LAPD investigating USC credit union e-mail scam

LOS ANGELES -- While the Los Angeles Police Department investigated 16 identity theft crimes that occurred between Aug. 4 and Sept. 5 using student, faculty and staff accounts at the University of Southern California Credit Union, at least 1,000 fraudulent e-mails were sent to Credit Union customers in August.\nPeter Tom, vice president of member services at the Credit Union, said he did not know if the 16 cases under investigation were related to the fraudulent e-mails. \nFor the second time in a month, thousands of members of the USC community received a fraudulent e-mail that potentially compromised their financial accounts and personal identities. \nFirst-year graduate student Murtaza Motiwale unwittingly risked losing about $6,000 Aug. 31 when a fraudulent e-mail persuaded him to enter his USC Credit Union account number and password on a bogus Web site that strongly resembled the authentic one.\n"I don't know how I got fooled," Motiwale said. "I've been doing a lot of online banking, and I am usually pretty aware of that sort of thing." \nMotiwale was among the more than 1,000 USC students, faculty and staff who received an e-mail with instructions to verify their personal information within 48 hours or risk having their accounts blocked. The e-mail provided a link to a Web site that looked like the USC Credit Union Web site, except the black-and-red color scheme was transposed. \nMany customers clicked on the link but did not enter their account or personal information. \nRobert Layton, a first-year graduate student, said he did not respond to the request because he knew any legitimate financial institution would not ask for that type of information through an e-mail. \n"I don't give any personal information online or over the phone unless I initiated the conversation," said Layton, who has been a Credit Union customer for five years. \nTom said most customers fooled by the e-mail were students who opened new accounts during the summer. \nAfter Motiwale entered his account number and password, he was directed to an unfamiliar Web site requesting his personal information, like his name and address. \n"I immediately became suspicious and closed the window," said Motiwale, who then called the Credit Union. \nA customer service representative immediately froze his account and instructed him to either reset his password or come into the bank to open a new account. \nTom said he did not know how many people chose to reset their passwords but said Motiwale was one of at least 32 customers who, as of Sept. 6, chose to close their accounts and open new ones. \nThe Credit Union offered free replacement of all checks and financial cards, Tom said, but the process to open a new account took some customers more than two hours, depending on the complexity of their accounts. \nTom said fewer people were fooled by the Aug. 31 e-mail than by the similar e-mail sent Aug. 2 that motivated 60 people to close their existing accounts with the Credit Union.\nAlthough no one reported suspicious account activity, Tom suggested customers who entered more than their account numbers and passwords should take precautionary measures to prevent identity theft by selecting new passwords for their financial accounts and reporting the incident to the three major credit reporting agencies: Experian, Equifax and TransUnion. \n"Members should also periodically monitor their banking and credit card accounts and read our tips online," Tom said. \nIn response to the initial fraudulent e-mail, the Credit Union posted an alert and a set of guidelines for victims to follow on its homepage. \nWithin hours of noticing the second fraudulent e-mail, the Credit Union distributed an e-mail to all of its customers warning them of the scam, while Information Technology Services blocked computers within the USC network from displaying the fraudulent Web site. \nBoth sets of fraudulent e-mails were part of a phishing scam, which uses the trusted name of a well-known financial institution, online retailer or credit card company to convince recipients to divulge personal information such as their Social Security numbers and credit card account numbers.