Securityplus Federal Credit Union was recently targeted by what seemed to be a fairly intricate “spoofing” scheme. Spoofing occurs when an intruder attempts to gain unauthorized access to a user’s system or information by pretending to be the user. Our spoofing incident led to a request for $14,500 to be wired to a person at another financial institution.
The technology involved wasn’t overly sophisticated; however, the highly targeted nature of the fraud attempt was unusual. Our controller, who handles wire transfers, was sent what looked to be an email from me. My email address came through our Outlook platform exactly as a legitimate email from a staff member would appear. The email was sent on a Friday at about 12:45 p.m. and, interestingly, I was at an outside meeting at the time. The email was disguised as being sent from a mobile device and used high-pressure language to get our staff person to act quickly to transmit the $14,500 via wire. Fortunately, she checked with me and the funds were never sent.
There were red flags with language and grammar and, frankly, the communication wasn’t written in my voice. Although this type of thing happens all the time, the unique aspect of this was the fact that fraudsters ran a program to make the email look exactly like it came from inside our organization. Plus, the fraudsters used my email address and the email was sent directly to the person I would contact to handle a wire.