New phishing attack targets online banking sessions with phony pop-ups

Researchers have discovered a new phishing attack method dubbed “in-session phishing,” designed to trick users into surrendering confidential information after they have logged on to an online banking, brokerage or other sensitive website. This technique uses legitimate-looking pop-up messages to request passwords and account numbers on behalf of the trusted website.

An attack of this nature would occur as follows:

In-session phishing attacks inject malicious JavaScript into legitimate websites so that a customer who visits one of those sites is targeted. Users are exposed to this malicious script because the weakness is in the user’s browser (e.g., Internet Explorer, Firefox, Safari, Chrome), not the online banking company’s server. Since there is no malware infecting the user’s computer itself, in-session phishing attacks are especially dangerous and difficult for anti-malware tools to detect.

What can you do to protect yourself from an in-session phishing scam?
First and foremost, be protective of all your personal and financial information. Keep in mind, Northwest Federal Credit Union (NWFCU) would never use a pop-up page to request your sensitive information.

It’s also important that you deploy browser security tools, log out of banking and other sensitive online sessions before going to other websites, and be suspicious of any pop-ups during a web session if you haven’t clicked on a hyperlink.

We also suggest you sign up for our Fraud Prevention e-LERT, which will immediately advise you when we have added a new article or warning to the ‘Fraud Alert’ section of our website.

If you feel you’re a victim of this type of scam
Contact your financial institution immediately. If you suspect fraud or ID theft on your NWFCU account, email us at fraud@nwfcu.org.
