"Phishing" is the latest form of identity theft. It's when thieves act as if they are representing an organization and try to hook the consumer into providing personal or financial information. Once the consumer is hooked, the thieves can do lasting damage to a consumer's financial accounts. They can dupe customers into providing their Social Security numbers, financial account numbers, Online Banking password's, mothers' maiden names and other personal information.
Thieves often pose as:
• Financial institution
• Credit card company
• Online merchant
• Utility or other biller
• Internet service provider
• Government agency
• Prospective employer
How it Works
Consumers receive an email from an organization with which they do business. The email typically includes bogus appeals such as problems with an account or billing errors, and asks the consumer to confirm his/her personal information. Most emails ask recipients to follow an embedded link that takes them to an exact replica of the victim company's Web site. Graphics on the counterfeit site are so convincing that even experts often can have a hard time distinguishing the fake site from the real one. Despite the convincing appeals, consumers should not respond to unsolicited emails that direct them to divulge personal identifying information. Reputable organizations that consumers legitimately do business with generally do not request account numbers or passwords unless the consumer initiated the transaction.
Please note that 1st Capital Bank will never request identifying information, account information, or Online Banking password information via email. If you have any question regarding the validity of a phone call or email requesting account information, please call 1st Capital Bank Customer Service at 831-264-4000 prior to responding to the request for information.
Clues to identifying a “Phishing” eMail:
1. Awkward greeting - A phish may address the customer with a nonsensical greeting or may not refer to the customer by name.
2. Typos & Incorrect Grammar - This is a technique used by phishers to avoid email filters. The errors are intentional.
3. Source code points to a different website than the alleged sender - The link looks official, but when your mouse curser rolls over it the link’s source code points to a completely different web site. Remember that you can always type a URL into your web browser instead of clicking on a link.
4. Urgent call to act - Different approaches include things such as "We're updating our records," "We've identified fraudulent activity on your account," or "Valuable account and personal information was lost due to a computer glitch." To encourage people to act immediately, the email usually threatens that the account could be closed or canceled.
There has been a shift in the online criminal world from primarily targeting of individuals to increased targeting of corporations. Financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid online banking credentials belonging to small and medium sized businesses. Eastern European organized crimes groups are believed to be predominantly responsible for the activities that are also employing witting and unwitting accomplices in the United States (money mules) to receive, cash and forward payments from thousands to millions of dollars to overseas locations via popular money and wire transfer services.
How it Works
Typically compromise of the customer is carried out via a “spear phishing” e-mail which directly names the recipient correctly and contains either an infected file or a link to an infectious Web site. The e-mail recipient is generally a person within a company who can initiate funds transfers or payments on behalf of the business. Once the user opens the attachment, or clicks the link to open the Web site, malware is installed on the user’s computer which usually consists of a Trojan keystroke logger, which harvests the user’s corporate online banking credentials. Many types of spear-phishing have been used by criminal groups including messages impersonating the Better Business Bureau, US Court System, Microsoft Update, and UPS to name a few.
The customer’s online credentials are either uploaded to a website from where the fraudster can later download them, or, if the bank and customer are using two factor authentication system, the Trojan keystroke logger may detect this and immediately send an instant message to the fraudster alerting them of the secure web activity. The fraudster then accesses the financial institution through use of the captured username and password or through hijacking the secure web session.
The fraud is carried out when the fraudster creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as the legitimate user. These transfers have occurred through wire or ACH that are directed to the bank accounts of willing or unwitting individuals. Often within a couple days, or even hours of recruiting money mules and opening accounts, money is deposited and the mule is directed to immediately forward a portion of the money to subjects in Eastern Europe by various means.
It is recommended that businesses utilizing Online Banking for high risk transactions conduct a risk assessment of their individual risks and controls. Sample Corporate Risk Assesment
Guide to Information Privacy
The Internet Crime Complaint Center (IC3) - a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
Federal Deposit Insurance Corporation (FDIC) Identity Theft & Fraud Web Site
Anti-Phishing Working Group - The Anti-Phishing Working Group (APWG) is a non-profit global pan-industrial and law enforcement association focused on eliminating the fraud, crime and identity theft that result from phishing,pharming, malware and email spoofing of all types.
STOPFRAUD.GOV – The Financial Fraud Enforcement Task Force Federal Trade Commission TC Consumer & Privacy Resources