State rates high in e-mail scams
By Greg Wiles
Advertiser Staff Writer
Hawai'i is near the top of states most often hit with phishing e-mails, or messages seeking to trick people into giving up personal information.
A recent spate of messages pretending to be from local credit unions is the cause. A dozen or more Hawai'i residents were tricked into responding, some having their accounts pilfered, according to interviews with several of the credit unions involved.
The scam e-mails typically get people to click on a link by saying there is a problem with their account or that they will get $50 for filling out a survey. The links generally take people to counterfeit Web sites that ask for names, account numbers, passwords and other information, such as Social Security numbers.
A ranking by Internet Identity, a Tacoma, Wash.-based company that helps companies mitigate problems with the misleading e-mails, said Hawai'i has been a "hot spot" for Web thieves seeking to steal account information by getting people to respond to the messages.
"I would say on a per-capita basis Hawai'i is right at the top, or near the top, as far as being hit," said Rod Rasmussen, director of operations for Internet Identity. "There definitely seems to be a concentration of phishing in Hawai'i."
Since the start of August, Web con-men have sent e-mails purporting to be from at least eight Hawai'i credit unions. While people as far away as Connecticut have reported receiving the phony messages, many more may have been targeted at e-mail addresses pirated from local sites.
"There is a group or groups that are clearly interested in Hawai'i," said Ken Newman, American Savings Bank vice president of security. He said the crooks may believe some of the institutions being targeted may have less-suspecting customers or that the credit unions may not have processes in place to get false Web sites bearing their names taken down quickly.
CLUES HINT AT LOCAL LINK
Anthony Giandomenico, president of Secure DNA, a Honolulu-based network security consulting company, said cyber criminals may just now be getting around to Hawai'i after hitting many Mainland locales. At the same time, though, he believes the person or persons responsible may be in the state.
He and Rasmussen said they didn't have hard evidence to back up their assertion, yet there are traits of the attacks that lead them to think they are locally based. They include perpetrators' knowledge of which companies or institutions are large enough to make it worthwhile to harvest e-mail addresses from and their ability to find names of credit unions to attack.
Those receiving phishing e-mails in recent attacks include dozens of people at The Honolulu Advertiser and thousands at the state Department of Education.
"We've been getting a lot of phishing e-mail," said K. Kim, telecom director for the Education Department. Fortunately for teachers and others, most of this never reaches their regular inboxes because the department employs a company that scans the mail and quarantines fraudulent messages.
Rasmussen said the attackers also may use people who are locally based to pull money from accounts using ATM cards they make. He suspects the phishing perpetrators may be linked with others in Hawai'i who are tied up with identity theft and methamphetamine use. "There's nothing like someone on meth staying up all night and being really meticulous," Rasmussen said.
E-MAILS FROM ABROAD
But for now there's nothing to tie the attacks to local criminals.
Honolulu Police Department Detective Chris Duque said much of the phishing has come from foreign countries. Tracking down phishing criminals remains an extremely difficult task because the criminals can use stolen Internet accounts and computers to find other computers from which they can send fake e-mails and host sham Web pages.
They also can buy e-mail address lists, and software to generate lists.
Credit unions generally agree the attacks will end once people quit responding to the e-mail. Over the past few months they've been trying to teach members to ignore the fake e-mails and to never click on a link contained in one. They tell customers that the credit unions never ask for personal information via e-mail or over the telephone.
"If they stop responding, then the phishing attacks will stop," said Paulette Ito, vice president of marketing and information technology for Hawaiian Tel Federal Credit Union. If criminals are successful, "they just continue to do more of them."
Hawaiian Tel, Honolulu Federal Credit Union, Kauai Community Federal Credit Union and Hawaii State Federal Credit Union were among the first to see the phishing attempts and have members lose money to the scams. Others were more fortunate — Pearl Harbor Federal Credit Union watched others get hit and lined up a vendor it could turn to when an attack came.
That occurred last week, when at least three phishing e-mails were sent using its name. The credit union said that within four hours of the attacks, it was able to get a fake Web site that had been created to collect account information taken down.
It cost the credit union $400 to have the site taken down. Hawaiian Tel Federal Credit Union has a $500 a month contract with a vendor to take down malicious sites linked to phishing e-mails.
"I liken it to a cost of doing business," Ito said.
Credit unions said they try to reimburse people for losses or are checking with their insurance companies to see if this is covered. They also close down victims' accounts and open new ones for them.
But the victims' free pass may change as time goes by and as insurance companies tighten their policies. Credit unions and banks also are moving to increase security with more authentication requirements after federal regulators required them to do so by the end of this year.
Instead of just knowing your user name and password, you may be required to answer a question before you can access your account.
"We're not surprised totally that there's a surge in the phishing activity," said Pauwilo Look, Hawaii State Federal Credit Union spokeswoman. The added authentication "will help to eliminate portions of it."
For now and in the future, education remains the best defense for consumers and credit unions.
"We just need to continually educate people about that," said Mel Chiba, president of Kauai Community Federal Credit Union.
Reach Greg Wiles at email@example.com.