Several IU Credit Union members this week were the target of a "fairly sophisticated" fraudulent phishing e-mail scam designed to steal users' account information, debit card numbers and PIN codes. Mark Weigle, the credit union's vice president of management information systems, said they know of at least 15 to 20 people who have responded to the e-mail and have had some of their credit information compromised. Their accounts have been shut down to prevent any illegal transactions from taking place.

"Phishing attacks have two parts -- an e-mail and Web component," said Alex Tsow, an Informatics visiting research associate. "Typically the e-mail is a spoof message appearing to come from someone of trust asking you to follow a Web link that requests personal information. That Web page is actually fraudulent, and just someone pretending to be that company."

In the case of the credit union, many of its members received the phishing e-mail this week informing "IU Credit Union Customers" that they must respond with an update of their account information, including debit card number, debit PIN code and expiration date, or their account will be deactivated and deleted.

Weigle said people should immediately be able to tell the request is not legitimate because it is the credit union's policy never to solicit that kind of information via e-mail, and it never refers to its users as "customers" but instead as "members". He added that the Web address on the link was clearly not that of the credit union.

Despite these differences from a legitimate credit union message, Weigle said that on the surface the e-mail could easily be taken for one actually sent by the credit union, and the "surface" of the fake Web site closely matched the actual one.

Informatics graduate student Jacob Ratkiewicz, who specializes in phishing technology, said people should be suspicious any time they receive an e-mail requesting that they "update their account information", especially if it contains a threat saying that the account could be deactivated.

Tsow added that the best way to avoid being a victim of phishing is to simply navigate independently to the site instead of following a link on the Web page. That way any type of phony link can be bypassed.

Weigle said users' birth dates, driver's license numbers and Social Security numbers were not being targeted, and the credit union is resetting account information that may have been compromised if someone responded to the message.

"We are closing their accounts and reopening them with new ATM, new debit cards and new checks," he said. "It's not totally painless, but at least they are protected from their old account."

Weigle said they do not know exactly how many of the credit union's members received the e-mail, but he said it was a seemingly significant number. While most people targeted had indiana.edu e-mail accounts, he said they have also seen addresses from other providers, including AOL and Yahoo, and even someone from Purdue.

At the credit union's latest count, Weigle said they have identified five separate Web sites that the phishing e-mail directed its victims to, and they believe only three have thus far been shut down. He added they believe the sites were set up on someone else's compromised server so that it would be very difficult to trace them back to the perpetrator of the scheme. He said the job of locating someone who did this would be the responsibility of the FBI or Interpol, since the majority of these schemes are conducted overseas.

Tsow said after reviewing the fraudulent e-mail it appears "pretty unsophisticated based on today's standards" as it is not as threatening as other large-scale Internet frauds. However, he said this illustrates a growing trend of smaller companies and banks being attacked, as they generally do less to educate consumers and the attacks draw less notice, tending to "fly under the radar" before it's too late.

Weigle said he encourages anybody to contact the credit union if they have responded to the e-mail or if they have received the e-mail and think they are at risk.

"The sooner we know about that they have responded (to the e-mail) we can take care of monitoring their accounts," he said. "This (site) looked very close to ours and without thinking someone could easily have clicked on that link."

The IU Credit Union's Web site is www.iucu.org. A helpline is available at 855-7823.
IU Credit Union members scammed
15 to 20 customers may have had their accounts compromised



