NCUA / TJ Max Breach

CUNA Mutual alerts credit unions of this risk. Please pass this information on to all appropriate employees. If your credit union has experienced a loss, contact our Credit Union Protection Response Center at 1-800-637-2676.

Details:

A recent phishing e-mail appearing to be from the National Credit Union Administration (NCUA), is targeting consumers', and their fear of security relating to the recent TJX Companies data breach. The false e-mail discusses the TJX Companies data breach, which was made public in January. The breach incidents spanned periods from 2003 through 2006. The phish e-mail gives the wrong dates for the breach and says Visa notified NCUA in January about the breach.

The notice warns that "magnetic strip information was being stored and your PIN may have been captured" and "strongly" urges NCUA's "members" to update their information within the next 48 hours.

This false e-mail asked for the recipient to click on a link to verify their credit union account registration. If the recipient proceeded to do so, the link directed them to a false website and asked for their credit union account number and PIN, along with other personal information.

If you responded to such an e-mail and provided any confidential account information, please notify your credit union immediately of the scheme. You should also change your account’s PIN, and take any additional action recommended by your credit union to protect your account.

Loss Prevention Recommendations:

If you receive an unsolicited email alleging to be from the NCUA, take the following steps:

• Remind your members that NCUA does not ask credit union members for personal account information.
• Anyone who has received a fraudulent phishing e-mail purportedly from NCUA should forward the entire e-mail message to Phishing@ncua.gov.
• Do not open any attachments to the e-mail, in case they contain malicious code that will infect your computer.
• If you have received this, or a similar hoax, please file a complaint at www.ic3.gov.
• Educate your membership on "Phishing."
• Post phishing warnings on your web site, in newsletters, and in your lobby.
• Post a warning on your credit union's web site that you will never solicit personal/private information via e-mail.
• Use the FTC (Federal Trade Commission) web site, www.onguardonline.gov.
• Consumers can take interactive quizzes designed to enlighten them about identity theft, phishing, spam and online-shopping scams.
• Elsewhere on the site, consumers can find detailed guidance on how to monitor their credit histories, use effective passwords and recover from identity theft.
• If members are victims of a "phishing email," take appropriate steps to help protect them.
• Block and reissue the compromised credit/debit cards
• Report to credit bureau
• Order credit report
• A good resource for this topic is Anti-Phishing Working Group at http://www.antiphishing.org
• If you have been victimized by a spoofed e-mail or web site, you should contact your local law enforcement, US Postal Inspector, or FBI.