Category Archives: Phishing

NACHA Phishing Email

History sure is repeating itself an awful lot lately. In a similar vein to the FDIC Phishing Emails I wrote about the other day, now there are malicious messages that claim to be from NACHA, which contain links to what is very likely some form of virus or spyware.

NACHA is the National Automated Clearing House Association (not to be confused with NACHO, a tasty corn chip-based snack). It writes and enforces the operating rules for the ACH network that financial institutions across the country use to move money between accounts; the transactions themselves are processed by the ACH operators (the Federal Reserve and The Clearing House), not by NACHA. Most of what NACHA does is regulatory rather than operational in nature.

Here’s a sample of the email:

From: Information
Sent: Thursday, July 22, 2010 8:27 AM
To: Doe, John
Subject: Unauthorized ACH Transaction

Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

Naturally, the link is fake. In this case it probably executes malicious code on your computer.

Add NACHA to the list with the FDIC and NCUA: none of these organizations contacts individual consumers about their accounts. NACHA doesn’t even handle actual ACH transactions; it sets the rules for the network that does, so it has no “transaction report” to send you and no reason to know your bank account exists.

It’s important to get in the habit of ignoring email. Even when it’s not phishing or scams, ignoring email is a great way to save time (for example, I almost never open anything with “FW:” in the subject line, because they’re almost always dumb).

But when messages like this arrive, you must make sure to never click on the links, even “just to see.” While many phishing messages take you to pages designed to steal personal information, many (if not most) phishing websites now give you a one-two phishing/malware punch: if they can’t get you to enter your account numbers, at least they can hit your computer with some spyware, loaded and executed through an unpatched browser or plug-in before you can even blink. Keeping the browser and its plug-ins patched removes most of the malware half of that punch; not clicking removes all of it.

Coca-Cola Scam on Facebook: what the heck is a ‘Coca-Cola Scam’?

Here’s the latest scam to make its home on Facebook.

A link shows up in one of your friends’ status that says, “I am part of the 98.3% of people that are NEVER gonna drink Coca Cola again after this HORRIFIC video.”

When you click the link, you are given the runaround (the video doesn’t exist at all) until finally you are taken to a poll that asks you to reveal personal information.

It’s almost as if the crooks have figured out how to make money off Facebook before Facebook did (Facebook has attracted billions from venture capitalists, but from what I’ve heard, they’ve yet to actually stumble upon a working business model).

When you’re on Facebook, you simply cannot implicitly trust links, even when posted by a friend. That goes double for links to ‘scandalous’ videos or images, such as the example here. Your friend’s account may have been compromised, or they might be posting links in an attempt to receive some form of payout or reward.

If you’re looking at a shortened URL (one produced by a link-shortening service, so the real destination is hidden behind it), use a site like LongURL to preview it before you go. However, the URL might not necessarily be shortened (as in this case), although you can still use LongURL to preview most sites.

Another way to check is to google a phrase from the link, to see if news of a scam or phishing attack pops up. Again, though, if it’s brand new, the word might not have gotten out yet (and it takes time for things to appear in a Google search anyway).

Whatever you do, exercise caution at all times, and never enter personal information or passwords on any site that you arrived at via Facebook or Twitter. Once you’re logged in, there is no reason to log in again: a page you reached from Facebook that presents another Facebook login form is collecting passwords, not checking them. And there is exactly zero reason to reveal nonpublic personal information to a “poll.”

FDIC Phishing Emails

This has happened before, and it’s happening once again now.

People are getting email messages that claim to be from the FDIC (Federal Deposit Insurance Corporation). This is the entity that supervises banks and insures your deposits so you don’t lose your money if your bank fails. The credit union version is the NCUA (National Credit Union Administration). They both provide nearly identical services.

These emails inform the potential victim that their bank has failed, and that they need to “check [their] Deposit Insurance coverage” by clicking on a link within the message. Naturally, what happens next is that the scammers obtain your account number, password, and other personal information.

You can only use typography to convey emphasis to a certain extent without getting silly, so in lieu of typing the following in 72-point text, I’ll let bold italics do the job:

The FDIC (or NCUA) is never going to contact you via email for any reason, nor will they ever ask you for personal information, account numbers or passwords.

Got it? As Tom Hulce’s Mozart, on his deathbed, pressed F. Murray Abraham’s Salieri in Amadeus, “Do you have it? Do you have it?!”

Good. If you get one of these messages, delete it immediately.

Social network phishing

I read an article the other day about Tweets promising free Twitter followers being a phishing scam.

I’d go into details, but it’s the same old story: you click on a link, which takes you to a website that asks for your Twitter username and password. Once the phishermen have this information, they change the password, lock you out of your own account and use it to perpetuate the phishing attack or to drive people to other scam websites. The same thing happens on Facebook. When one of your friends suddenly can’t seem to write in coherent language and starts shouting about some iffy product or cheap prescription drugs, that’s a sure sign their account has been phished.

The thing that bothers me is how well it seems to be working. Why so much emphasis on increasing your Twitter followers?

If you’re a celebrity, I can understand why you’d end up with over a million followers just on the basis of who you are. If you have a proactive sort of agent, you might even be encouraged to look at your number of followers as a metric of how much “star power” you’ve got.

If you work in the marketing department of a company and have spent six months convincing management that the company really needs a Twitter account, I can understand the desire to get as many followers as possible in a short amount of time.

However, if you’re just somebody who uses Twitter as a communication tool, what reason is there (beyond your ego) for thinking you need to add a hundred random followers (and subsequently falling for this scam)? Unless you’re doing something interesting on the site (telling us what your cat is doing is not one of them), I can’t think of any. For the 99% of us who are “just sorta there,” is there really any advantage to having scads of followers?

You might think this is going to lead into, “What’s the whole point of Twitter, and why don’t you just go outside for once?” but I’ll resist the temptation. Twitter’s neat, and I see the appeal. However, AOL was pretty neat at one time, too.

So have at it—use Twitter. Complain about the cruddy customer service at a store and see how scary-quick they respond to you. See what Pee-Wee Herman and LeVar Burton are up to. But never click on those “add more followers” links, and never, never, ever enter your username and password on a website other than the real Twitter page (check the address bar: it should say twitter.com, not something that merely contains the word “twitter”).

And go outside now and then.

Couldn’t resist.

Fraud Prevention Templates: how financial institutions will and will not contact you.

Financial institutions (FIs) and the Internet: two things that seem to work together so beautifully. How simple is it to check your balance or pay a bill online these days?

At the same time, phishers (phishermen?) have used this fact to commit millions of dollars worth of fraud and identity theft over the past decade. Is there a general rule to be derived here?

You can’t just say “never trust an email or a text from a financial institution,” because credit unions, banks and credit card companies definitely use email. There’s no arguing that point; I personally get most of my bills through email, and I stopped receiving paper statements years ago. It’s safer than postal mail as long as you use strong passwords, keep them to yourself, don’t reuse them on other sites, and change them now and then.

Many FIs also offer services for mobile phones, from “your account is getting low on funds” text message alerts to mobile banking applications for “smart phones.”

So how do you tell the difference between a real email and a phishing attack? That brings us to today’s Fraud Prevention Template:

If an email or text message from a financial institution asks you to click a link to login and “verify” or “reactivate your account,” it is a phishing attack. Delete the message immediately.

FIs just don’t send these types of messages out.

When you open an account, your FI is required to get your personal information. They check this information against national databases to verify it. Once an account is open, they’ve got your information. There is no need to have you verify it online. Any verification is already complete.

Sometimes credit card companies may contact you regarding unusual activity on your card. This is a security feature. However, they also never ask you to verify personal information.

I got a call a while back, after a trip to Florida. An automated message gave the name of the card and said there had been some unusual activity. If I knew where the card was, it said to press “1.” Since the card was right there in my wallet, I pressed “1.” That was the end of the call. At no point did I have to verify personal information.

Of course, this also illustrates how important it is to keep your phone number, mailing address and other contact information current with any FI you have a relationship with.

If you sign up for text message alerts from an FI, you’ll also never be asked to verify or reactivate anything.

In all honesty, if there’s fraud on your account, you will probably be the first to notice it. If someone has your account number and password, your bank or credit union probably won’t know the difference, since they can’t see who is sitting behind that computer. Someone with stolen credentials siphoning a few hundred dollars out of an account won’t even register as suspicious. They won’t contact you—you’ll be the one calling them, asking where your money went.

Finally, if you’re unsure whether or not an email message might be genuine, the way to find out is not to click on that link. Call your FI directly, using the number printed on the back of your card, a number from their actual website (typed in yourself, not followed from the message), or an old-fashioned phone book.

However, I think you can skip that step. When it says “verify” or “reactivate,” it’s phony.

Fraud Alert: CUNA does not contact credit union members.

Reports of a phishing attack using the Credit Union National Association (CUNA) have come in from the Park Hills, Missouri area.

In this scam, victims were contacted on the telephone by an automated message claiming to represent CUNA and telling them their ATM cards had been deactivated. Victims were instructed to enter card numbers and PINs. It’s not known whether anyone fell for it.

CUNA is a trade organization for credit unions. They do not have your account details, or even know your name. They are not a financial institution; there is no such thing as a “CUNA account,” unless you’re a credit union and you’re buying Credit Union Youth Week marketing materials from them.

Never give out card numbers, PINs or other account information to anyone who requests it online or by phone. It doesn’t matter who they claim to be, what the caller ID says, or if it “sounds” like it could be legitimate. It never is. If you’re unsure, hang up and use a verified phone number to contact your financial institution directly.

Valentine’s Day scams: phishing, malware and identity theft.

It doesn’t matter what it is, there’s always a scam based on it.

As February 14th approaches, in addition to the usual horrible rom-com movies and terrible greeting card poetry, there are some specific types of fraud you’ll want to avoid.

Phishing

If you get an email that says your online floral purchase didn’t process and that you need to re-enter your credit card information, it’s a safe bet you’re looking at a phishing message.

The link embedded in this email will take you to a site that might look legitimate, but is really only designed to steal your card information and possibly install malware on your computer. Delete the message with extreme prejudice. If you think it might be legit, contact the company directly using the order confirmation or phone number you already have, not the link in the message, but most likely you’ll find out it was a scam.

It’s another example of how crooks adapt to the situation. 99% of the time, if you received this message, you’d know it was a scam. However, around the middle of February, there are hundreds of thousands of people to whom the phrase “just bought flowers online” applies. When this message goes out, it’s probably going to find a lot of potential victims.

Malware

I dislike e-cards. I really do. I don’t think I’ve opened one since around 1998, actually. To me, they’re either a waste of time (when they’re out of the blue) or a way to say “wanted to technically contact you, but didn’t want to spend $2 on a card and the sound of your voice is like nails on a chalkboard to me” (when they’re sent for holidays and birthdays). In any case, they’re never entertaining or sincere.

They’re also a source of malware infections. When you get an email that says you’ve got an e-card, proceed with caution. If you want to read it, the best thing you can do is contact the supposed sender directly to find out if they actually sent it to you. However, even the e-card sites that aren’t trying to nuke your computer with viruses can still annoy by installing adware. In any case, make sure your virus and spyware protection are up-to-date.

What I do is just delete them outright. If somebody asks, “Hey, ‘ja get that e-card I sentcha?” just reply, “Yeah—it was really great, thanks!” and leave it at that. Most of the time, you’ll be fine.

Identity Theft

People are looking for dates around this time of year, too. If you’re really desperate to have a date on 2/14, I guess my first piece of advice would be to ask yourself some tough questions, but if you can’t get past the idea of being single on V-Day, watch out when it comes to online dating sites.

First, there are fake dating sites designed to harvest credit card and personal information, putting you at risk of fraud. There are also people who post fake profiles in an attempt to lure you into revealing personal information that can be used for identity crimes. Stick with the larger, more well-known sites, use a screen name instead of your real name, and set up a new email account with one of the free web-based providers. That way, you’re covered if they sell your address to spammers, and no weirdos end up with your “real” email address. It makes it easier to disappear.

Don’t trust links to dating sites that arrive in unsolicited emails or via Twitter or Facebook. They are almost never what was promised.

If it were me, I’d probably skip the online avenue altogether and consider attending a social event. Everything from churches to bowling alleys hosts singles events this time of year. Maybe try that; at least you won’t have to give up your credit card numbers.

Phishing Alert: “An unauthorized transaction billed from your bank card.”

Full text:

From: American Bankers Association
Date: Tuesday, January 26, 2010 7:41 AM
To: [incorrect address]
Subject: An unauthorized transaction billed from your bank card

An unauthorized transaction billed from your bank card.

Amount of transaction: $4939.02
Transaction ID: 398-0919604

Please review the transaction report by clicking the link below:

get the transaction report

Letter ID 5220-3934725346-65909286289-61670943682-28564758046-54608776360-66971173579

As usual, the way to respond to this message (assuming you’re not a fraud blogger) is to just delete it after you read the subject line. It’s a fairly obvious phishing attempt, from the disguised link to the large amount of the alleged transaction (which is supposed to make you panic and react without thinking).

The words “get the transaction report” contain a link to a site hosted at “” (as usual, don’t you even dare visit the site!). Now, I don’t know everything about the ABA, but I know this: their website is not hosted in Armenia (“.am”).

I also know another thing about the American Bankers Association: they don’t issue fraud alerts or unauthorized transaction reports to individual bank customers. Notice how it just says “bank card,” without specifying exactly which bank’s card has supposedly been compromised. That’s one of the top five warning signs of phishing.

If you receive the above message or anything similar, it is a phishing attack and you should delete it right away. And keep your cursor away from that link!

Remember that Facebook phishing email? There’s a MySpace version, too.

We all knew it was coming. Below is the full text:

From: Manager Stephan Goldman
To: [incorrect email address]
Date: Thursday, January 07, 2010 9:02:10 AM
Subject: MySpace Password Reset Confirmation!

Hey [incorrect username],

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Your MySpace.

Attached was a file called “” that recipients would be advised to not touch with a thirty-nine-and-a-half-foot pole. Whatever’s in that ZIP file, you don’t want it. Trust me on this.

Once again, social networking sites are never going to email you a new password, and in general aren’t going to email you files at all.
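The sensible way to find out what an attachment like that is, without opening it, is to let a parser describe it for you. The following is an added example for this archive, not code from the original post; the message it builds, the attachment name new_password.zip and the file inside it are constructed stand-ins for the redacted attachment above, and the “executable” inside the archive is a few inert bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that run as code when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "jar", "lnk", "msi", "ps1"}


def extensions_of(filename):
    """Dotted suffixes of a file name, lowercased: 'a.txt.exe' -> ['txt', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(filename):
    """Reasons a bare file name should not be opened (empty list if none)."""
    exts = extensions_of(filename)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"'{filename}' is executable (.{exts[-1]})")
        if len(exts) >= 2:
            # 'new_password.txt.exe' displays as 'new_password.txt' when the
            # desktop hides known extensions, which is the whole trick.
            reasons.append(f"'{filename}' hides the executable behind a double "
                           f"extension (.{exts[-2]}.{exts[-1]})")
    return reasons


def inspect_attachments(raw_message):
    """Parse a raw RFC 5322 message and describe each attachment and why it is
    risky. Zip members are listed from memory; nothing is extracted or run."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_name(name)
        exts = extensions_of(name)
        if exts and exts[-1] == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as archive:
                    members = archive.namelist()
            except zipfile.BadZipFile:
                members = []
                reasons.append(f"'{name}' is not a valid zip archive despite its name")
            for member in members:
                reasons.extend("inside archive: " + r for r in classify_name(member))
        findings.append({"filename": name,
                         "content_type": part.get_content_type(),
                         "reasons": reasons})
    return findings


def build_sample_message():
    """Constructed message modelled on the MySpace lure above. The attachment
    name and its contents are made up; the 'executable' is inert bytes."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("new_password.txt.exe", b"MZ" + b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "Manager Stephan Goldman <noreply@example.com>"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "MySpace Password Reset Confirmation!"
    msg.set_content("Because of the measures taken to provide safety to our clients, "
                    "your password has been changed.\n"
                    "You can find your new password in attached document.\n")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="new_password.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample_message()):
        print(finding["filename"], finding["content_type"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Listing the archive’s member names from memory is safe because nothing is extracted or executed; the same is not true of opening the zip in a file manager, where a double-click on the member runs it. A real mail gateway would also look past the name at the content (the MZ header, macros, scripts), but the name alone already tells you this one goes in the bin.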

Who the heck is “Manager Stephan Goldman”?

Anyway, delete this garbage if you receive it, okay?

Western Union phishing email: “Your Money Transfer Control Number: 590575482”

Here is the full text of an email message I received Wednesday morning:

To: [as usual, not my address]
Sent: Wednesday, January 06, 2010 9:26 AM
Subject: Your Money Transfer Control Number: 590575482

Dear customer,

Thank you for using the Western Union Money Transfer®.

Your money transfer has been authorized and is now available for pick up by the receiver.

Transfers to certain destinations may be subject to further delay or additional restrictions.


Your Money Transfer Control Number [MTCN] is: 590575482

Please use this number for any inquiries.

Date of Order: Wed, 6 Jan 2010 16:26:48 +0100
Amount Sent: $94.50

You can cancel this transfer by using the hyperlink below:

Thank you for using Western Union!


I knew right away this was a phishing email. If I didn’t have these articles to write, I would have deleted it without even looking at the message itself.

Usually, when we think of “phishing,” the first thing that comes to mind is an urgent message that appears to be from a financial institution, instructing us to visit a website and log in to “verify” our account information. This results in revealing personal and account information to someone who will use it for theft (financial, identity or both).

This is a different tactic: make the recipient think a withdrawal is about to be made from their account, and hope they panic and click the link to cancel the transaction.

There is a distinct advantage to this method: when you send a message that claims to come from a financial institution, you usually have to pick one, which limits your potential victims.

For example, if you send out a million messages that look like they came from Chase or HSBC, 90% of your potential victims don’t have accounts at the institution you picked. They recognize it as phishing right away (and will likely recognize your next attempt as such, even if you happen to pick an institution they have a relationship with).

With this Western Union attempt (and its direct ancestor, the PayPal Phishing Email), they take advantage of the fact that anyone can use Western Union. You don’t have to have an account with any particular institution to wire money this way.

Now, I’ve never used Western Union. In fact, at my previous job as a bank teller several years ago (!), I completely weaseled my way out of learning how to use their new Western Union machine, because it arrived during my last two weeks on the job and I didn’t feel like getting into it. Yes, I told them that.

However, a quick look at their website tells me you can wire money online, and I’d be willing to bet that the text of this phishing email is directly taken from a legitimate Western Union message. In fact, the text of the message uses a real website (

The thing is, if you look at where the link actually takes you (hover over it without clicking, or view the message source; the destination is not the same as the text in the message), it’s a website hosted at “” This is a classic phishing-style URL: whatever the address says up front, the part that decides where you land is the registered domain at the end, and here that ends in a country code that has nothing to do with the claimed sender. Like I said, I’ve never used Western Union, and I don’t know much about them. However, I know this much: they’re not based out of Poland (.pl).
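The checks these posts keep coming back to, the displayed address not matching the real destination (this Western Union message and the ABA message hosted at .am), a country-code domain the claimed sender would never use, and the “verify / transaction report” wording from the Fraud Prevention Template, can be run over an HTML email body automatically. The following is an added example written for this archive, not code from the original posts; the sample body, both placeholder hosts in it, and the assumed legitimate domain westernunion.com are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Wording the Fraud Prevention Template post says a real FI never puts in a link.
LURE_PHRASES = ("verify", "reactivate", "transaction report", "cancel this transfer")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs, in document order
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase hostname of a URL, or of bare text that looks like one; '' otherwise."""
    candidate = url_or_text.strip()
    if not candidate or " " in candidate:
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = (urlsplit(candidate).hostname or "").lower()
    return host if "." in host else ""


def registrable(host):
    """Last two labels of a hostname ('www.example.com' -> 'example.com').
    Simplification: ignores multi-label public suffixes such as co.uk, which a
    production tool would resolve with the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def assess_links(html, expected_domain):
    """Return [(href, [reasons])] for every link that trips at least one check.

    expected_domain is the registrable domain the message claims to come from;
    the caller supplies it, because the message cannot be trusted to say so."""
    collector = LinkCollector()
    collector.feed(html)
    expected_tld = expected_domain.rsplit(".", 1)[-1]
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        if not real_host:
            continue  # mailto:, relative links and the like are out of scope here
        reasons = []
        shown_host = host_of(text)
        # 1. The link text shows one address but the href goes somewhere else.
        if shown_host and registrable(shown_host) != registrable(real_host):
            reasons.append(f"text shows {shown_host} but link goes to {real_host}")
        # 2. The brand's domain is only a subdomain of someone else's domain,
        #    or the link is not under the expected domain at all.
        under_expected = real_host == expected_domain or real_host.endswith("." + expected_domain)
        if expected_domain in real_host and not under_expected:
            reasons.append(f"{expected_domain} appears inside {real_host} but is not its registered domain")
        elif not under_expected:
            reasons.append(f"{real_host} is not under {expected_domain}")
        # 3. Country-code TLD (.am and .pl in the posts) the claimed sender does not use.
        tld = real_host.rsplit(".", 1)[-1]
        if len(tld) == 2 and tld != expected_tld:
            reasons.append(f"link host ends in country-code TLD .{tld}")
        # 4. Link text that matches the Fraud Prevention Template's tells.
        hits = [p for p in LURE_PHRASES if p in text.lower()]
        if hits:
            reasons.append(f"link text uses phishing wording: {', '.join(hits)}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample body modelled on the Western Union and ABA messages above.
# Neither phishing host is real; they stand in for the .pl and .am hosts the posts redact.
SAMPLE_HTML = """
<p>You can cancel this transfer by using the hyperlink below:</p>
<p><a href="http://westernunion.com.transfer-cancel.pl/cancel?mtcn=590575482">https://www.westernunion.com/cancel</a></p>
<p>Please review the transaction report by clicking the link below:</p>
<p><a href="http://bank-card-report.am/tx/398-0919604">get the transaction report</a></p>
<p><a href="https://www.westernunion.com/">Western Union</a></p>
"""

if __name__ == "__main__":
    for href, reasons in assess_links(SAMPLE_HTML, "westernunion.com"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The legitimate third link passes every check, which is the point: the script flags the mismatch between what the message shows and where it goes, not the brand name itself. Check 2 is deliberately written so that a real subdomain of the expected domain is accepted while the expected domain buried inside someone else’s hostname is not.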

I wonder what happens if you follow that link—does it try to steal personal information, or does it install malicious software (or both)? I sort of wish I had a junk computer to try it out on. I’d probably just enter rude words in all the “name” and “address” fields.

I’m sure this message has been received by thousands of people already. It’s trickier than the usual “verify your information” attempt, and I’m sure the success rate will be much higher, unfortunately.

As usual, though, there are lots of telltale signs that something isn’t quite right. When you get these messages, just take a moment to relax and think about it, and you’ll be fine.