First Problem: CU's ID Stolen. Second: Who To Call?

As a number of credit unions are finding out, it's all too easy for someone to assume the credit union's identity online. But many are also now learning that it's not so easy to track that person or persons down in order to prosecute them or even simply ask them to stop, in part because there is no one agency to turn to when it happens.

NCUA, for example, doesn't generally get involved unless something specific about a case gives the regulator jurisdiction in it, according to Cliff Northup, spokesperson for the federal agency.

"It's usually something for the FTC, but we'll post fraud alerts from time to time, and CUNA Mutual Group has its fraud alert system, too," Northup suggested. "Sometimes we may refer it to our general counsel. There's no standard process. We have to look at it on a case-by-case basis."

In the case of Century CU, St. Louis, where the credit union's website was literally copied word-for-word, font-for-font, logo-for-logo, NCUA was able to get involved because one of the logos copied on the bogus website was the NCUA-insured logo.

"At that point, we were able to step in," Northup explained. Initial calls by the credit union to the web hosting service on which the bogus site was set up failed to convince the web host to shut down the site. But after a call from NCUA and a few more by the CU itself, the site was shut down.

But to date no cease-and-desist letters have been sent out in the Century CU case because the person or persons responsible for the bogus site have not been traced.

So, if it doesn't really fall within the NCUA's purview, whose is it? Not the Federal Trade Commission's, according to FTC Spokesperson Claudia Bourne Farrell, who told The Credit Union Journal that unless there is spam involved, for example, the FTC wouldn't be the proper agency to call in, either. "This sounds like fraud, and that's criminal, and we don't get involved in criminal cases," she advised.

A credit union can go to the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit corporation that was formed to assume responsibility for the Internet address space allocation, protocol parameter assignment, domain name system management, and root server system management. But a credit union shouldn't expect a whole lot of help from ICANN, either.

Not The Internet Police

"We are not the Internet police," said ICANN's Mary Hewitt. "We don't (track) this kind of thing. I'm not sure anyone really does. I don't know that there's a lot of good information out there on this. It's tough because the Internet is global by its very nature, and it's difficult to pinpoint a single problem. There are 300-million domain names in the U.S. alone. Like I said, we are not the Internet police, we are not a consumer protection agency."

There are different avenues for recourse, but they can be expensive, and more to the point, it won't matter how much a credit union is willing to spend on such a project if the person or persons responsible can't be located.

"You can file a lawsuit, but of course, first you have to be able to find them," Hewitt commented. "If you can find them, you can also contact the person and ask for the domain back, in some cases they'll make you buy it back. But cheaper than filing a lawsuit is to go through the Uniform Dispute Resolution Process."

In stark contrast to how difficult it is to monitor this type of activity is how simple it is to engage in it. Setting up a website can be extremely inexpensive, and even free. "Of course, what happens is, when you get a freebie website and something goes wrong, you find out that there's a huge service fee," Hewitt noted.

But a scammer seeking to usurp a credit union's identity may not be that concerned about servicing, particularly since the scammer knows it's only a matter of time before the credit union he is trying to impersonate discovers the bogus site, and that's often only after a member has been victimized.

When Fort Jackson (S.C.) FCU realized someone was trying to use its identity on the web, it took swift action and also notified other CUs in the state to beware of this activity.

"We found out about the bogus site when a member mentioned something to us about it," FJFCU CEO Bill Koehler told The Credit Union Journal. "The site was at; our website is It was a domain name that we hadn't thought to register."

Despite using the Fort Jackson FCU name in the actual URL, there is no mention of the Fort Jackson FCU name anywhere else on the site. "It appears to be a legitimate credit company that links to other credit card groups, driving people to these sites by pretending to be us," Koehler explained. "We're waiting to hear back from the FBI. It looks like it's an overseas company. But if they're doing this to us, they're doing this to other credit unions, too. We're curious about what we can do, but it doesn't look like there's much. There just aren't a lot of rules and regs on the Internet."

That leaves the onus on credit unions.

Advice From One CU

"You do need to go out there and do a web search," Koehler advised. "I wish we had reserved any kind of domain name that was at all similar to ours or could be construed as ours. It's a scary thing. Credit unions are being targeted because our members are loyal, and we've developed a good reputation, and they want to cash in on that. Plus, they are preying on individuals who may have some credit problems, and many credit unions do try to help these kinds of people, so I guess that makes us a logical target."
