This article originally appeared in the January 15, 2006 issue of the
Alaska Journal of Commerce.
Four times in five weeks, someone went phishing for information from Credit
Union 1 members. It's likely that thousands of Alaskans received e-mail messages
last month that aimed to bait them into giving up their log-in passwords,
personal identification numbers and even credit card information.
When a member clicked on the link, he was taken to a Web site that closely
resembled that of Credit Union 1, and was asked to supply names, phone numbers
and e-mail addresses. Another field asked for credit card information, including
expiration dates, ATM PINs and online passwords.
It was all a bad guy needed to make a fake credit card, or simply go online and
go on a shopping spree.
"A few fell for it," said CU1 spokesman Joe Morrison.
He wouldn't go into specifics, but Pat Berry, CU1's internal auditor and
security officer, said a couple members had money stolen from their accounts.
Credit Union 1 isn't the only financial institution in Alaska targeted for
phishing scams. Alaska USA Federal Credit Union and First National Bank were
also targeted in 2005.
Odds are if you've got e-mail, you've gotten phished.
"People will use any underhanded method - fear, intimidation, build trust - to
get people to divulge information," said Erik Bjella, spokesman for First Bank,
based in Ketchikan.
The Anti-Phishing Working Group, an association focused on eliminating identity
theft and fraud, received nearly 16,000 unique phishing reports in October
alone. That's an increase from 13,600 received in September.
Some 87 percent of those scams targeted financial institutions, the group said.
What happens when you're phished
Most financial institutions have software that alerts staff to unusual
activity, such as several high-dollar transfers in one day or
purchases in foreign countries.
If bank staff believes fraud is taking place, they may put a hold on the account
and call the account holder asking if he, for example, is buying anything in
Bolivia that day.
But bank officials say customers shouldn't rely on them to catch fraud.
Customers should check their accounts often, at least once a week, for unusual
activity.
Once you discover odd transactions, report them quickly so you can be protected
under federal consumer protection guidelines, generally referred to as
Regulation E.
Regulation E, officially the Electronic Fund Transfer Act, protects consumers
against fraudulent use of their electronic transactions, such as for debit card
purchases, automatic teller machine withdrawals or online money transfers. It
does not cover paper-based activity, such as for stolen checks.
The regulation limits the consumer's liability generally to $50 - if the bank is
notified within two days of realizing the fraud. Wait longer, and the liability
increases, up to $500 in unauthorized activity.
Customers have 60 days to notify their banks if they see odd transactions on
their mailed bank statements.
Credit card companies have their own procedures for fraud, and customers with
unauthorized transactions generally have no liability.
As soon as the bank is notified, staff there will quickly work to stop the
fraudulent activity - closing bank accounts or blocking card transactions,
depending on the situation.
From there, most institutions in the state work with you to complete all the
necessary paperwork, such as a police report, a written account of what happened
and a written statement swearing you had nothing to do with the event.
They'll also work with you to ensure any outstanding transactions you tell them
about are covered. Within 10 business days, financial institutions must refund
the lost money, with the provision that their investigation shows you didn't
actually commit the fraud.
Most local financial institutions said they try to provisionally refund the
money right away.
Regulation E allows financial institutions 45 days to complete their
investigations. Bank security officers get copies of signed transaction slips or
ATM camera images, for example, to determine who took the money.
"The underlying assumption is that the customer is honest, and Regulation E is
there to protect them," said First Bank's Robert St.Clair. "But there may be
things that tell you if someone is working the system."
If it's found that the customer was trying to scam the bank, they must return
the money refunded to their accounts.
But when fraud does occur, bank security officers say getting their money back
from the bad guys is often hopeless.
"It's not easy for me to get someone in Romania arrested," CU1's Berry said. "A
lot of phishing scams are hard to solve."
Depending on the customer's history, institutions may not open another account
or reissue a debit card.
"A debit card is not an entitlement," said Cherri Gillian of First National Bank
of Alaska. "If there is evidence that security control was not used by the debit
card holder, we can revoke it and-or not reissue one, that's part of the
agreement. It's not often that we do that, but some people are irresponsible,
like they have a checking account and it's someone who frequently overdrafts,
you don't have to open another account for them.
"It exposes us and we're responsible for our shareholders' investments and our
customers," Gillian said.
Paper fraud still leads
Despite growing fears about online fraud and identity theft, more people become
victims of the age-old paper trail, a 2005 survey showed.
The survey, conducted by Javelin Strategy and Research, found that the most
frequently reported source of information used in fraud was a lost or
stolen wallet or checkbook. Computer crimes accounted for less than 12 percent
of the cases.
And half of the paper fraud cases were committed by someone the victim knew, the
survey found. The information was found in the garbage in about 4 percent of the
cases.
"Internet fraud is a sexy thing, but dumpster diving also happens," said Keith
Fernandez of Denali Alaskan Federal Credit Union. "There are all kinds of ways
that people will try to steal from you."
Steps to avoid bank fraud and identity theft
Anyone who has a bank account should learn to protect themselves from phishing,
online fraud and identity theft.
Here are some steps to take to avoid having your money and identity stolen.
- What's in your wallet? A recent national survey showed that the majority of
fraud and identity theft cases resulted from lost or stolen wallets. Know what
you're carrying, including credit and debit cards. And carry as few as possible.
- Where's your checkbook? With the growing prevalence of debit card use,
checkbooks are going largely unused, and sometimes unaccounted for. If you
rarely write a check, lock it up.
- The Secret PIN. Don't give your personal identification number to anyone,
including children or friends. A 2005 survey showed that the majority of thefts
were done by someone the victim knows.
- The Secret PIN 2. Don't write your PIN on the back of your card. If your
card is lost or stolen, the finder will have access to your money.
- Sign for debits. Many financial institutions can flag your card to authorize
only signature transactions. Signature-based transactions are routed through the
credit card company, and consumers are generally not held liable for any amount
of an unauthorized transaction. PIN-based transactions are routed through the
bank, and federal regulations say that the victimized consumer will be liable
for at least $50 of the amount stolen.
- Take a number. Make a list of the toll-free numbers on the backs of all your
credit and debit cards. Put the list in a spot that's easily accessible, but
away from your wallet or purse in case they are stolen.
- Set up alerts. Most banks and credit unions offer free e-mail alerts through
their online banking service. Set up an alert for when your balance falls below a
certain point or when a certain amount of money is transferred.
- Foreign travel. If you're planning to travel outside the United States, call
your financial institution. Otherwise, your account may be blocked while the
bank tries to contact you believing unauthorized transactions are happening with
your account.
- Check in. Check your account online at least once a week, and look for
activity you didn't authorize. If you see anything odd, call the bank
immediately.
- Be anti-phish. Never, ever respond to e-mails asking you to update account
information. No legitimate company would ever e-mail asking for this type of
personal information.
Melissa Campbell can be reached at
melissa.campbell@alaskajournal.com.