Bridgeport-based People’s Bank was the latest target of a scam after fraudsters recently sent e-mails appearing to be from the bank to Connecticut residents that asked them to provide personal information.
But no People’s customers have contacted the bank to say they’ve fallen for the scheme. Bank executives say they believe that could be because of the education they have provided to their customers.
The scam – which is called “phishing” – is common and has happened to most of the country’s big financial institutions. Scammers send e-mails appearing to be legitimate messages from financial institutions to hundreds or thousands of addresses and hope to hit some of the institutions’ actual customers. The messages usually include a link to another Web page – which also appears legitimate – asking people to fill in personal information, such as passwords or bank account numbers.
The practice is increasingly common and the scammers don’t only target banks and credit card companies; Internet companies like eBay and PayPal also get hit regularly. According to the Anti-Phishing Working Group, a California-based coalition of companies affected by phishing, there were 2,854 active phishing sites reported in April. The average monthly growth rate of phishing sites from July 2004 through April of this year was 15 percent, with 79 brands hijacked by phishing campaigns in April.
Providence, R.I.-based Citizens Bank, which has branches in Connecticut, was hit by phishers that month. According to the Anti-Phishing Working Group, a fraudster sent e-mails asking people to click on a link and fill out a customer survey. The link asked people to answer some questions, then to fill in the number of their ATM/debit card, along with the personal identification number.
‘The First Flag’
Phishing reports have made it into the media with increasing frequency, and many financial institutions provide education for their customers. At People’s, customers have access to brochures on phishing in the bank’s branches and information on the bank’s Web site.
The People’s brochures specifically explain that a bank would never ask for a customer’s personal information over the Internet.
“That should be the first flag to tell someone that there’s something wrong with the message,” said Brent Digiorgio, a spokesman for People’s.
People’s also runs a statewide program called Triad. Senior citizens are often more likely to fall victim to scams like the one that hit People’s, so the bank teams up with local law enforcement and senior citizens’ organization to educate seniors about such scams.
And bank executives believe the education has worked. After receiving word that a phisher had targeted People’s Bank customers, the bank started to monitor its call center to see if there were any complaints or claims. So far, there have been none, Digiorgio said.
“I think so many people are aware of this phenomenon now that they’re exceedingly cautious,” he said.
When the People’s Bank customers were targeted by the phishers earlier this month, the state Department of Banking quickly sent out an alert.
“It has recently come to my attention that Connecticut residents have received e-mails that appear to be from People’s Bank requesting personal financial information,” said Banking Commissioner John P. Burke in a prepared statement. “These e-mails are, in fact, scams. I cannot stress enough that financial institutions would never ask you to provide such personal information over the Internet.”
According to the banking department, the e-mails targeted clients of People’s Bank and indicated that, for security purposes, the profile the customers were using to access online banking was locked. To unlock their profile, the customers were asked to provide personal information, including ATM or Visa Check Card numbers, PINs and Social Security numbers.
The e-mail address and the design and graphics on the Web site seemed genuine, according to the department.
“However, be skeptical of any unsolicited e-mail which asks you to provide your personal account information, and contact your financial institution at once,” Burke said.
The Department of Banking was the first to find out about the People’s scam, and it notified the bank. People’s has been working with the Federal Bureau of Investigation and the Secret Service to stop the messages, Digiorgio said.
After the attack, People’s posted a note about it on the bank’s Web site, along with the address to a Web site that would tell people whether a site was really from People’s.
“Phishing” attacks are so named because the senders are “fishing” for recipients’ personal information. The substitution of “ph” for “f” is said to be a nod to an early form of hacking known as “phreaking,” according to the Anti-Phishing Working Group.