HVFCU, along with many other financial institutions, has been the target of multiple phishing attempts. Before going any further, it is important to understand one point: HVFCU’s systems have never been compromised in a phishing attack. A phish does not break into the institution; it tricks the member into handing over credentials on a site the criminals control.
How Phishers Get & Use Your Email
Each phish is different and may or may not be perpetrated by the same criminals. Typically, the phish follows a similar pattern as described below:
Phishers start with a large database of email addresses that was compiled for sending spam. Such lists can be purchased online from overseas sellers for as little as $29.95 and contain millions of addresses. The phishers then extract a subset of the list for a phishing campaign, which is usually geographically targeted. For example, if the targeted institution is in Poughkeepsie, NY, they will do some quick research on the internet to find email domains associated with that area, including employers, Internet Service Providers, government agencies, etc.
Some spam lists provide even more detailed geographic information that is derived from “web bugs.” A web bug is a single-pixel image referenced in a spam email; you probably aren’t even aware the image is there. When you open the email with remote images enabled, your email program requests an individualized image (one URL per recipient) from a website hosting it. The spammers now have, in the web server log, an IP address that corresponds to your email address. With a simple lookup of that address, they can determine the geographical area in which you are located. Once automated, this is an effective tool, and with these and other methods, phishers can build focused attack lists without needing any information beforehand from the institution or its members. Setting your email program to block remote images until you choose to load them defeats this particular trick, because the image is never fetched. As good as these focused attempts currently are, every one of them has included large numbers of individuals who have no relationship with HVFCU and who are not from the geographic area that we are chartered to serve.
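To make the web-bug mechanism concrete, here is an added example (written for this page, not HVFCU’s or any spammer’s actual code) that shows both halves of the trick: how a sender derives a unique pixel URL per recipient, and how the web server’s access log is later read back to tie each recipient’s email address to the IP address that fetched the pixel and from there to a region. The secret, the tracker hostname, the log lines and the prefix-to-region table are all constructed for the example (the addresses are RFC 5737 documentation ranges, not real allocations); a real operator would use a commercial GeoIP database in place of the table.

```python
"""Added example: per-recipient "web bug" pixels correlated with server logs."""
import hashlib
import hmac
import re
from ipaddress import ip_address, ip_network

# Hypothetical sender-side secret used to derive opaque per-recipient tokens.
SECRET = b"constructed-demo-secret"
BASE_URL = "http://tracker.example/p/"   # hypothetical image host


def token_for(email: str) -> str:
    """Opaque 16-hex-char token that identifies one recipient without
    exposing the address itself in the URL."""
    normalized = email.strip().lower().encode()
    return hmac.new(SECRET, normalized, hashlib.sha256).hexdigest()[:16]


def pixel_html(email: str) -> str:
    """The 1x1 image tag embedded in the message sent to this recipient."""
    return f'<img src="{BASE_URL}{token_for(email)}.gif" width="1" height="1" alt="">'


# Combined-log-format request line for the pixel (Apache/nginx style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /p/(?P<token>[0-9a-f]{16})\.gif HTTP/1\.[01]" (?P<status>\d{3})'
)

# Constructed prefix-to-region table (documentation ranges, not real data).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "Poughkeepsie, NY"),
    (ip_network("198.51.100.0/24"), "Seattle, WA"),
]


def region_for(ip: str) -> str:
    """Crude longest-match lookup of an IP address in the constructed table."""
    addr = ip_address(ip)
    for net, region in GEO_TABLE:
        if addr in net:
            return region
    return "unknown"


def correlate(recipients, log_lines):
    """Map each recipient whose mail client fetched the pixel to the
    (ip, region) recorded in the web server log. First open wins."""
    by_token = {token_for(e): e for e in recipients}
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue                      # not a successful pixel fetch
        email = by_token.get(m.group("token"))
        if email is None:
            continue                      # scanner or unknown token; ignore
        ip = m.group("ip")
        hits.setdefault(email, (ip, region_for(ip)))
    return hits


# Constructed sample: three recipients; two opened with remote images enabled.
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def _log(ip: str, email: str) -> str:
    return (f'{ip} - - [10/Mar/2024:08:15:02 -0500] '
            f'"GET /p/{token_for(email)}.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"')


SAMPLE_LOG = [
    _log("203.0.113.45", "alice@example.com"),
    _log("198.51.100.7", "bob@example.net"),
    # A probe for a token that was never issued; 404 and ignored.
    '192.0.2.9 - - [10/Mar/2024:08:16:10 -0500] '
    '"GET /p/0000000000000000.gif HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for email, (ip, region) in correlate(RECIPIENTS, SAMPLE_LOG).items():
        print(f"{email:20} opened from {ip:15} -> {region}")
```

Carol never appears in the result because her client never requested the image, which is exactly what blocking remote images in your email program achieves: no request, no log entry, no address-to-IP link.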
Examining a Phish
In the past, we have had the opportunity to review the code from an actual phish as well as spam databases available over the Internet. We were surprised to discover that many phishers have the BIN codes (the first six digits of a card number, which identify the issuer) for tens of thousands of financial institutions that provide credit card services. If phishers can obtain your email address and the first six digits of your credit card number from an online transaction or by other means, they can easily determine which financial institution you do business with.
Additionally, we have examined spam databases that were so organized and detailed that they grouped area codes within a state and contained names, addresses, and the sex of the email address owners.
In prior phishing attempts perpetrated against HVFCU, member information was neither compromised nor used in any of the phishes. We do and will continue to review the security of our systems whenever a phish occurs. The phishers most likely hold a large set of email addresses that they believe could have an affiliation with HVFCU, based on geographic location or other factors, not a list taken from us.
Have You Responded to a Phish?
If you do follow the link in a phish and enter your personal account information on the fake website, you should consider your accounts compromised and call us at 845.463.3011 / 800.468.3011 immediately for assistance in blocking account and credit card usage. Once the phishers have your information, they will generally begin almost immediately to make purchases or ATM withdrawals with your credit/debit card, or to transfer money from your checking/savings accounts into a different account. They might even send a person into a physical branch to open an account into which the money can be transferred.