Fraudulent E-Mails Claim to Be From the FDIC

Con artists know that people trust the FDIC name. That's why the FDIC wants you know that, in recent months, thieves have used our name in fraudulent e-mails trying to obtain valuable information from consumers and businesses.

In some examples, e-mails appearing to be from the FDIC encouraged recipients to click on a link to "enroll" in an "FDIC protection system" to insure bank accounts. Once on that next page — a fake FDIC Web site — people were directed to provide confidential information about their online bank account. Other fraudulent e-mails claiming to be from the FDIC asked consumers to download software supposedly needed to prevent online banking fraud. In fact, doing so would install malicious software that can collect confidential information used to access online bank accounts or steal identities.

How can you protect yourself from these fraudulent e-mails? "First, remember that the FDIC does not e-mail consumers to request personal information nor does it provide software for banking or security purposes," explained Michael Benardo, manager of the FDIC's financial crimes section. "If you get this sort of e-mail appearing to be from the FDIC, you should assume that it is fraudulent."

To report a fraud or get additional information, send an e-mail to the FDIC financial crimes unit at alert@fdic.gov or call the FDIC toll-free at 1-877-ASK-FDIC (1-877-275-3342).

Beware of Phone-Based "Vishing" Scams

The FDIC has warned numerous times about "phishing" scams in which crooks send e-mails claiming to be from legitimate financial institutions, companies or government agencies asking consumers to "verify" or "re-submit" confidential information such as bank account and credit card numbers, Social Security Numbers, passwords and personal identification numbers. (The term "phishing" is a high-tech variation of the concept of "fishing" for personal information.) Now, the FDIC wants you to know about "vishing," which stands for "voice phishing."

In the typical vishing scam, consumers receive an e-mail supposedly from a financial institution or government agency asking them to call a phone number to provide bank account and other "needed" information using their telephone keypad. Once entered into the automated response system, the information can be used by the crooks to gain unauthorized access to bank accounts or commit identity theft.

The bottom line: Don't call telephone numbers provided in unsolicited e-mails to provide personal identification. When in doubt, contact your financial institution using the telephone number provided in your monthly statements or on the back of your credit or debit card — NOT the number listed in the e-mail.

New Safety Procedures for Internet Banking

Here is both a reminder to Internet banking customers be on the lookout for new safety procedures required by the federal government, and a warning that fraud artists may try to take advantage of the situation to trick consumers into divulging valuable personal information.

As previously reported in FDIC Consumer News, starting January 1, 2007, new federal guidelines will require banks to protect high-risk Internet services by using more than just passwords to identify real customers from hackers. Banks will have a variety of options, some of which will operate behind the scenes, but others will be noticeable to customers, such as using "tokens" that generate a unique access number for each Internet transaction or requiring answers to detailed questions before giving access to an account.

"Whatever system your bank chooses, it will most likely contact you by letter or e-mail to advise you of the enhanced security procedures and what you may need to do," said Jeff Kopchik, a Senior Policy Analyst for technology issues at the FDIC.

In that regard, the FDIC and other banking regulators are concerned that thieves posing as bankers will e-mail or call consumers asking them to "enroll" in the new security program by providing personal information (such as a password) or clicking on a link in an e-mail that appears to be legitimate but actually gives the crooks the ability to spy on a personal computer. "Don't be fooled by these e-mails or phone calls," Kopchik said. "Your bank will never contact you to ask for your password because it already knows that information. You also should always go to your bank's Web site by typing in the correct Internet address yourself, not by following a link in an unsolicited e-mail, which may be fraudulent."

For more about the new guidelines, see our report in the Winter 2005/2006 FDIC Consumer News, online at www.fdic.gov/consumers/consumer/news/cnwin0506/procedures.html.