Target Data Breach “Black Friday”
Information below regarding this data breach:
Was my card included in the Target compromise I heard on the news?
We have issued a new card to to members who may have had their cards compromised.
Should I go ahead and block my card now?
Be aware that the block will be effective immediately. It will take about a week to 10 days for you to receive a new card. It may be more convenient for you to keep your card active and keep checking your CPCU account on eBranch for fraudulent charges. Call us if you spot suspicious activity.
When did the Target Data Breach happen?
Members who shopped at Target between November 27 and December 15 should check their statements for unusual activity and notify CPCU if they suspect fraudulent charges.
Am I liable for fraudulent charges?
No. You will have $0 liability for any potential fraudulent charges that may be attempted on your Visa Debit Card or Visa Credit Card. CPCU will also continue to watch your debit and credit transactions and will contact you if we spot a questionable transaction.
Please contact a CPCU employee at your local branch office or call the CPCU toll-free number 800.865.0445 if you see anything of concern on your account.
Target has also advised their customers to check their statements carefully. In their official statement they asked that those customers who see suspicious charges should report them to their credit union/bank or credit card company and call Target at 866-852-8680 to report it.
Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID®. To receive an activation code for this service, go to www.creditmonitoring.target.com
CPCU does NOT TEXT members with account information nor about Account Closures. Please do not click on the link or call the phone number included in these suspicious texts should you receive one. Feel free to call your local branch if you are concerned about any TEXT messages you may receive pretending to be from CPCU.
"Avoiding getting trapped by a text message scam is possible by following some simple advice. First, people should always remember that financial institutions do not ask for personal information in emails or text messages. Second, they should always check the apparent sender identity — many times, the false text messages are directed at a wide range of people who live in the region of a financial institution, and many consumers receive a notice of account closing from a bank at which the receiver has never had an account. Third, individuals should never contact a financial institution using a link or phone number in an SMS message or email; instead, they should find the contact information published on the bankcard or in the phone book. Fourth, news sources and cell phone carriers are often quick to publish reports of scams when they hit, so keeping an eye out can help people recognize scams and ignore such messages."
For the full article go to: http://www.wisegeek.org/what-is-a-text-message-scam.htm
Carolina Postal Credit Union is committed to protecting your accounts and your personal information. Occasionally, we receive safety and security tips that go beyond having an account at CPCU. On this page, you will find various topics that are about protecting you - our member.
Federal Financial Institutions Examination Council (FFIEC)
Online Security Guide
If you use online banking, mobile banking, or other internet banking services as a consumer or as a business, you will be interested to know that six federal financial industry regulators have recently teamed up to make all of your personal and business accounts more secure. New supervisory guidance from the Federal Financial Institutions Examination Council (FFIEC) will help credit unions (and banks) strengthen their vigilance to assure that your accounts are properly secured and to make virtually all types of online transactions safer and more secure.
Consumer Guidance: Account Authentication & Online Banking
Multi-factor authentication and layered security are helping assure safe internet transactions for financial institutions and their members/customers.
Business Guidance: Risk Assessment & Layered Security
New financial standards help credit unions, banks and business account holders make online banking safer and more secure from account hijacking and unauthorized funds transfers.
Internal Assessments at Carolina Postal Credit Union
The new supervisory guidance offers ways we can look for anomalies that could indicate fraud. Carolina Postal Credit Union has conducted a comprehensive risk-assessment of its current methods with regards to the following:
- changes in the internal and external threat environment
- changes in the customer base adopting electronic banking
- changes in the customer functionality offered through electronic banking, and
- actual incidents of security breaches, identity theft, or fraud experienced by others in the financial services industry.
Whenever an increased risk to your transaction security may warrant it, Carolina Postal Credit Union will be able to conduct additional verification procedures or layers of control such as:
- utilizing call back (voice) verification, email approval, or cell phone based identification
- employing member verification procedures
- analyzing banking transactions to identify suspicious patterns
- establishing dollar limits that require manual intervention to exceed a preset limit
Your Protections Under “Reg E”
Financial institutions are required to follow specific rules issued by the Federal Reserve Board, known as Regulation E, for electronic transactions. Reg E covers all kinds of situations revolving around transfers made electronically. Under the consumer protections provided under Reg E, you can recover internet banking losses according to how soon you detect and report them.
What the Federal Rules of Reg E require:
If you report the losses within two (2) days of receiving your statement, you can be liable for the first $50. After two (2) days, the amount you can be liable for increases to $500. After sixty (60) days, you could be liable for the full amount. Details of your rights are included on each account statement.
Knowing how fraudsters may try to trick you and understanding the risks is critical to safe online banking. You can take further steps to protect yourself and make your computer safer by installing and regularly updating:
- anti-virus software
- anti-malware programs
- firewalls on your computer
- operating system patches and updates
Additional steps include:
- create strong complex passwords that contain both CAPITAL and small letters, numbers and any allowed special characters
- if you think you may have visited a website with malware or if you think your computer may be infected with a virus, do not access your online banking or other sensitive logins until you have scanned your computer and know it is is clean and virus free
Understand the Risks
FFIEC studies show significant increase in cyber threats. Not only do fraudsters continue to deploy more sophisticated methods to compromise security measures, they now manufacture computer hacking kits to sell illegally to less experienced fraudsters.
Corporate Account Takeover (CAT)
Corporate Account Takeovers have increased every year, representing losses of hundreds of millions of dollars. When a Corporate Account Takeover (CAT) occurs, legitimate login credentials are stolen by computer hackers, and fraudulent transfers (ACH or Wire Transers) are completed before the business account owner knows what happened.
Layered Security for Increased Safety
Layered security is characterized by the use of different controls at different points in a transaction process, so that a weakness in one control area is compensated by a strength in another control area.
Layered security can substantially strengthen the overall security of online transactions by protecting sensitive customer information, preventing identity theft, and reducing account takeovers with their resulting financial losses.
Added layers of security allow your bank to authenticate customers and detect and respond to suspicious activity related to initial login and then reconfirm this authentication when further transactions involve transfers of funds or higher risk actions.
Examples of Layered Security for Businesses
For business accounts, layered security can include enhanced controls for system administrators who are granted privileges to set up or change system configurations, and control access privileges and application functions or limitations for their own staff and users. Added layers can include:
- fraud detection and monitoring systems that include consideration of your transaction history and behavior
- dual customer authorization through different access devices
- out-of-band verifications for certain transactions
- “Positive Pay” debit blocks or other techniques that limit transactions
- transaction value thresholds that restrict the number or amount of transactions for a set time frame
- Internet Protocol (IP) reputation-based tools
- policies and procedures for addressing customer devices that have been potentially compromised, or for detecting customers who may be facilitating fraud
- account maintenance controls over activities performed online or through customer service channels.
Recommendations for Business Accounts
- conduct periodic assessments of internal controls
- use layered security for system administrators
- initiate enhanced controls over high-dollar transactions
- provide increased levels of security as transaction risk increase
If You Have Suspicions
If you notice suspicious activity within your account or experience a security related event (such as a compromised PIN or Password, known or suspected infection of computer or network by viruses or malware, etc) please contact us immediately, and you will be directed to credit union employee who can assist you with these matters.
Information Regarding Cyber Attack at SOUTH CAROLINA Department of Revenue:
The SOUTH CAROLINA Department of Revenue announced on October 26, 2012 that approximately 3.6 million SOUTH Carolina Social Security numbers and 387,000 credit and debit card numbers have been exposed in a cyber attack.
Anyone who has filed a SOUTH Carolina tax return since 1998 is urged to take the following steps:
1. Call 1-866-578-5422 where you will enroll in a consumer protection service.
2. Then you will determine if you wish to have an online or US Mail alert mechanism.
3. For the online service, visit www.protectmyid.com/scdor.
For the US Mail service, you will receive notifications via the US mail.
The OFFICIAL website for the SOUTH CAROLINA Department of Revenue is http://www.sctax.org/security.htm
Please continue to check the official SC DoR site for updates.
ALERT - new SCAM claiming that President Obama will pay your utility bills through a new federal program!!! NOT TRUE
Never provide your social security number, credit card number, credit union account numbers or banking information to anyone who calls you, regardless of whom they claim to be representing.
If you receive a call claiming to be your utility company and feel pressured for immediate payment or personal information, hang up the phone and call the customer service number on your utility bill.
For more information go to: http://charlotte.bbb.org/article/bbb-warns-new-scam-claims-president-obama-will-pay-your-utility-bills-35130
DEBIT CARD SCAM ALERT: A current scam in our area consists of members receiving an automatic phone call telling them that their Debit Card has been "De-activated". It then asks that they call a phone number and give their debit card number and other personal financial information. If you received one of these calls and did NOTHING you are fine. If you received one of these calls and returned it leaving your personal information please contact us immediately! For more information click here.
ALERT: SMiShing Attempts Take Aim at Credit Union Members Nationwide
A SMiShing* scam targeting credit union members nationwide tells recipients their credit or debit card has been locked or deactivated and instructs them to call a phone number. The text message falsely claims to be from a credit union. All of the text messages include the first four digits of the named credit union’s debit card BIN, and a phone number to call.
If you receive such a message, do not call the number or reply to the text. Never give out your personal information in response to an e-mail or text. If issues ever arise relating to your debit or credit card — or if you have concerns about your card status — call only the number(s) listed on the back of your card OR call CPCU immediately.
*What is SMiShing? (from Wikipedia.com)
In computing, Smishing is a form of criminal activity using social engineering techniques similar to phishing. The name is derived from "SMs phISHING". SMS (Short Message Service) is the technology used for text messages on cell phones.
Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a web site URL, however it has become more common to see a phone number that connects to automated voice response system.
This is an example of a (complete) smishing message in current circulation: "Notice - this is an automated message from (a local credit union), your ATM card has been suspended. To reactivate call urgent at 866-###-####."
In many cases, the smishing message will show that it came from "5000" instead of displaying an actual phone number. This usually indicates the SMS message was sent via email to the cell phone, and not sent from another cell phone.
This information is then used to create duplicate credit/debit/ATM cards. There are documented cases where information entered on a fraudulent web site (used in a phishing, smishing, or vishing attack) was used to create a credit or debit card that was used halfway around the world, within 30 minutes.
FAKE Postal Money Orders
There has been a increase lately in fake Postal Money Orders - especially when purchasing or selling items through the internet. To verify a postal money order, call the Money Order Verification System at 1-866-459-7822. If you suspect fraud, call the U.S. Postal Inspection Service at 1-877-876-2455 (select option 4). For more tips on Postal Money Orders click here.
Beware Fraudulent Emails
The subject line of the e-mail states: “Unauthorized ACH Transaction.” The e-mail includes a link that redirects the individual to a fake Web page and contains a link which is almost certainly an executable virus with malware. Do not click on the link. Both the e-mail and the related website are fraudulent.
Be aware that phishing e-mails frequently have links to Web pages that host malicious code and software. Do not follow Web links in unsolicited e-mails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual.
If malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove malicious code or re-install a clean image of the computer system. Always use anti-virus software and ensure that the virus signatures are automatically updated.
Ensure that the computer operating systems and common software applications security patches are installed and current.
Be alert for different variations of fraudulent e-mails.
= = = = = Sample E-mail = = = = = =
Sent: Thursday, July 22, 2010 8:27 AM
To: Doe, John
Subject: Unauthorized ACH Transaction
Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report
Mystery Shopper Scam It's a new twist on the “fake check” scam: People across the country are receiving letters in the mail-accompanied by fat checks-inviting them to earn extra money as mystery shoppers.
The letter invites you to become a paid mystery shopper in your area, and the letterhead and check appear to come from a legitimate U.S. company. The listed phone numbers, however, originate in a foreign country.
Here's how it works: the letter instructs you to deposit the check- for, say, $3,750-into your checking account, wire $3,150 using a company like Western Union or Money Gram, keep $300 as pay, take out $200 for wiring fees, and use $100 to purchase merchandise.
Then you're told to contact the person named in the letter for further instructions. Sounds like an easy way to make money, right? But if you deposit the check, you'll get a notice from the bank that it bounced. And you're left holding the bag for the $3,750.00 !
Postal Inspectors advise that if you receive this offer, do NOT respond. Instead, report the incident to Postal Inspectors online or call US Postal Inspectors at 1-877-876-2455.
Be careful with your Debit Card.
Officials with the N.C. State Employees Credit Union released an alert warning their members about a scam involving the use of their ATM cards at Raleigh area gas pumps. Carolina Postal CU has NOT had any reports of this impacting any of our members but we wanted to make you aware of the security risk.
How to avoid the ATM 'skimming' scam:
- Use credit, instead of debit at gas pumps to avoid typing in your PIN.
- Use gas pumps that are closest to the station attendant. Skimmers typically put the devices on an outside pump, away from the building.
- When using an ATM, closely examine the card reader area of the machine. Look for devices that appear to be mounted on the exterior of the area, or if there is glue or tape residue around the card reader. If you notice any devices or if the ATM has been tampered with, call your local police.
- Check your financial information, accounts with credit unions and banks; credit and debit card transactions, daily.
Fake TEXT alerts - to consumers informing them that their debit card has been de-activated and asking them to call a phone number to reactivate it.
Anyone who receives an e-mail or text message that appears to be from a credit union or bank that asks for personal account information should consider it to be a fraudulent attempt to obtain their personal account data for an illegal purpose and should not follow the instructions in the e-mail.
CPCU does not ask members for personal information such as your account number, address, PIN, Social Security Number etc. Why would we? We have it already!
If you have received an e-mail or Text message and provided any confidential account information, please notify us immediately.
The phone numbers in the fake Text alert have been de-activated by the Federal Trade Commission for fraudulent activity.
Jury Scam Alert The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest. You say you never received a notice. To clear it up, the caller says he'll need some information for "verification purposes"-your birth date, social security number, maybe even a credit card number.
This is when you should hang up the phone. It's a scam. Click here for the FBI website for more information.
Learn more about Protecting Your Personal & Financial Information!
With all the horror stories about ID Theft, hackers, and compromised data, do you ever wonder just what can you do to protect your personal and financial information? Carolina Postal has partnered with Digital Defense to bring you constant up-to-date free information on the pro-active steps you can take for your own protection. Please click here to learn more about protecting your private information.
Report lost or stolen ATM/Debit Cards:
(704) 392-6457 or (877) 392-6971
Internet/E-Mail Fraud Alert
Unfortunately, there are on-going multiple e-mail fraud attempts, known as "Phishing, that are initiated via e-mail sent to members of the general public that appear to be from different banks & credit unions. This scam e-mail asks for the recipient to click on a link to verify their account registration. If the recipient proceeds to do so, the link directs them to a false website and asks for their credit union account number and PIN, along with other personal information.
CPCU does not ask members for personal information such as your account number, address, social security number etc. Anyone who receives an e-mail that appears to be from CPCU and asks for account information should consider it to be a fraudulent attempt to obtain their personal account data for an illegal purpose and should not follow the instructions in the e-mail.
If you have responded to an e-mail and provided any confidential account information, please notify us immediately.
If you feel that you have received a fraudulent phishing e-mail from CPCU, please forward the entire e-mail message to firstname.lastname@example.org
Additionally, you can file formal complaints concerning any suspected fraudulent e-mail with the Internet Fraud Complaint Center (IFCC) at www.IC3.gov . The IFCC is a partnership between the Federal Bureau of Investigation, and the National White Collar Crime Center.
Store your ATM card in your purse or wallet, in an area where it won't get scratched or bent.
Get your card out BEFORE you approach the ATM. You'll be more vulnerable to attack if you're standing in front of the ATM, fumbling through your wallet for your card.
Stand directly in front of the ATM keypad when typing in your PIN. This prevents anyone waiting to use the machine from seeing your personal information.
After your transaction, take your receipt, card and money away. Do not stand in front of the machine and count your money.
If you are using a drive-up ATM, get your vehicle as close to the machine as possible to prevent anyone from coming up to your window. Also make sure that your doors are locked before you drive up to the machine.
Do not leave your car running while using a walk-up ATM. Take your keys with you and lock the doors before your transaction.
If someone or something makes you uncomfortable, cancel your transaction and leave the machine immediately. Follow up with your credit union to make sure the transaction was canceled and alert them to any suspicious people.
For safety reasons, ATM users should seek out a machine that is located in a well-lighted public place. Federal law requires that only the last four digits of the cardholder's account number be printed on the transaction receipt so that when a receipt is left at the machine location, the account number is secure. However the entry of your four-digit Personal Identification Number (PIN) on the keypad should still be obscured from observation, which can be done by positioning your hand and body in such a way that the PIN entry cannot be recorded by store cameras or store employees. The cardholder's PIN is not recorded in the journal but the account number is. If you protect your PIN, you protect your account.