Questions and Answers about Phishing and Pharming

What is phishing?

Phishing is the practice of sending an e-mail that appears to be from a financial institution with the goal of persuading on-line banking users to share sensitive information that can be used to commit fraud or identity theft. If users click on the email, they are directed to a “spoofed” site, which appears to be the financial institution’s site, but is actually a reproduction created to collect information such as the user name and password.

Are phishing attacks common?

Phishing attempts hit an all-time high in March 2006, when more than 18,500 attacks were reported for the month to the Anti-Phishing Working Group.

What about pharming? How does it differ from phishing? Should I be worried?

Pharming redirects Internet users from a legitimate web site to a “spoofed” or imitation site. Computer users might think they are visiting a legitimate online shopping site, for example, but instead are taken to a different site with a similar name. This “pharming” site is used to steal information such as credit card numbers, account numbers, passwords or Social Security numbers.

Cyber-criminals use the personal information they gain from phishing and pharming to commit identity theft or fraud.

What measures does Motor City Co-op Credit Union take to protect online banking users from these types of online attacks?

Our online banking users are protected by multi-factor authentication and the ability to personalize the site by choosing the colors and backgrounds that are displayed when they use online banking. That lets online banking users know whether they are on the right site or whether their online experience has been hijacked by someone attempting to steal their personal information.

Until recently, most financial institutions let online banking users log into their secure interactive sites with a PIN and a password, which means they were relying on a single factor for proving, or “authenticating,” the user’s identity.The Federal Financial Institutions Examination Council (FFIEC) has recommended that financial institutions begin using multiple factors to prove identification to log into online banking by year-end 2006.

We have already adopted multi-factor authentication. We now use three steps to authenticate user’s identity:

  1. The first step consists of a random security code generated by the server. The user views this code and then enters it on the same screen as the account number.This proves that a real person is accessing the screen, rather than a hacker’s computer that is making an automated attack to try to gain entry.
  2. Second, we ask users to answer a “challenge question” containing information that is known only to the authorized user.Once the correct answer has been entered, the user is directed to submit a user name and password. The challenge question is skipped if the computer is already registered with the server.
  3. The final step involves entering a personal identification number (PIN) and viewing an image known as a “security key.” The security key is selected by the user and can be either text- or picture-based. This key helps users verify that they are on the genuine financial institution site, rather than a “spoofed” site operated by online criminals aiming to steal personal financial information to commit identity theft or fraud.

How are you telling online banking users about the phishing attack?

A notice will be posted on the front page of our Web site under Consumer Alerts. Employees would inform members who visit the branch or contact us by telephone to let them know about the phishing attack. We would also have signs posted in our branches and at drive-up windows.

Are financial institutions the only targets of phishing attacks?

No. Phishers also target online merchants and credit card companies.

What should I do if I receive an e-mail that appears to be a phishing attack?

  1. First, do not click any links within the e-mail or respond directly in any way. Close your browser to get the e-mail off your screen.
  2. Second, contact the organization that is listed as the sender of the e-mail. They will let you know whether it is authentic. You can get their contact information by going through the Internet, but again, do not click on any links within the e-mail. Instead, open a fresh copy of your browser and enter the URL or perform a search on Google.
  3. If the e-mail is fraudulent, they may ask you to send them a copy so they can share it with the authorities. If not, then delete it from your system.

I already responded to the e-mail and shared personal information. What should I do?

Start by reporting it to the organization that was listed as the sender of the e-mail. In addition, you should report it to local law enforcement. Change your user name and password access for the affected accounts. Finally, monitor your financial accounts, including credit card accounts, for unauthorized activity.

Is phishing related to identity theft?

Some phishers attempt to gather personal information that can be used for identity theft, such as Social Security numbers and information about financial accounts. If you think you might be the victim of identity theft, it’s important to monitor your credit report in case anyone opens unauthorized credit accounts in your name. Again, you should always monitor financial accounts, including credit card accounts, for unauthorized activity.

How can phishers and pharmers make their e-mails and fake Websites look so real?

Over time, cyber-criminals have learned to create messages that can seem to genuinely come from the legitimate site. They may “borrow” a company logo, copy the format and colors used on its Web site, or imitate the language used in the organization’s real communications.

How can online banking users stay safe online?

We recommend these five steps:

  1. Never click on e-mail links.
  2. Enter Web addresses in the browser bar instead of using e-mail links.
  3. Never share financial or personal information by e-mail.
  4. Tell Motor City Co-op Credit Union about suspicious e-mails that contain our name or logo. Inform other organizations if you suspect they are being “phished” or “pharmed.”
  5. Check accounts regularly to spot fraud or unauthorized account access.