 

  • Turn on notification alerts for as much activity as possible. 

  • Review statements for fraudulent or erroneous activity monthly. 

  • If you receive an email, text message or phone call you are not expecting, contact the financial institution directly using its known telephone number. 

  • Avoid clicking links in text messages and emails that you are not expecting.  

  • Ensure the use of updated malware protection software on personal computers and mobile devices. 

  • Check your annual credit report. 

  • Notify the credit union if you suspect fraudulent activity on any of your accounts. 

  • Don’t use search engines to find our website. We have MyOCCU.org and have no intentions of changing our address.  

  • Look for variations of the MyOCCU.org address. Fraudsters are clever and will make the address appear similar, such as My0CCCU.org. 

  • Don’t let the pressure of a phone call or text message force you into giving up information. All OCCU staff understand the risks and will happily allow you to hang up and call us back or give assistance via our secured messaging system in MyOCCU Online & Mobile. 
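The look-alike address check described in the list above, written out as an added example (not OCCU’s code): it folds digit and Cyrillic substitutions such as 0 for o, rejects hosts that merely embed the brand name inside another domain, and flags small typo variants such as My0CCCU.org. The homoglyph table, the two-label "registrable domain" shortcut and the distance threshold are assumptions chosen for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed table of characters fraudsters swap in for look-alike letters
# (ASCII digits plus a few Cyrillic letters); extend as needed.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0455": "s", "\u04bb": "h",
}

def host_of(url: str) -> str:
    """Return the lowercase host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def fold(host: str) -> str:
    """Normalise Unicode and replace known homoglyphs with their ASCII look-alike."""
    host = unicodedata.normalize("NFKC", host)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in host)

def registrable(host: str) -> str:
    """Assumed shortcut: last two labels (a real check would use the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str, legit="myoccu.org", brand="myoccu", max_dist=2):
    """Return (verdict, reason): 'legitimate', 'lookalike' or 'unrelated'."""
    host = host_of(url)
    if host == legit or host.endswith("." + legit):
        return ("legitimate", "host is the real domain or a subdomain of it")
    folded = fold(host)
    if registrable(folded) == legit:
        return ("lookalike", "homoglyph substitution")          # e.g. my0ccu.org
    if brand in folded:
        return ("lookalike", "brand name embedded in another domain")
    if edit_distance(registrable(folded), legit) <= max_dist:
        return ("lookalike", "typo or extra-character variant")  # e.g. My0CCCU.org
    return ("unrelated", "no resemblance to the real domain")
```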

Watch Phishing and Smishing, with Matt Wilson, OCCU on YouTube.