Earlier this week on January 18, the US Federal Deposit Insurance Corporation (FDIC) issued its tenth special alert for 2011 (SA-10-2011). Its summary provides an excellent explanation for its motivation and the related warning it delivers to banks around the United States:
E-mails fraudulently claiming to be from the FDIC are attempting to get recipients to click on a link, which may ask them to provide sensitive personal information. These e-mails falsely indicate that FDIC deposit insurance is suspended until the requested customer information is provided.
When such e-mails arrive in a user's inbox, they give every appearance of originating from the FDIC itself. These fraudulent messages then make the following claims to their readers:
- The FDIC is working in cooperation with the Department of Homeland Security and with federal, state and local governments
- Working with these other groups, the FDIC has determined that activity on the reader's account violates the Patriot Act, which requires it to terminate deposit insurance for that account
- Deposit insurance will remain suspended until identity and account information are verified through a system named IDVerify
If readers actually click the link to reach the purported IDVerify system, they are asked to enter personal identity details, account access credentials, and other sensitive or confidential data. It is also possible that simply visiting the site will cause malicious software to be downloaded to the user's PC, typically a keylogger that records keyboard activity and sends what it captures (account names, passwords, and other information) to unauthorized third parties without the user's knowledge or consent.
Here's how the FDIC describes the phishing attack present in these messages:
This e-mail is fraudulent. It was not sent by the FDIC. It is an attempt to obtain personal information from consumers. Financial institutions and consumers should NOT access the link provided within the body of the e-mail and should NOT under any circumstances provide any personal information through this media.
Although the details and the institutions involved change from one phishing attack to the next, this case, taken from the most current FDIC Special Alert, shows the pattern behind nearly all phishing attacks: impersonation of an official body or trusted institution, delivery of surprising and disturbing news, and a call to action that offers a handy Web link right inside the message as the way to fix the problem. As convenient as clicking that link may seem, both we and the FDIC insist that it is something to be absolutely and resolutely avoided. If you suspect the message might be genuine, contact the institution through a channel you already trust, such as the phone number on your statement or the Web address you normally type into your browser, never through anything contained in the message itself. The only way to escape being fished is not to bite at the hook, and when being phished, not to click the link!
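The three markers just described (a trusted sender that is only impersonated, alarming news, and a link that "fixes" it) can be checked mechanically before anyone is tempted to click. The following Python script is an added example written for this post, not code from the FDIC alert or from KnowBe4. It parses a constructed sample message modelled on the lure described above (the addresses, domains and IP in it are invented) and flags the warning signs a mail filter or a cautious reader would look for: a display name that claims the FDIC while the sending domain is not fdic.gov, anchor text that shows one site while the href points elsewhere or at a bare IP address, and the urgency language the alert quotes. The `LEGIT_DOMAINS`, `URGENCY_TERMS` and `registrable()` helper are simplifying assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the FDIC alert's description; not a real captured message.
SAMPLE_EMAIL = """\
From: "FDIC Deposit Insurance" <alerts@fdic-idverify-notice.example>
To: customer@example.org
Subject: Deposit insurance suspended - action required
Content-Type: text/html

<html><body>
<p>In cooperation with the Department of Homeland Security, the FDIC has
determined that your account activity violates the Patriot Act. Your deposit
insurance is suspended until you verify your identity.</p>
<p>Verify now: <a href="http://203.0.113.10/idverify/login.php">https://www.fdic.gov/idverify</a></p>
</body></html>
"""

# Constructed benign message for comparison: sender, link text and link target all agree.
BENIGN_EMAIL = """\
From: "Bank Newsletter" <news@example.org>
To: customer@example.org
Subject: Monthly statement available
Content-Type: text/html

<p>Your statement is ready. <a href="https://www.example.org/statements">https://www.example.org/statements</a></p>
"""

LEGIT_DOMAINS = {"fdic.gov"}  # assumption: the only domain the FDIC legitimately mails from
URGENCY_TERMS = ("suspended", "terminate", "action required", "verify")  # taken from the lure text


def registrable(host):
    # Crude registrable-domain extraction (last two labels). Assumption: good enough for
    # fdic.gov-style domains; a real filter would use the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Impersonation: display name claims the FDIC, sending domain does not match.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if "fdic" in name.lower() and registrable(sender_domain) not in LEGIT_DOMAINS:
        findings.append(f"display name claims FDIC but sender domain is {sender_domain}")

    # 2. The "handy link": visible text and real target disagree, or target is a bare IP.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registrable(shown_host) != registrable(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(f"link target is a bare IP address {href_host}")

    # 3. Disturbing news / call to action: urgency and threat language in subject or body.
    subject_and_body = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [t for t in URGENCY_TERMS if t in subject_and_body]
    if hits:
        findings.append("urgency/threat language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, raw in (("sample lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(f"== {label} ==")
        for f in analyze(raw) or ["no findings"]:
            print(" -", f)
```

Run on the constructed lure, the script reports all three markers plus the bare-IP target; on the benign message it reports nothing. None of these checks proves a message is phishing on its own, but any one of them is reason enough to follow the FDIC's advice and not click.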
Stu Sjouwerman