Students with Notre Dame Federal Credit Union (NDFCU) bank accounts may have been victims of what appears to be a complex, multi-part Internet scam.
On Friday, NDFCU's Web site posted a message that warned members against clicking on certain links in e-mails ostensibly from the credit union that actually originated elsewhere.
"If you have received an e-mail message that appears to have originated from Notre Dame Federal Credit Union telling you that 'your access has been limited' or asking you to participate in a survey, please do not click on any links that ask for your personal information," the warning said.
That warning, it appears, could have played into the hands of the hacker's scheme.
By late Friday, some members received fraudulent e-mails - from an address that appears to users as alert@ndfcu.org - telling them that a computer with a foreign IP address had unsuccessfully attempted to access their online account.
The second wave of e-mails told members to "sign in to our secure server at onlinebanking.ndfcu.org and review your account(s) for any irregular activity. If you do not recognize any transactions, please contact us immediately at 800-835-5373."
Some members, perhaps concerned after seeing the warning posted on ndfcu.org, may have given more credence to the fraudulent e-mail that appeared to come from the NDFCU.
The phone number listed on the second set of e-mails is the correct national number for NDFCU, but the hyperlink redirects users to a non-NDFCU Web site designed to look exactly like the real NDFCU homepage - except that, as of press time, it lacked the warning message carried on the actual site.
The fake site, possibly as part of the scheme, prompted concerned members to re-enter sensitive information into the system, including their account number and password and their ATM card number, expiration date, security code and password.
NDFCU officials did not return Observer phone calls Sunday, and the institution had not updated its warning to include an update about the second wave of the scam.
University spokesman Don Wycliff had not heard of the scam and did not know how many students were affected.
The impersonalized e-mail with the fraudulent link rerouted members to a Web site where they initially entered their member numbers and passwords. The site then asked them to enter all the information related to their ATM cards.
Gordon Wishon, the University's chief information officer, said the criminal practice - known as phishing - is a common practice used to target national and local financial institutions.
"Scammers set up Web sites that look legitimate and they send out e-mails that look like their originated from the bank," Wishon said. "Most of the time, they are shotgunning, e-mailing thousands of addresses in hopes a few of them will actually have an account with the bank they're masquerading as."
The scam also appears to be using the University's online directory to get the e-mail addresses of students. Of those fraudulent e-mails viewed by The Observer, all were sent to the member's preferred e-mail address, as listed on nd.edu/directories, even when that person's registered e-mail address with NDFCU was different.
Wishon said he did not know where the fraud's perpetrators obtained the nd.edu e-mail addresses but that mass e-mail lists can be bought illicitly or stolen if the scammer "successfully penetrates a machine and harvests its entire address book."
He said that machine could have been a NDFCU computer or, just as easily, any computer with an ample Notre Dame e-mail contact list.
"Most likely, NDFCU had nothing to do with the incident and this spammer just shotgunned as many Notre Dame addresses as it could find," Wishon said.
Wishon said the University's Webmail security filters cannot catch every unsafe e-mail that may come in, but he gave students tips to identify potential Internet scams.
"We always recommend students not to click on links on e-mails," he said. "Very few financial institutions will actually communicate a personal information request via e-mail."
Ken Fowler contributed to this story.
