Fraudulent Email Targeting Commonwealth Credit Union Members
Reported May 22, 2008
Commonwealth Credit Union has been made aware that some of our members are receiving a fraudulent email claiming to be from us. This phishing email indicates that we have established a special message that can be accessed by following a link embedded in the email. The link leads to a page that appears to be a Commonwealth Credit Union home banking login screen and asks for a member ID number, PIN, and for the member to type in the random code.
This is a fraudulent phishing email and is NOT from Commonwealth Credit Union. There are several ways to identify this as a scam. First, there is no security “lock” icon on the screen to indicate that the login screen is a secure site. The address of the page also begins with http instead of https, indicating this is not a secure site. Commonwealth Credit Union’s Home Banking site is a secure site on a secure web server.
Second, the “random code” that appears is identical each time the link is clicked (f 92ts). The random code that appears on our site is a true random code that changes each time the page is accessed.
Third, the “security key” is missing from this page. The security key is a special codeword that our Home Banking users create for themselves and which appears on the screen when they access the site. This is another of the multi-factor authentication devices that we have implemented to help our members avoid fraudulent email phishing scams like this one.
When receiving emails like this, keep in mind that Commonwealth Credit Union does not send out emails with embedded links that ask you to enter your specific member information, PIN, etc. Also, although the embedded link in this email appears to be from www.ccuky.org, a simple way to check this is to place your mouse over the link and let it hover there a moment. The true address of the link will pop up. What you see is not always what you get!
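The hover check and the http/https check described above can also be run over a saved HTML email. The following Python is an added example, not part of the original advisory or any Commonwealth Credit Union tooling; the sample HTML and the destination host phish.example.net are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the visible text mimics the link shown in the scam email,
# while the href is a made-up placeholder destination (phish.example.net).
SAMPLE_HTML = """
<a href="http://phish.example.net/ccuky/Login.htm">https://www.ccuky.org/Login.htm</a>
<a href="https://www.ccuky.org/">Commonwealth Credit Union</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Return the lower-cased host if value looks like a URL or bare domain."""
    candidate = value if "://" in value else "//" + value
    host = urlsplit(candidate).hostname or ""
    return host.lower() if "." in host and " " not in host else ""

def audit_links(html):
    """Return (href, shown_text, findings) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        findings = []
        real, shown = host_of(href), host_of(text)
        if urlsplit(href).scheme != "https":
            findings.append("not https")
        if shown and shown != real:  # what you see is not where you go
            findings.append(f"text shows {shown}, link goes to {real}")
        if findings:
            report.append((href, text, findings))
    return report
```

Only links whose visible text itself looks like an address are compared, so ordinary link text such as "Commonwealth Credit Union" is not flagged for a mismatch.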
Our sincere thanks to the members who forwarded this email to us so that we can warn our other members about this phishing scam. If you ever have any doubt or concern about any email communication you receive from us, please feel free to contact us at our published phone numbers: 800.228.6420 or 502.564.4775.
*****TEXT OF THE SCAM EMAIL APPEARS BELOW*****
Dear Commonwealth Credit Union Member,
You have one new message at Commonwealth Credit Union.
In order to read the message click the link below to login at
CU@Home Account and access your MAIL section:
https://www.ccuky.org/Login.htm
© 2008 Commonwealth Credit Union.
PO Box 978, Frankfort,KY 40602-0978
If you responded to the above email, notify us immediately. In addition, you may want to do the following:
- Log on to www.ccuky.org and click on Security Alert. This will take you to the Identity Theft Coach, a link to the Federal Trade Commission (FTC) website, and a link to the following publication: Identity Theft Kentucky Victim Kit at http://ag.ky.gov/consumer/identity. You may also refer to the following website: www.consumer.gov/idtheft. These resources can provide you with step-by-step assistance in handling identity theft, such as the following:
- Contact one of the three major credit bureaus and request that it place a “fraud alert” and a “victim’s statement” in your credit file. (The bureau you contact will notify the other two bureaus of the fraud alert.) The following are the phone numbers of the three national credit bureaus:
  - Equifax (800) 525-6285;
  - Experian (888) 397-3742; and,
  - Trans Union (800) 680-7289;
- Request from the credit bureaus a free credit report. Credit bureaus must provide a free credit report if you believe the report is inaccurate due to fraud;
- Review the credit reports in detail to determine if any fraudulent accounts have been established. Determine if any unknown inquiries have been made. Unknown inquiries may be indicators of someone attempting to establish a fraudulent account;
- Contact all financial institutions and creditors where you have accounts. Request that they restrict access to the account, change any password or close the account altogether, if there is evidence that the account has been the target of identity theft;
- File a police report to document the crime; and,
- Contact the Federal Trade Commission Identity Theft Hotline at (877) ID-THEFT (438-4338). The FTC puts the information into a secure consumer fraud database and shares it with local, state and federal law enforcement agencies.
