Honolulu police are warning consumers and local banks about a new wave of out-of-state cybercriminals bent on stealing financial information and money in a scam known as "spear phishing."
The Honolulu Police Department’s Financial Crimes Detail has received about 10 complaints this year involving spear phishing, in which criminals gain access to information from a consumer’s computer and use it to steal money from known bank accounts or commit other crimes.
HPD received no such complaints last year, said Lt. John McCarthy, who heads the Financial Crimes Detail of the Criminal Investigation Division.
Don’t get speared
Honolulu police and Bank of Hawaii offered these tips for Hawaii consumers to avoid being victims of cybercriminals who penetrate financial accounts and transfer money to other accounts:
>> Don’t use your private email to instruct your bank what to do with your money, especially from a free, Web-based email service such as Gmail, Yahoo or Hotmail. Conduct communications with your bank in person, by phone or through your bank’s secure online banking site that requires you to sign in.
>> Never provide any sensitive financial information to someone you don’t know, either via email or by phone, unless you are absolutely certain it is a bank employee. If you’re not sure, call the bank and ask for that employee by name. Never give out a password; a bank employee will never ask you for your password.
>> Keep your anti-virus, spyware or computer security programs updated.
>> Do not use the Internet via your administrator account.
>> Use strong passwords with a combination of numbers and upper- and lower-case letters.
Source: Honolulu Police Department; Bank of Hawaii
In two instances this year, local banks transferred more than $100,000 to non-U.S. bank accounts after receiving what appeared to be emails from customers requesting such a transfer, McCarthy said.
The emails, in fact, were phonies that came from cybercriminals who had cloned legitimate email addresses, he said.
In at least one of the cases, the bank customer and the bank had exchanged email about a money transfer in the past, McCarthy said.
What makes spear phishing different from a typical phishing scheme — in which a criminal broadcasts a fake come-on to a wide audience — is that the criminal targets specific people, penetrating their computers to gain access to sensitive financial information such as bank accounts, McCarthy said.
"The crooks have really gotten sophisticated. The spear phishing targets a specific group," he said. "They have to know what your bank is. They know there’s money there."
Banks don’t always report the crime because the scheme often involves sending money out of the United States, and there is little authorities can do to recover money transferred out of the country, he said. "Once you wire that money, it is gone, it ain’t coming back," McCarthy said.
Banks typically end up compensating the victims. "The local victim will never lose money; the banks are at fault for that," McCarthy said. "The institutions have to replace the money."
McCarthy and Gary Fujitani, executive secretary of the Hawaii Bankers Association, said communicating with your bank via email is a no-no, especially when it comes to money transactions.
"If a bank acted on an email, that would surprise me because obviously email is not a secure method of communication, let alone a situation where you’re going to transfer money," Fujitani said.
At the very least, a bank getting such an email request should verify it by calling up and speaking to the customer, he said.
Some financial institutions will try to verify an email seeking a transfer of money before actually going forward with such a requested transaction, and more have begun doing so recently, McCarthy said. "Some of the financial institutions, this is where they’re to blame. Their security levels are low."
Brian Ishikawa, Bank of Hawaii’s senior vice president of corporate security, said the bank has received "a few emails" of the type described by McCarthy. Some ask for wire transfers abroad, while others simply ask for account balances, presumably with the intention of asking that money be sent abroad later, he said.
When such a request does come via email, bank employees are instructed to call the customer at a telephone number kept on file, Ishikawa said.
"I think there’s a fear right now that it will increase to the numbers that mainland banks are experiencing," he said.
Bank of Hawaii’s information technology staff has also received reports from customers and others about such emails, he said. Some customers are getting their email accounts spoofed by cybercriminals who create an email account nearly identical to their own legitimate accounts, while others are finding their actual email accounts have been hacked into and then controlled by someone with ill intent, Ishikawa said.
Ishikawa urged consumers to be wary of suspicious, unsolicited emails coming from what appears to be a bank or even a government agency such as the Internal Revenue Service or the U.S. Postal Service. People should be wary of emails asking that they click on a link to find more information or asking for sensitive information.
First Hawaiian Bank spokesman Brandt Farias said in a written statement that the bank has not seen any recent increase in phishing in general or spear phishing in particular.
"The good news is that our customers and employees are becoming more adept at dealing with this kind of activity and merely delete these emails if they are not sure about the credibility or authenticity of the sender," Farias said.