Alert: E-mail phishing aimed at banking customers

October 15, 2007

ARLINGTON, Va. (Defense Finance and Accounting Service) – Customers of the DoD Community Bank and other institutions providing financial services to Department of Defense military and civilian personnel continue to be targeted with e-mail phishing campaigns which attempt to gather personal and account information.

The latest e-mail presents itself as originating from the “Military Bank of America” and asks recipients to click a link to update their account information due to an update of Web site features.

According to Bank of America officials, the e-mail is fraudulent and the site has been shut down.

“Alert customers reported this e-mail to the bank and another fraudulent site is closed for business,” said Pat Shine, DFAS Deputy Director for Operations. “But these phishing campaigns continue to be a concern and as soon as one fraudulent site is closed, the phishers have opened a new one. From our own online services, such as myPay , to the services offered by our contractors, security of customer personal and account information is our highest priority. This latest attempt to lure customers to give up this information is a great reminder that security is everyone’s responsibility.”

“Remember, legitimate businesses will not send you an e-mail asking you to go to a Web site to confirm or update account information. When you receive an e-mail like this, delete it,“ said Shine. “You are not being specifically targeted. The suspects spam this e-mail message to a large number of e-mail accounts in an attempt to convince unsuspecting victims to respond.”

Shine urged all customers to read and practice the following precautions on fraud prevention.

1. Does the e-mail ask you to go to a Web site and verify personal information? Legitimate businesses won't ask you to verify your personal information in response to an e-mail.

2. What is the tone of the mail? Most phish e-mails convey a sense of urgency by threatening discontinued service or information loss if you don't take immediate action.

3. What is the quality of the e-mail? Many phish e-mails have misspellings, bad grammar or poor punctuation.

4. Are the links in the e-mail valid? Deceptive links in phishing e-mails look like they are to a valid site, but deliver you to a fraudulent one. Many times you can see if the link is legitimate by just moving your mouse over the link.

5. Is the e-mail personalized with your name and applicable account information? Many phish e-mails use generic salutations and generic information (e.g., "Dear Customer" or "Dear Account Holder") instead of your name.

6. What is the sender's e-mail address? Many phish e-mails come from a personal e-mail address, not from the company represented in the e-mail.

7. When in doubt, type it out. If you suspect an e-mail to be phishing, don't click on any links in the e-mail. Type the valid address directly into your Web browser.

“You should never give anyone your user IDs or passwords, “Shine concluded. “In fact, anyone having suspicions that an e-mail message may not be ‘quite right’ should contact DFAS if it is about one of our services, or the appropriate commercial business immediately. Only by working together can we make sure information stays as safe and secure as possible.”