New Trends in Spam/Phishing Tug Right at Your Purse Strings
Everybody (we hope) knows not to click on links, or download attachments from unsolicited emails. No matter how cheap the Cialis/Viagra is, or how much those Russian brides-in-waiting want to talk to you, DO NOT CLICK THAT LINK. Before getting into the new round of communications being sent, let’s start with a brief review of the last few years.
Beyond obvious spam attacks, recent years have seen the rise of much more clever phishing attacks.
A phishing email will often pose as a company or institution that you would trust. It seems this institution is having a problem and needs your assistance in resolving it. Ironically, these problems are often something along the lines of, “We’ve detected potentially fraudulent activity and need you to change your password (or verify your identity), please click here.” In order to resolve this “issue,” they’ll inevitably need something from you, like your account number, or a username and password.
A wise consumer should know that, if your bank detects fraudulent activity, they don’t email you asking for these things. They would most likely call you (phone phishing and social engineering are a whole other can of worms). If you ever believe something is actually wrong, your best bet is to call them… and not at the number listed in the email, but rather the one listed on your statements.
So, none of this should be news to anyone. What I’m actually writing about today is the new trend in phishing emails: reporting cancelled or failed ACH transactions.
What’s an ACH transaction, you ask? Well, how many of you out there have bill payments that automatically draft from your checking account? Or, online payments through your bank’s website? How about direct deposit? Come on, let me see a show of hands… (If you just raised your hand, I also have a bridge for sale that you just may be interested in).
All of those direct-debit payments are transactions made through the Automated Clearing House, or ACH. The ACH is governed by the National Automated Clearing House Association, or NACHA, and the Federal Reserve.
These new phishing emails masquerade as the NACHA and are supposedly reporting to the consumer that one of these transactions has failed. In actuality, the NACHA doesn’t even handle these transactions, but rather governs their use. The NACHA has released a statement, warning people that they are not issuing these emails, and even asking you to forward them to the NACHA:
These fraudulent emails typically make reference to an ACH transfer, payment, or transaction and contain a link or attachment that infects the computer with malicious code when clicked on by the email recipient. The contents of these fraudulent emails vary, with more recent examples including a counterfeit NACHA logo and the citation of NACHA’s physical mailing address and telephone number.
For more info, the bulletin also refers you to the FDIC’s information page on phishing. That site also features some “edutainment” videos from onguardonline.gov. Worth a watch, even if just to laugh and point.
This ACH transaction email is yet another in a stream of increasingly creative tactics being employed to get you to do something ill-advised. If you really want to make someone click a link, making them think their paycheck wasn’t deposited, or their utility bill wasn’t paid, or that payment from their company’s big client failed, may put them in a state of panic. In that state, a user may weigh their options quickly and decide it’s worth the risk to click the evil link.
What does the link really do? I don’t know and I don’t want to. Some of the emails I’ve observed link to an EXE that they call a “self-extracting PDF file.” Others have PDFs or images attached. I’m not touching them with a 10-foot pole. As directed by the NACHA’s announcement, neither should you. Caution your employees, co-workers and customers that these emails are not genuine. They are not missing a paycheck, and they are not going to have their car repossessed for missing a payment. Then again, I don’t know who you work with, so maybe they will… but it won’t be because of what the bogus email reports.
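For anyone who filters mail for their organization, here is an added example (not from the original post or from NACHA) of the checks this lure suggests: an ACH/NACHA failure subject line, a sender whose display name claims NACHA while the address belongs to another domain, and an attachment that is really a Windows executable or is named .pdf without PDF content. The sample messages are constructed inline, and the legitimate domain is an assumption used only for the display-name check.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

LEGIT_DOMAIN = "nacha.org"  # assumed legitimate sender domain, for illustration only
LURE_WORDS = ("cancel", "fail", "reject", "return")

def flag_ach_lure(raw: bytes) -> list[str]:
    """Return findings for a raw RFC 5322 message; an empty list means nothing matched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = str(msg["subject"] or "").lower()
    if ("ach" in subject.split() or "nacha" in subject) and any(w in subject for w in LURE_WORDS):
        findings.append("subject: ACH failure/cancellation lure")
    name, addr = parseaddr(str(msg["from"] or ""))
    if "nacha" in name.lower() and not addr.lower().endswith("@" + LEGIT_DOMAIN):
        findings.append(f"from: display name claims NACHA but address is {addr}")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"MZ"):  # PE/DOS header: a "self-extracting PDF" is an EXE
            findings.append(f"attachment {fname}: Windows executable (MZ header)")
        elif fname.endswith(".pdf") and not data.startswith(b"%PDF"):
            findings.append(f"attachment {fname}: named .pdf but content is not a PDF")
    return findings

def build_sample(sender: str, subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message for the checks above; not a real phishing sample."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = subject
    m.set_content("Please review the attached self-extracting PDF report.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

FAKE_EXE = b"MZ" + b"\x00" * 62        # constructed stand-in for an executable header
REAL_PDF = b"%PDF-1.4\n%constructed\n"  # constructed stand-in for a genuine PDF

if __name__ == "__main__":
    lure = build_sample("NACHA <alerts@mailer.example>",
                        "Your ACH transaction was cancelled",
                        "ACH_report.pdf.exe", FAKE_EXE)
    for line in flag_ach_lure(lure):
        print(line)
```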
Moral of the story: Internet vigilance is always your best defense. Never click links or open attachments from unsolicited emails. If you’re ever in doubt, call the institution that holds your account. A moment of reflection can save weeks, months, even years of aggravation that you may otherwise have to endure if your identity gets stolen.