Hawaii State Federal Credit Union

What is phishing?
Phishing (or vishing) is an attempt to obtain sensitive information regarding a consumers account that could be used to fraudulently obtain information, money or loans.

The perpetrators of phishing attempts are trying to fraudulently acquire sensitive information, such as passwords and credit/debit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using e-mail or an instant message, though they are now appearing in phone text messages. Again, these phishing attempts appear to be official, advising that the recipient must take action or something will happen to their account(s).

It is important to note that no reputable financial institution would ask for sensitive data (like social security numbers, PIN codes or account numbers) via e-mail, IM or through phone text messages.

How did the perpetrators get our members’ e-mail addresses?
Phishers use randomly generated e-mail addresses (created through software) or utilize stolen e-mail lists. Some also obtain lists of e-mail addresses that were purchased on the black-market or from reputable companies before the Privacy laws took effect. The perpetrators did NOT obtain members’ e-mail addresses from HSFCU.

How to spot a phishing e-mail?
Phishing e-mail messages, and the websites they link to, typically use familiar logos and familiar graphics to deceive consumers into thinking the sender or website owner is a government agency or a company they know. Sometimes the phisher urges intended victims to "confirm" account information that has been "stolen" or "lost." Other times the phisher entices victims to reveal personal information by telling them they have won a special prize or earned an exciting reward. Look for these red flags in the e-mail:

It asks you to provide personal information such as your credit union account number, an account password, credit card number, PIN number, mother’s maiden name, or Social Security number.
It does not address you by your name.
No confirmation of the company that does business with you, such as referencing a partial account number.
It warns that your account will be shut down unless you reconfirm your financial information.
It warns that you’ve been a victim of fraud.
It contains spelling or grammatical errors.

How can the members reduce their risk to being "phished" in the future?
There is no way to absolutely eliminate the risk of receiving a phishing attempt. The most important thing to remember is not to respond, however, here are a couple of ways to help protect yourself:

View any e-mail request for financial information or other personal data with suspicion.
Do not reply to the e-mail and do not respond by clicking on a link within the e-mail message.
Contact the actual business that allegedly sent the e-mail to verify if it is genuine. Call a phone number or visit a website that you know to be legitimate, such as those provided on your monthly statements.
Do NOT send personal information (e.g., credit or debit card number, Social Security number, or PIN) in response to an e-mail request from anyone or any entity.
Be cautious. Check your monthly statements to verify all transactions.
Forward any e-mail messages claiming to be from HSFCU (or your Visa/Mastercard card issuer) asking you to provide your personal account information to HSFCU.
Change your e-mail account regularly.

Reporting Suspicious E-mail / Phishing Attempts
If you received a suspicious e-mail message and you’re not sure if it is legitimate, please report it here.

Members may obtain additional information regarding this subject from: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm

Just When You Thought it Was Safe: Vishing Makes a Splash on the Web

Leave it to Internet crooks to be endlessly inventive. As soon as one scam is discovered, another one takes its place. The latest innovation in identity theft is a variation on phising called "vishing," or voice fishing. The first recorded incident took place in June of this year, involving a bank in Santa Barbara. A second incident, involving Paypal, occurred in early July.

Similar to the typical phishing scam, vishing involves contacting potential victims by e-mail or phone, usually to alert them that their credit card has been used illegally or that someone has been trying to gain access to their account. Rather than direct targets to a phony corporate web page, vishing scammers instead ask victims to call a toll-free number. This leads to a recording that prompts cardholders to verify their account number by entering it on the keypad. If the target does as instructed, he or she becomes fair game for identity theft.

Vishing Made Possible by Internet Phone Service
The new world of Internet telephone service has made Vishing possible. For one thing, it’s easy to establish a Voice over Internet Protocol (VoIP) phone number immediately, through services like Skype or Vonage, without the same level of verification required for a traditional phone line. Thieves can establish a VoIP phone number with nearly the same ease as setting up a new email address. Also, Internet phone service allows for automated random calling, so a large quantity of potential victims in a specific area can be targeted, which has a number of obvious appeals for e-scammers. (Vishing, like phishing and related scams, is a numbers game.)

Most importantly, a VoIP phone number makes it easier for callers to mask their identity and location. Commonly known as spoofing, this practice makes vishing particularly effective. A criminal operating from anywhere in the world can give his potential victim a number to call that has the same area code, even the same prefix, as the financial institution with which that person holds an account. It is very believable - and believability is the identity thief’s bread and butter.

Advice on How to Avoid Becoming a Victim of Vishing

Common sense. Be suspicious of any caller who does not already know your basic personal details such as first and last name. Immediately hang up and report the call to the financial institution.
NEVER respond to a cold call. Even if you think the call is genuinely from your bank or credit card company. Instead, request the caller's name and extension and offer to call them back through the company's main number.
If you get a call from someone who claims to be from a financial institution with which you do business, and who knows your credit card account number but wants the three-digit code on the back of the card, immediately hang up and report the call to authorities.
If you get an e-mail message asking you to call a toll-free number to verify account information, delete the e-mail. Never provide personal information or account information based on an e-mail request.
Don't be fooled that the caller's phone number appears to be a regional telephone number—it could have been spoofed, which is easy to do using VoIP.

Source: www.identitytheft911.com

How to protect yourself from viruses while online:

• Always download the most current security updates for your internet browser.

Internet Explorer users visit

http://windowsupdate.microsoft.com

Netscape Navigator users visit

http://channels.netscape.com/ns/browsers

• Never respond to requests for personal information via e-mail.

Hawaii State FCU will never ask for any personal information in an e-mail. Be wary of e-mails which ask for your personal information, it can be a scam.

• Visit websites from your list of favorites or by entering the URL in your address bar.

Sometimes following links in an e-mail to a particular web site will take you to a spoofed site created by a scam artist who is looking to steal your information.

• Check to make sure the Web site is secure.

Before you enter any personal information, check to see if the web site uses encryption to transmit your personal information. In Internet Explorer you can do this by checking the yellow lock icon on the status bar located at the bottom right side of the screen.

• Routinely review your credit card and bank statements.

If you fall victim to identity theft:

• Immediately notify all three credit reporting agency’s fraud divisions and ask that your file be flagged with a fraud alert.

Equifax

1-800-525-6285

www.equifax.com

Experian

1-888-397-3742

www.experian.com

TransUnion

1-800-680-7289

www.transunion.com

• Report the crime to your local police or sheriff’s department.

• Notify your creditors and financial institutions to cancel all your accounts and set up new ones with new account numbers.

• Contact the Identity Theft Hotline at

1-877-IDTHEFT (438-4338).

Counselors will take your complaint and advise you on how to deal with the credit-related problems that could result.