The state’s banking commissioner put consumers on the alert last week after learning of an e-mail scam targeting Portland, Maine-based Banknorth Group when a Connecticut Department of Banking employee received one of the e-mails on Jan. 31.
The e-mail is typical of phishing, a type of scam that uses spam e-mail to “fish” for consumers’ personal information, such as account numbers or Social Security numbers. The e-mail typically is sent to many people in hopes of reaching some who actually bank with the institution named in the message – in this case, Banknorth.
The latest scam targeting Banknorth customers appeared as a genuine-looking notice from the bank, offering a new program called PrivacyGuard Identity Theft Protection and asking customers to click a link to reactivate their accounts, according to the Connecticut Department of Banking.
“This is when the warning bells should sound,” said Banking Commissioner John P. Burke in a prepared statement. “Banks or other financial institutions do not ask their customers to provide personal account information over the Internet. If you are a Banknorth customer and have received an e-mail requesting that you reactivate your account, be aware that it is a scam. Do not click on the link provided and do not supply your personal information.”
Banknorth has been the target of several e-mail scams, according to spokesman Jeff Nathanson.
“I would say it’s happening with increasing frequency,” he said.
‘Continuous Education’
The increasing prevalence of e-mail and electronic communication has meant more phishing scams, according to the banking commissioner.
“Unfortunately, these types of e-mail scams have become more frequent as e-mail usage has increased,” Burke said. “The high-tech scammer is savvy in creating e-mails with links to what appear to be genuine Web sites, but instead are fraudulent sites that aim to steal personal information.”
The number of active phishing Web sites has grown by about 24 percent each month since July, according to the Anti-Phishing Working Group, a California-based coalition of companies affected by phishing. About 1,700 such sites were reported in December.
National banks, like Washington Mutual and Citibank, are often the targets of phishing attacks.
Nathanson said during an interview that he wasn’t sure how Banknorth found out about the latest scam. But in the past, he noted, the bank has found out about scams when customers call to see if such an e-mail is legitimate.
“It never is,” Nathanson said.
The Connecticut Department of Banking has received three complaints about phishing since Jan. 1, according to spokeswoman Kathleen Doolan.
Banknorth, like many others, relies on continuing education to help prevent their customers from becoming victims of phishing, which can lead to identity theft. Because phishing is now so common, it would be impossible to warn customers of each individual scam.
“Our approach is one of continuous education,” Nathanson said.
As a result, Banknorth has a link on its Web site directing customers to information about the latest scam and telling them that “under no circumstances will Banknorth ever ask for your account number, PIN, password or any other personal information via e-mail.”
There is also a link to general information about identity theft and fraudulent e-mails. The site contains 10 steps that customers can take to protect themselves, including never providing their personal identification numbers or other personal information in response to an unsolicited request, opting out of pre-approved applications from credit card companies and shredding mail or financial papers that contain personal information.
Banknorth last year also sent mailers to customers with checking account statements informing them of phishing. In addition, it keeps brochures about the subject in its branches.
“The message is always the same,” Nathanson said.
The best way to avoid having personal information stolen is to delete the message, he said.
Waterbury-based Webster Bank has a similar strategy. Last August, the bank sent out physical copies of its guide to protect customers against identity theft. Now, the entire guide is on its Web site.
“[Webster’s] strategy is to make sure customers are aware,” said spokeswoman Meghan Thompson.
When customers log onto Webster’s site, a logo pops up reminding them that Webster won’t ask for personal information like account numbers, user names, passwords or PINs. The identity theft guide also gives tips to avoid becoming the victim of fraudulent e-mails; for instance, customers are instructed to type in Web site addresses themselves and not to click on links in e-mail messages. Those could be disguised as legitimate Web site addresses even though they are not, according to the site.
“We’ve monitored the situation very closely since it became an issue,” Thompson said.
The Department of Banking also sends out warnings to the state’s bank customers. The department sends information or issues a press release every few months, even if no new phishing scams have come to light, Doolan said.
The department also has a Web site dedicated to informing consumers about phishing. The site defines phishing and offers similar advice to that on the banks’ Web sites. The department also advises customers to closely review credit card and bank statements as soon as they are received to make sure there are no unauthorized charges. Additionally, it recommends that banking consumers use up-to-date antivirus software, because some phishing e-mails contain software that can harm computers.
Banknorth is now working with federal authorities to stop the latest spammer. Entities like the Federal Trade Commission work with the Internet service provider that hosted the e-mailer to shut down the Web site.