2011 January 12 by Richard Lester
January 12, 2013 – The Federal Deposit Insurance Corporation (FDIC) has received numerous reports from consumers who received an e-mail that has the appearance of being sent from the FDIC. The e-mail informs the recipient that “in cooperation with the Department of Homeland Security, federal, state and local governments…” the FDIC has withdrawn deposit insurance from the recipient’s account “due to account activity that violates the Patriot Act.” It further states deposit insurance will remain suspended until identity and account information can be verified using a system called “IDVerify.” If consumers go to the link provided in the e-mail, it is suspected they will be asked for personal or confidential information, or malicious software may be loaded onto the recipient’s computer.
This e-mail is fraudulent. It was not sent by the FDIC. It is an attempt to obtain personal information from consumers. Financial institutions and consumers should NOT access the link provided within the body of the e-mail and should NOT under any circumstances provide any personal information through this media.
The FDIC is attempting to identify the source of the e-mails and disrupt the transmission. Until this is achieved, consumers are asked to report any similar attempts to obtain this information to the FDIC by sending information to email@example.com.
For your reference, FDIC Special Alerts may be accessed from the FDIC’s Web site at www.fdic.gov/news/news/SpecialAlert/2011/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.
Sandra L. Thompson
Director, Division of Supervision and Consumer Protection
Distribution: FDIC-Supervised Banks (Commercial and Savings)
Note: Paper copies of FDIC Special Alerts may be obtained through the FDIC’s Public Information Center, 877-275-3342 or 703-562-2200.
2010 November 11 by Richard Lester
November 11, 2013 – All funds in a “noninterest-bearing transaction account” are insured in full by the Federal Deposit Insurance Corporation from December 31, 2010, through December 31, 2012. This temporary unlimited coverage is in addition to, and separate from, the coverage of at least $250,000 available to depositors under the FDIC’s general deposit insurance rules.
The term “noninterest-bearing transaction account” includes a traditional checking account or demand deposit account on which the insured depository institution pays no interest. It does not include other accounts, such as traditional checking or demand deposit accounts that may earn interest, NOW accounts, money-market deposit accounts, and Interest on Lawyers Trust Accounts (“IOLTAs”).
For more information about temporary FDIC insurance coverage of transaction accounts, visit www.fdic.gov.
2010 June 5 by Richard Lester
June 5, 2010 – The term “phishing” — as in fishing for confidential information — refers to a scam that encompasses fraudulently obtaining and using an individual’s personal or financial information. This is how it works:
- A consumer receives an e-mail which appears to originate from a financial institution, government agency, or other well-known/reputable entity.
- The message describes an urgent reason you must “verify” or “re-submit” personal or confidential information by clicking on a link embedded in the message.
- The provided link appears to be the Web site of the financial institution, government agency or other well-known/reputable entity, but in “phishing” scams, the Web site belongs to the
- Once inside the fraudulent web site, the consumer may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer’s mother or the consumer’s place of birth.
- When the consumer provides the information, those perpetrating the fraud can begin to access consumer accounts or assume the person’s identity.
If you suspect an e-mail or Web site is fraudulent, please report this information to the real bank, company or government agency, using a phone number or e-mail address from a reliable source. Example: If your bank’s Web page looks different or unusual, contact the institution directly to confirm that you haven’t landed on a copycat Web site set up by criminals. Also, contact the Internet Crime Complaint Center (http://www.ic3.gov/), a partnership between the FBI and the National White Collar Crime Center.
If you suspect that you have been a victim of identity theft, perhaps because you submitted personal information in response to a suspicious, unsolicited e-mail or you see unauthorized charges on your credit card, immediately contact your financial institution and, if necessary, close existing accounts and open new ones. Also contact the police and request a copy of any police report or case number for later reference. In addition, call the three major credit bureaus (Equifax at 800-525-6285, Experian at 888-397-3742 and TransUnion at 800-680-7289) to request that a fraud alert be placed on your credit report.
Pharming is an attack on personal information used over the internet. A user can be fooled into entering sensitive data such as a password or credit card number into a malicious web site that impersonates a legitimate web site. It differs from phishing in that the attacker does not have to rely on the user clicking a link in an email to deceive the user. Even if the user correctly enters a URL (web address) into a browser’s address bar, the attacker can still redirect the user to a malicious web site.
How can you protect yourself?
Only use pharming-conscious (PhC) web sites. A PhC web site uses a secure connection to prevent other web sites from impersonating it. PhC web sites typically use the HTTPS web protocol on their login page to allow the user to verify the web site’s identity. If an attacker attempts to impersonate a PhC web site, the user will receive a message from the browser indicating that the web site’s “certificate” does not match the address being visited. Users should NEVER click “Yes” in response to such a window because they may be deceived by a pharming attack.
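The certificate warning described above comes from comparing the address the user typed with the names listed in the certificate the server presents. The following added example (not part of the original article, and a simplified illustration rather than any browser's actual code) shows that comparison; the host names and certificate name lists are constructed.

```python
def name_matches(pattern, host):
    """Match one certificate DNS name against the host in the address bar.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.bank.example' covers 'online.bank.example'
    but neither 'bank.example' nor 'a.b.bank.example'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.example' never matches.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def check_visit(typed_host, presented_names):
    """Return 'proceed' if the certificate covers the typed host, else 'block'."""
    if any(name_matches(n, typed_host) for n in presented_names):
        return "proceed"
    return "block"

# Constructed scenario: the user types the correct address both times.
TYPED = "online.bank.example"

# Normal visit: the genuine server presents its own certificate.
GENUINE_CERT_NAMES = ["bank.example", "*.bank.example"]

# Pharmed visit: the name resolved to another server, which can only
# present a certificate issued for names it controls.
OTHER_SERVER_CERT_NAMES = ["hosting.example.net", "*.hosting.example.net"]

if __name__ == "__main__":
    print("genuine :", check_visit(TYPED, GENUINE_CERT_NAMES))
    print("pharmed :", check_visit(TYPED, OTHER_SERVER_CERT_NAMES))
```

The redirect itself is invisible to the user; the name mismatch is the only signal, which is why the warning must not be dismissed.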
On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) released an updated guidance on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes regarding the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies.
The growth of Internet banking and other electronic banking activities as well as the increased sophistication of threats to those environments have resulted in higher risks for financial institutions and their customers. An effective authentication system is crucial for the ability of financial institutions to comply with requirements in order to safeguard customer information. This system reduces fraud and the theft of sensitive customer information, which is often the precursor to identity theft, and promotes legal enforceability of financial institutions’ electronic agreements and transactions.
What is Multi-Factor Authentication (MFA)?
To access many online systems today, users commonly utilize an ID and password combination to identify (authenticate) themselves. This is considered “single factor authentication” because it relies on only one of the three basic “factors” used in authentication methodologies. Multi-factor authentication combines two or more of the following factors:
1. What an individual knows — information that only a person knows (e.g. ID/password, PIN, etc.).
2. What an individual has — something physical and unique a person possesses (e.g. token, smart card, ATM card, individual workstation computer, etc.).
3. What an individual is — a physical attribute unique to a person (e.g. a fingerprint, voice-print, eye-retina structure, etc.).
For additional information and resources regarding Identity Theft, please refer to the following Federal Trade Commission website: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm