Latest phishing scam targets Kaua'i
By Peter Boylan
Advertiser Staff Writer
By Peter Boylan
The Kaua'i Community Federal Credit Union yesterday became the latest Hawai'i financial institution to be targeted by phishing scams that have ensnared six local financial institutions to date.
"We regret to inform you that we had to lock your account access because we have reasons to believe that it may have been compromised by outside parties," said the message addressed to credit union customers from chris@chris man.com. "Click here now to reactivate your account access and confirm your identity by completing the secure form what [sic] will appear."
The Kaua'i credit union joined Hawaii State Federal Credit Union, Hawaiian Tel Federal Credit Union, Bank of Hawaii, First Hawaiian Bank and American Savings Bank as a target of a phishing scam within the past year.
Phishing — fraudulent e-mails sent to trick people into giving personal financial information — is a common practice among identity thieves and is difficult to prosecute, law enforcement officials say.
Honolulu police open 40 new identity theft cases a month, many of which began with phishing expeditions. Police take phishing complaints but do not open investigations unless a victim has lost money.
"We look at the headers to find out where it is coming from," said Detective Chris Duque, who specializes in cyber investigations and is assigned to the Honolulu Police Department's white-collar crime unit.
"If it falls within a jurisdiction where we can serve a subpoena, great. But if it's Lagos, Nigeria, forget it."
Duque added this advice: "Anything you see on the Internet should be like watching TV. Are you going to believe everything you see on TV? You have to use some common sense."
The problem continues to grow, but where some of the past messages were obvious scams coming from Europe or Africa soliciting help, recent messages appear to be more legitimate.
The e-mails look official, with logos of the institutions and requests to change passwords or confirm or update information.
"The best way to combat this stuff is education," said Edward A. Arias, supervisory special agent of the FBI Honolulu division's drug and cyber squads. "The bank is not going to send you an e-mail requesting your account or routing number and all kinds of personal information.
"Don't respond to any e-mails requesting personal information even if it seems like it is coming from a legitimate site. And don't open e-mail attachments or e-mails from people you don't know. It's a recipe for disaster."
The scams also present a problem for the institution named in the message.
Pauwilo Look, spokeswoman for the Hawai'i State Federal Credit Union, said remedying phishing schemes can tie up resources and manpower while frustrating customers.
"There is the internal mechanism that has to occur, getting security officers involved, notifying the proper sources and having it (the bogus collection site) disabled in a timely fashion," Look said.
The Kaua'i credit union placed a warning yesterday on its Web site, informing customers about the fraudulent message.
The Anti-Phishing Working Group, which tracks fraudulent e-mails and their trends, reported more than 20,109 phishing complaints nationwide in May, up from 17,490 in April.
Investigating phishing schemes is labor intensive, complicated, and rarely fruitful since the majority of the messages originate overseas, beyond the jurisdiction of local, state and federal law enforcement officers.
"If you have someone who is the victim of a phishing e-mail scam, the investigator is going to need the victim to save a copy of the e-mail because you need the e-mail header to trace the (Internet service provider) address in the header," said City Deputy Prosecutor Christopher Van Marter, who prosecutes identity theft cases.
"You'll trace it back and it (the bogus message) will go through three to four e-mail networks before it gets to the original computer, and that computer may be located in the U.S. or a foreign country. Then we have to subpoena the records of the Internet service provider who handles the computer (where the message was made), and then you may or may not have a suspect, and you have to place the suspect at the computer when the e-mail was created and when it was sent out.
"I would say this is a huge problem for law enforcement and financial institutions who are suffering huge financial losses as a result of this scam."Advertiser Staff Writer Greg Wiles contributed to this report.
Reach Peter Boylan at email@example.com.