An Important Message from CO-OP Financial Services
CO-OP Financial Services would like to share some basic fraud intelligence about intermittent scams that are currently operating in the state of Michigan and potentially other areas of the U.S.
Criminals in possession of card details and other forms of personally identifiable information (PII) are spoofing credit union phone numbers in an effort to fool credit union members into thinking that text messages are actually from the fraud department of a particular credit union. Fraudsters are sending text messages under the guise of trying to validate recent card activity and are including hyperlinks within some text messages.
Fraudsters are also using text messaging to deceive credit union members into providing card related data and log in credentials. Instances have been reported of fraudsters impersonating members to request a change in contact information such as mobile numbers. Fraudsters have also contacted credit unions, impersonating members to report upcoming travel as a means of lowering the monitoring of debit and credit card transactions.
Attacks to obtain personal information from credit union members are known as SMishing (SMS text phishing) and Vishing (Voice phishing). A typical SMishing occurrence can begin with a member receiving a text message inquiring about a suspicious transaction on an account. In reality, the fraudster is looking to obtain other information from members such as debit card numbers, CV2 codes, expiration dates, PINs and other web login credentials.
Below is a summary of items included on a valid fraud text message from CO-OP on behalf of a credit union and what items will NOT appear on a legitimate outbound message.
SMS/Text will include:
• CU abbreviated name
• Last 4 of Card #
• $ Amount in question (with dollar sign)
• Merchant Name
• Reply Options: YES, NO, STOP (to opt out)
SMS/Text will NOT include:
• Requests for CH data, such as card numbers, PINs, CV2 Codes, Expiration Dates
• Vague reference of “Merchant” Transaction details should be included
• Hyperlinks to unknown websites
• Phone Numbers as Hyperlinks
In another scenario, fraudsters are posing as credit union employees in order to obtain One Time Passcodes (OTP) from members. While on the phone with a member, the fraudster logs into a credit union online banking site. When the OTP is sent to the member’s phone, the fraudster asks the member to provide the OTP as a means to validate the member. When the information is shared with the person the member believes is a credit union employee, the fraudster uses the OTP to finalize access to online banking, which is typically followed by changing the online banking password and transferring funds from member accounts.
Suggested Best Practices for Members
• Be cautious when responding to SMS text messages as well as voice calls, even if they appear to come from the credit union.
• Call the credit union using a reliable phone number to question any SMS text messages or voice calls purportedly from the credit union.
• Never provide personal information in response to SMS text messages and phone calls purportedly from the credit union.
• Do not click on links included in text messages from unknown sources. Legitimate requests to validate card activity will request a simple response of YES or NO. They will not include hyperlinks to other websites or ask for any personal info.
If you have any questions, please contact
FraudTeamCO-OP@coop.org.
Click here to visit our Alerts, Financial Protection & Education page where you can keep updated on fraud and other scams, as well as ID theft protection and various resources to utilize.