A cleverly designed website steals IDs, passwords and PINs
The name and reputation of any company that handles sensitive information can be leveraged by cybercriminals in their phishing campaigns. A perfect example are the fake United Services Automobile Association (USAA) emails spotted by experts in the past days.The emails entitled “USAA – Account Security Update” read:
“We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank.
Please follow the reference link below to verify your account.
Click here to verify [Link]
Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security reasons.
USAA Internet Banking.”
Although the notification sounds legitimate, especially since there’s some good security advice included, its main goal is to lure users to a bogus USAA login page. Here, victims are asked to enter their IDs, passwords and PINs.
As GFI’s Jovi Umawing highlights, the legitimate USAA website doesn’t ask users to provide their PINs.
“PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form,” Umawing explained.
The USAA mainly focuses on offering financial services to the members of the US military and their families, so these malicious emails might be part of a clever targeted attack.
On the other hand, starting with 2009, USAA started offering its services to non-military individuals as well, so this phishing campaign might also be aimed at regular users.
Whichever the case may be, experts advise internauts to be extra careful when presented with such emails. If you’re requested to visit a suspicious third-party website or provide sensitive information, you’re most likely dealing with a scam.