CHICO, Calif.-Joe Kelly had a rude awakening recently, when his members became targets of a text messaging scam.
Kelly, the CEO of STAR Community CU here, said early on the morning of June 14 a fraudulent text message was broadcast to hundreds if not thousands of AT&T mobile devices in the Northern California area. The text message indicated it was a "banking alert" from STAR CU instructing recipients to call a "secure phone line." But instead of this being a legitimate message from the credit union, it was an attempt to dupe people into calling a recording that asked for card holder information such as credit and debit card numbers, PINs, and passwords.
"I became aware of this scam about 6 a.m. as I monitor e-mails to the credit union using my BlackBerry device when the office is closed," Kelly said. "I was able to contact and alert other employees of the credit union before normal business hours as to what was happening."
At 8 a.m., when STAR's branches opened, Kelly said the phone lines were jammed by calls from members and others in the community who had received the fraudulent text message. Non-members were calling asking why the credit union had sent them a text message when they had no account with STAR.
"We acted quickly, which helped us head off potential losses," he told Credit Union Journal. "Other credit unions should know what we were confronted with if they ever face similar circumstances."
CU Strikes Back
STAR struck back on numerous fronts, including e-mail, newspapers, radio and television, Kelly recalled. He said within the first hour the credit union had posted a notice on its website advising members of the scam and had added an alert to its telephone answer message. STAR employed a new "E-blast" product it had recently obtained from its data processing vendor, which Kelly said facilitated the sending of an immediate alert to all of its members via an e-mail notifying them of the scam.
STAR contacted several local radio stations, who agreed to broadcast a Public Service Announcement indicating a fraudulent text message had been sent to AT&T subscribers throughout the region.
Later on June 14 contact was made with the local newspaper, which published word of the scam on its online edition of the paper as well as a print article which appeared the next morning. Three local television outlets broadcast an interview with a representative of the credit union, which was aired several times over the following two days.
"In all of the communications we had with our members, the public, the press and media we were careful to point out that this phishing scam was in no way the result of a compromise of credit union data; rather this was a result of an attack on AT&T mobile device users in which our credit union and potentially its members were being victimized," Kelly said.
In addition to the numerous telephone calls STAR received in the first few hours, it also received numerous e-mail inquiries. Member service representatives responded to each e-mail and telephone call using scripted information offering an explanation of what the credit union believed had happened and how those who had received the texts should respond.
Despite Warnings, People Give Info
According to Kelly, even non-members of STAR unwittingly replied to the text message by calling the number and giving information that would compromise their card. As members contacted the credit union and admitted they may have given out personal information, their accounts were immediately blocked. One member had a suspicious $1 transaction charged against his account, which Kelly said likely was a precursor to a much larger fraudulent transaction.
One of the more difficult aspects of the scam was getting the supposed "secure phone line" shut down. Due to number portability, it was difficult to identify the true owner of the telephone line and the carrier. STAR reported the incident to its local police department and the Federal Trade Commission, but Kelly said AT&T had to get involved before the number could be turned off.
Nine days after the scam hit the text waves, Kelly reported things have died down after the initial flurry of activity.
"The half-life of this was short-people either responded to the text or deleted it," he said, adding similar text messages were sent to members of Yolo FCU in Woodland, Calif., and SAFE FCU, North Highlands, Calif., in approximately the same time frame.
Asked what lessons can be learned by other CUs as a result of this experience, Kelly said despite numerous warnings about not giving out information text banking is a new enough technology the "immunity" is not yet there.
"The best advice I can give it to immediately post an alert on your web page as prominently as possible," he said. "We got a number of e-mails and phone calls from the alert we posted, and we were able to follow up with an e-mail. We have tried to inform our members in newsletters and statement stuffers that we will never ask for this information, but unfortunately people still fall for it."
