

Scam Alert - Phishing

Broadcast on NBC


MATT LAUER, co-host:

7:43 now and this morning on our special series SCAM ALERT: IDENTITY THEFT, we're talking about phishing. You open your email every day figuring you'd recognize a fake or a lure if you saw one, but scammers could be reeling in your personal information just by asking you for it. Here's NBC's Kevin Tibbles.

KEVIN TIBBLES reporting:

We've all seen the advertisements, a campaign to raise awareness and fight a crime sweeping the nation--identity theft. It resulted in an estimated $56.6 billion in losses just last year alone. And financial institutions hired Jim Stickley and his company, TraceSecurity, to test their customers' vulnerability to it.

Mr. JIM STICKLEY (TraceSecurity): Let's take the financial institutions, it costs them truckloads if their members or their customers fall victim to these types of scams. On the other hand, if they can bring us in ahead of time, then the problem's solved.

TIBBLES: That's exactly what one company, Numerica Credit Union in Spokane, Washington, is trying to do.

Mr. KELLEY FERGUSON (Assistant VP, Numerica Credit Union): Going proactive for Numerica means educating our members and not having to be reactive to these types of scams.

TIBBLES: It's just another day in the office for Jim, but his assignment is anything but ordinary. He is conducting an unscientific experiment to see if customers are savvy to this common scam.

Mr. STICKLEY: Phishing is when somebody's requesting information from you and that's either your name and your password or some other confidential information, and they're generally doing it under the guise of being something you trust or already have a relationship with, like your bank, something like that.

TIBBLES: They don't call it phishing for nothing, and what the thieves are trying to reel in is your identity and all the vital information that goes along with it, including your bank account.

The test was simple. Numerica provided TraceSecurity with 10 customers that are friends or family of employees. Jim then drafted a letter asking for verification of their account, claiming Numerica is following new security precautions.

Mr. FERGUSON: They formulated what looked to be very valid type of letterhead, although it did not match our letterhead, but it looked real enough and good enough that it could have came from any financial institution.

Mr. STICKLEY: We're asking for Social Security number, driver's license number, name, address, mother's maiden name, I mean everything that makes you who you are and validates who you are is information that we're asking for.

TIBBLES: He created a fictitious Web site, almost exactly like Numerica's actual site with only a slightly different Web address and an additional link called account verification.

Mr. STICKLEY: If people give this information, I mean we can ruin their lives, or at least make it extremely miserable.

Mr. FERGUSON: Best case scenario is nobody responds, everyone comes into Numerica, lets us know that, 'Hey, we're being phished.'

TIBBLES: But the next day a response form was sent in, a customer revealing her Social Security number, address, even her bank account number.

Unidentified Woman (Numerica Customer): Well, I went to Numerica's Web site first and the place where I was supposed to fill it out at was not there, and so I re-read the letter and it said to go to a different Web site, but it was enough like Numerica's Web site that I thought, 'Well, they must have set this up for something special,' so I filled out the information. They would have everything. I mean they could be me.

TIBBLES: Of the 10 letters sent out, three Numerica customers were suspicious of the letter and did report it. The other six did not respond, but even one victim like Kelly is enough to make a crook's efforts worthwhile.

Mr. FERGUSON: You can do such a mass distribution of these types of scams so quickly. Even 1 percent success rate could mean all kinds of profits for the scammers.

Unidentified Woman: It can happen to you, and it probably will happen to you because I grew up in an age where I'm very trusting of people, and so even in this day and age I still find myself being trusting.

TIBBLES: For TODAY, Kevin Tibbles, NBC News, Chicago.

LAUER: Jim Stickley from TraceSecurity has more on what to do and what to watch out for.

Hey, Jim, good morning. Let me just start by saying you had your identity stolen six years ago.

Mr. STICKLEY: I did. I did. I had somebody create a phony account underneath my particular ID and they charged it up and went crazy on it and, of course, never paid it off.

LAUER: When we talk about these Web sites or phone calls or letters that ask for personal information, the rule is a bank will never, ever--or credit card company--ask for that, correct?

Mr. STICKLEY: Yeah. If they're sending out a letter to you, a bank should never ask for the types of things that we were asking for. There is a situation, I mean, for example, you get those pre-approved credit card statements in the mail, in those cases they may ask for some confidential information and that's kind of what makes it so difficult.

LAUER: If you're suspicious, get an email, looks official, if you get a letter, it looks official and you're suspicious, isn't the best rule always err on the side of caution and either don't respond or call the bank?

Mr. STICKLEY: Yeah. And I mean, I prefer call the bank. Let them know you received this because you're not going to upset them. If it's real, they're going to say it's real and you're going to be happy. If it's not, you're letting them know so they in turn can let a lot of other people know and stop it from really propagating out.

LAUER: We looked at that Web site that you created, what's the best way for a consumer to look at a Web site and get the hint as to whether it's real or not real?

Mr. STICKLEY: Oh God. I mean first thing look and make sure it's got the little security certificate, which is https in the upper left-hand side, the little lock in the bottom corner, that's a good sign that you're on the right page. Not a hundred percent. Also, the actual domain name you went to, in this case it was Numerica's, you can look at your ATM card and almost always they're going to have what their domain is, www.xyz or whatever.

LAUER: And if it's even slightly different?

Mr. STICKLEY: Don't go there.

LAUER: All right. And by the way, talk about the average--this is a statistic that was startling me, the average person who has an identity stolen, it takes 600 hours to sort things out.

Mr. STICKLEY: Yeah, it's a long time. It took me over two years to get mine cleaned up.

LAUER: So better safe than sorry.

Mr. STICKLEY: Absolutely.

LAUER: Don't respond. Jim Stickley, thanks so much.

Mr. STICKLEY: Thank you.