E-mail phishing aimed at banking customers

Customers of the DOD Community Bank and other institutions providing financial services to Department of Defense military and civilian personnel were recently targeted with e-mail phishing campaigns which attempted to gather personal and account information.

The e-mail presented itself as originating from the "Military Bank of America" and asked recipients to click a link to update their account information because of an update of Web site features.

According to Bank of America officials, the e-mail was fraudulent and the site has been shut down.

"Alert customers reported this e-mail to the bank and another fraudulent site is closed for business," said Pat Shine, Defense Finance and Accounting Service deputy director for operations. "But these phishing campaigns continue to be a concern and as soon as one fraudulent site is closed, the phishers have opened a new one. From our own online services, such as myPay, to the services offered by our contractors, security of customer personal and account information is our highest priority. This latest attempt to lure customers to give up this information is a great reminder that security is everyone's responsibility.

"Remember, legitimate businesses will not send you an e-mail asking you to go to a Web site to confirm or update account information. When you receive an e-mail like this, delete it," said Mr. Shine. "You are not being specifically targeted. The suspects spam this e-mail message to a large number of e-mail accounts in an attempt to convince unsuspecting victims to respond."

Mr. Shine urged all customers to read and practice the following precautions on fraud prevention:

1. Does the e-mail ask you to go to a Web site and verify personal information? Legitimate businesses will not ask you to verify your personal information in response to an e-mail.

2. What is the tone of the mail? Most phish e-mails convey a sense of urgency by threatening discontinued service or information loss if you do not take immediate action.

3. What is the quality of the e-mail? Many phish e-mails have misspellings, bad grammar or poor punctuation.

4. Are the links in the e-mail valid? Deceptive links in phishing e-mails look like they are to a valid site, but deliver you to a fraudulent one. Many times you can see if the link is legitimate by just moving your mouse over the link.

5. Is the e-mail personalized with your name and applicable account information? Many phish e-mails use generic salutations and generic information (e.g., "Dear Customer" or "Dear Account Holder") instead of your name.

6. What is the sender's e-mail address? Many phish e-mails come from a personal e-mail address, not from the company represented in the e-mail.

7. When in doubt, type it out. If you suspect an e-mail to be phishing, do not click on any links in the e-mail. Type the valid address directly into your Web browser.

"You should never give anyone your user IDs or passwords," Mr. Shine said. "In fact, anyone having suspicions that an e-mail message may not be 'quite right' should contact DFAS if it is about one of our services, or the appropriate commercial business immediately. Only by working together can we make sure information stays as safe and secure as possible." (Courtesy of DFAS)