Storm Worm virus

Around holidays, such as Valentine's Day, look out for spam e-mails spreading Storm Worm malicious software (malware). An e-mail directs the recipient to click a link to retrieve an electronic greeting card (e-card). Once the user clicks the link, malware is downloaded to the computer, which becomes infected as part of the Storm Worm botnet. A botnet is a network of compromised machines under the control of a single user. Botnets are typically set up to facilitate criminal activity such as spam e-mail, identity theft, denial of service attacks, and spreading malware to other machines through the Internet.

The Storm Worm virus has capitalized on various holidays in the last year by sending millions of spam e-mails with an e-card link included. Valentine's Day has been identified as another target.

FBI identifies recurring fraudulent e-mail scams

The FBI reports that cybercriminals are sending fraudulent e-mails to unsuspecting recipients about a complaint that has been filed with the Department of Justice, the Internal Revenue Service, the Social Security Administration, or the Better Business Bureau. They claim that the complaint names the recipient or their company.

The e-mails appear to be legitimate messages from the above departments. They address the recipients by name, and other personal information may be contained within the e-mail. The scam appears to be an effort to secure Personally Identifiable Information (PII), such as Social Security numbers and birthdates. The nature of these scams is to create a sense of urgency for the recipient to provide a response by clicking on a hyperlink, opening an attachment, or initiating a telephone call.

The FBI suspects this e-mail refers to a complaint that is in the form of an attachment, which actually contains virus software designed to steal passwords from the recipient. The virus is wrapped in a screensaver file, which most anti-virus programs are unable to detect as malicious in intent. Once downloaded, the virus is designed to monitor user name and password logins, and record the activity, as well as other password-type information, entered on the compromised machine.

Vishing attacks increase

Many people have received an e-mail, text message, or telephone call, supposedly from their credit card or debit card company directing them to call a telephone number to re-activate their card due to a “security issue.” The IC3 has received multiple reports of variations of this scheme known as "vishing."

Vishing operates like phishing, with scammers trying to persuade consumers to divulge their Personally Identifiable Information (PII), claiming that their account was suspended, deactivated, or terminated. Recipients are directed to contact their financial institution via a telephone number provided in the e-mail or by an automated recording. Upon calling the telephone number, the recipient is greeted with "Welcome to the (name of bank or credit union) …" and asked to enter their card number in order to resolve the pending security issue.

For authenticity, some fraudulent e-mails claim the bank or credit union would never contact customers to obtain their PII by any means, including e-mail, mail, or instant messenger (but not by telephone). These e-mails further warn recipients not to provide sensitive information when requested in an e-mail and not to click on embedded links, claiming they could contain "malicious software aimed at capturing login credentials."

A new version recently reported involves sending text messages to cell phones, claiming the recipients' online banking account has expired. The message instructs the recipients to renew their online banking account by using the link provided.

Loss Prevention Recommendations:

- If you have received these, or similar e-mails, file a complaint at www.ic3.gov. The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
- If you have a question concerning your account or credit/debit card, contact your financial institution using a telephone number obtained independently, such as from your statement, a telephone book, or other independent means.
- Educate your membership on “Phishing and Vishing.”
- Post warnings on your Web site, in newsletters, and in branch lobbies.
- Post a notice on your credit union's Web site, stating that you will never solicit personal or private information via e-mail.
- Be wary of any e-mail received from an unknown sender.
- Do not open unsolicited e-mail.
- Do not click on any links provided in unsolicited e-mails.
- If a member is a victim of phishing or vishing, take appropriate steps:
  - Block and reissue the compromised credit/debit cards.
  - Report the incident to the credit bureau.
  - Order a credit report.
- A good resource for this topic is The Anti-Phishing Working Group.
- If you have been victimized by a spoofed e-mail or Web site, you should contact your local law enforcement, U.S. Postal Inspector, or the FBI.

Someone Wants Your Numbers. Be on the Lookout!

Online fraud and phishing scams are on the rise. What is phishing? Phishing is when someone sends you an email pretending to be a financial institution or other company and requests your credit card or other personal information. Once the thief obtains your information, they use it to steal your money.

If you receive an email from someone you don't know, or if any financial institution contacts you via email and asks for personal information, use extreme caution. The emails associated with phishing scams always appear legitimate. They may even have identical logos and language as an email you would expect from your bank, credit card company or credit union.

The fact is, while most institutions send emails from time to time, most companies these days will never request your information out of the blue. Often phishing scams attempt to steal your information by alerting you to some "problem" with your account and threatening to cancel your account if something isn't done immediately.

The best rule is: If you receive any email regarding your financial information that requests passwords or other information, call your financial institution and verify that it is legitimate. And remember, at SSCU, we will never request your passwords or personal information in any email.

 

CUNA target of new card-activation phish attempt! 

CUNA (NOT CUNA Mutual Group) is being used as the subject of a phishing message targeting credit union members to collect personal account information, plastic card numbers, and passwords. CUNA is warning people who receive the e-mail not to click on the link to the fake web page; just delete the message.

This new phishing-scam attempt, using the Credit Union National Association's name, informs recipients about "irregular check card activity" and advises them to call a toll-free number to get any restrictions removed. Calling the toll-free number is a "bad idea," says Dorothy Steffens, CUNA's vice president of web services, 800-356-9655 ext. 5719. The call is a ploy to get personal account information, possibly for identity theft purposes.

Recipients received the following message:

"CUNA Alert: Irregular Check Card Activity" 

"We detected irregular activity on check card on Oct. 25/2007. For your protection, you must reactivate your card. Call us immediately at 1.866.840.2863. We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account.

Please disregard this notice if you have already accessed the website or spoken with one of our representatives."

As a trade association for U.S. credit unions, "CUNA does not maintain any type of customer/member financial information," emphasized Steffens, adding that "your financial institution would never request personal identification information over the phone."

And while this phone number has since been disabled, a new phishing e-mail with a different phone number started making the rounds on October 30, 2007. 

 "Anyone responding to any e-mails of this type should contact their financial institution directly using the phone number provided by it," she said.

Also, another phish making the rounds earlier with CUNA's name on it comes from a gmail.com address and addresses "Credit Union National Association SERVICE." It says CUNA ensures security "by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service." It provides a "case ID" and a link to a fake website mimicking CUNA's.

* IF YOU RECEIVE THESE E-MAILS PLEASE CONTACT THE CREDIT UNION AS SOON AS POSSIBLE AND DO NOT RESPOND!*

 

Account Fraud via TDD (TTY).

Recently, USAlliance Federal Credit Union and other credit unions received relay phone calls through IP Relay or other TDD (TTY) services. In each call, someone other than the member tried to obtain account information on the member's account. The caller had the member's social security number or the member's name.

The caller didn't receive any account information because they were unable to provide the member number and PIN for the accounts. In one of the calls, the caller said he needed the account balance information urgently because he wanted to send money to his cousin via Western Union. The IP Relay supervisor then alerted the credit union that IP management believed the call fit a pattern of fraudulent and illegal activity.

Telecommunications Relay Service, also known as TRS, Relay Service, or IP-Relay, is an operator service that allows people who are Deaf, Hard–of–Hearing, Speech–Disabled, and Deaf/Blind to place calls to standard telephone users via TDD (TTY), personal computer or other assistive telephone device. Most TRS operators use regular keyboards to transcribe spoken voice as text for relaying. However, some TRS services may use stenotype or stenomask equipment, similar to those used by court reporters and closed captioning systems.

None of the members whose accounts were attacked were hearing impaired or had ever used any of the above services. A telecommunications device for the deaf (TDD) is an electronic device for text communication via a telephone line, used when one or more of the parties has hearing or speech difficulties. Another name for TDD is TTY (telephone typewriter or teletypewriter).


BEWARE OF FRAUDULENT AMERICAN EXPRESS TRAVELERS AND GIFT CHEQUES

American Express Company issued a fraud advisory about counterfeit Travelers Cheques and Gift Cheques. The upcoming holiday season is a prime time for an increase of counterfeit checks being presented at retail businesses and financial institutions.

- Be cautious of Travelers Cheques in $500 and $1,000 denominations since they are rarely sold.
- Gift Cheques are only valid in $10, $25, $50, and $100 denominations.
- American Express does not pay counterfeit checks, so it is imperative you validate the American Express Cheques before accepting them.
- 1-800-525-7641

 

TJX Corporation Hacked into! 

If you have shopped at TJ Maxx, Marshalls, Home Goods and any other TJX Corp. stores there is a chance that your check card or credit card could have been compromised. If you have not been contacted by the credit union please call us to check and make sure your card was not affected. Here is a link on this story from MSNBC's Website.

 

2/15/2007 - Click here for an Important Customer Alert from TJX Corp's CEO concerning their updates on their recent Security Breach.

 

Debit Card Information Theft Is On The Rise!

Despite the latest in security and electronic encryption methods, SSCU and many other financial institutions around the globe have members whose debit card information has or will unfortunately be compromised. Once this happens, thieves make fraudulent purchases, causing many headaches for the victims.
The focus of this problem is not on the banks or credit unions, but on the retail outlets and third-party companies that may not have as strict security measures for customer debit card information. Hackers target these institutions and sometimes gain access to the areas where customers' information is stored.
A good way to protect yourself and your account  regularly on Flashtalk and online. Also, check your statements and balances regularly to ensure nothing is unusual about your account. Another smart way to protect your debit card information is by only using reputable, well-known companies when shopping online or over the phone.

 

Direct Deposit Helps Protect You From Identity Theft

Direct deposit can actually reduce your risk of identity theft. When your paycheck goes directly into your account, there is no chance your check will be stolen or cashed by someone other than yourself. There is also no chance that someone can copy any personal information from your check.
With identity theft becoming a growing problem, it's smart to protect yourself by always shredding important personal documents you no longer need and by keeping personal documents you do need in a safe place. Also, never give any personal financial information or your Social Security number to anyone requesting it over the phone or by email.
It's important to monitor your credit report yearly to ensure no one has established false accounts in your name, and that everything in your report is correct. To request a free credit report (one from each credit agency per year) just log onto www.annualcreditreport.com or call 877-322-8228.