SFCU Scams: What Can We Learn By Looking at a Continuing Trend of Localized Phishing?

Back in November of last year, we shared the news that Sidney Federal Credit Union members were being targeted by a phishing attack, and we have evidence that such phishing attacks have continued. As such, let’s review how phishing like this works and (more importantly) how to prevent it from working.

Disclaimer: The following threat isn't Sidney Federal Credit Union's fault, and the local credit union has taken steps to raise awareness to the problem on their website to help their members. Virtually any members of any bank could be targetted by this type of scam; this isn't a reflection on SFCU, but instead it's just showing you how tricky these scammers can get.

To begin, we’ll examine the situation as it is playing out now, which is very similar to how it played out half a year ago.

Just as Before, Fraudulent Text Alerts are Being Used to Spread Malicious Links

Let’s consider the following message:

Similarly to the last time we touched on SFCU’s phishing problem, the message follows a simple strategy: share alarming, but incomplete, “news” with the intended scam victim with the promise of more details on the other side of a link. However, this link is not the official Sidney Federal Credit Union website, which can actually be found at sfcuonline.org.

Likewise, once you visit SFCU’s actual website, they have once again posted a reminder telling their visitors to keep an eye out for these kinds of scams.

Using These Tactics, Cybercriminals Can Steal Banking Credentials (or Any Information They Want)

It’s classic misdirection: give you something to worry about so you are too distracted to think about the alternative explanation—in this case, that someone is trying to take advantage of you.

Think about it for a moment…how do you think you would react if you got a text message, apparently from your bank or credit union, informing you that a transaction that you never approved for a few hundred dollars had suddenly been withdrawn from your account? After the initial shock, you’d probably assume there was some error or misunderstanding that you needed to clear up, and wouldn’t you know it, there’s a link to reach out right there.

Unfortunately, this is precisely what the person or organization responsible is counting on.

By distracting you by alerting you to some urgent issue, they are able to manipulate you into doing precisely what they want you to do. They’ll provide a link that looks close enough to an actual link to a bank to fool someone into clicking through, they’ll attach that link to a website that mimics a bank so they can steal your login credentials, they’ll attempt to phish as many people as possible, they’ll use the stolen credentials to lock the legitimate users out of their accounts and drain them.

The situation is, simply put, severe… and while banks and credit unions commonly feature pretty comprehensive protections to keep their members financially safe, it becomes much harder to do if a scammer’s activity all looks legitimate.

What Can Be Done to Protect Your Bank Account, as Well as All of Your Other Accounts?

There are many steps and best practices that you should put in place to more effectively secure any of your online accounts. Let’s run through them:

Use Secure and Unique Passwords, Exclusively

This is perhaps the most essential security rule we have to offer, simply because so many passwords that have been breached have featured personal information.

• Details of a personal nature, like a pet’s name, your own date of birth, or a mother’s maiden name should not be used as passwords.
• When it comes to your passwords, the longer, the better. A good starting point is from 12 to 16 characters, but if you can, don’t hesitate to make them longer.
• Your passwords should utilize a combination of letters, numbers, and symbols.
• Each account needs to have a unique password that is only used for that account.
• Passwords should be updated periodically, especially when there is evidence that your account may have been compromised.

Protect Your Accounts with Multi-Factor Authentication

We’ll let you in on a secret: passwords really aren’t that effective as a security measure…just consider how often passwords are stolen and used to breach accounts. Supplementing them with additional identity authentication—a practice known as multi-factor authentication—is a great way to boost their security significantly. Many websites and services offer it, and we recommend that you check all of your accounts to confirm that you have it enabled wherever it is an option. 

We also recommend that you utilize a dedicated authentication application, as it is a more secure option than the other methods. This is not to say that you shouldn’t use the other options if an app isn’t an option, we just mean to say that if given the choice, the app is your best bet.

Remain Vigilant

Phishing attacks often come in the form of text messages and emails, frequently framed with some level of urgency. Don’t be afraid to question the communications you receive.

Avoid Unexpected Links in These Messages

In a way, it’s an understandable urge…links are meant to be clicked, so it’s only natural that you would trust a link that you receive in an email or text. We urge you to resist the temptation to do so, and to instead navigate to the provided website separately and log in that way.

For instance, should you get a text that supposedly comes from SFCU, you should open your browser and log into your account—without touching any provided links—to confirm the information that the email is sharing with you. Regardless of what a message provides you with, it is safer to defer to official channels to reach out.

Watch Out for Fraudulent Links

On the subject of links, you should always keep it in the back of your mind that links can easily be manipulated to trick you into exposing your own data.

In the case of Sidney Federal Credit Union, all links will direct to sfcuonline.com, with anything appearing between “sfcuonline” and “.com” giving you immediate red flags. “.com” should also be followed up with a “/”, without exception—”sfcuonline.com.mailru348.co/notascam” would be a spoofed link.

Here’s a brief list of other issues that can be spotted in a URL:

• sfcuonline.com - Safe.
• sfcuonline.com/contact - Safe. Only SFCU could have generated this URL.
• business.sfcuonline.com - Safe. Only SFCU could have generated this URL.
• business.sfcuonline.com/retail - Safe. Only SFCU could have generated this URL.
• sfcuonline.com.activatecard.net - Suspicious! Notice the dot immediately after SFCU’s domain name.
• sfcuonline.com.activatecard.net/secure - Suspicious! Again, there is a dot after the domain.
• sfcuonline.com/activatecard/tinyurl.com/retail - Suspicious! Once again, don’t trust dots after the domain!
• sfcudigital.com - Suspicious! It’s not even the right URL!

Some Simple Cybersecurity Awareness Can Go a Long Way

Whether you’re talking about your personal finances or your business’ cybersecurity, exercising caution will ultimately pay you dividends. We can help in terms of your business, assisting you and your team in integrating security into your business’ everyday processes. To learn more, give us a call at 607.433.2200.