Avoid Becoming a Victim of Business Email Compromise and Phishing Attempts
Oct. 03, 2022

Key takeaways from this article:
- Always be cautious
- Don’t open links in text messages or give personal information over text
- We will never call, text, or email you requesting passwords, PINs, or other identifying information. When in doubt, hang up and call us back.
Hackers never sleep. Since the global COVID pandemic has changed the way many of us work and handle personal business, malicious social engineering attack attempts have skyrocketed.
We’ve seen, at the business level, a massive increase in daily phishing attempts. Phishing takes many forms, and it is not limited to business targets, but the general formula is that an attacker is trying to engage an employee in a way that looks like a valid part of daily business. In the past, we would see these framed as shipping notices or payroll questions. Now, the majority are emails designed to look like expired password notices, secure document pickups, or voicemails.
Attackers are “phishing” for credentials. You might think of credentials as just a username and password to a website, but for businesses, one set of credentials could give access to many different systems. In this case, we’re looking at a phish that turns into a BEC (Business Email Compromise).
It is almost trivial to spoof an email address. It would take me only a few minutes longer to send an email that looked like it was from [email protected] than it would take to send an email from my real account. However, most commonly used email providers (e.g., Gmail, Outlook.com) have gotten better about warning their users of potential spoofs. You may have noticed a banner on an email like this:

That’s where a Business Email Compromise becomes so valuable to hackers. If they can gain access to a legitimate email account, this type of protection no longer applies, because the message really does come from the account it claims to come from.
So, what can you do as a member to protect yourself from such attempts?
The key defense is generally the same as other attacks: Always Be Cautious. Suspicion is key and can be scaled appropriately. I am much more cautious with my internet banking services than I am with my streaming services. Look for awkward uses of language or misspelled words. Look for an aggressive tone: “IF YOU DON’T RESPOND RIGHT AWAY, WE WILL HAVE TO TURN OFF YOUR DEBIT CARD!” Be wary of web links or requests to fill out a form. Never give any personal information unless you are absolutely sure of the sender.
Texts (SMS) can also be a risk. The IRS recently warned about phishing via text message. They published a short video with some good information.
Our fraud office does use text messaging to confirm possible fraudulent charges, especially when you are traveling. These texts will only ask you to confirm whether a specific charge is valid, and will ask for no other information. Otherwise, we will never ask for personal information or credentials via text.
When in doubt, give us a call at 1-800-444-5858 or email us. Our team will be happy to confirm if a message is legit, and if it isn’t, we can take measures to protect other members from similar attempts. You can also visit our fraud resources page to learn other ways to protect yourself.
Thank you for allowing us to be your financial partner. Be safe!
Eric Keyser
SVP/CIO
Pacific NW Federal Credit Union