03 February 2023
Please be aware that a text message is circulating at the moment from fraudsters purporting to be the credit union. This message is not legitimate; we advise you to block the number and delete the message.
The message advises recipients that their credit union account has been placed on hold for a security update. The recipient is requested to verify their account by clicking on a link.
Please note that TUI credit union will never ask you to verify your account by such means.
Here are some examples of the types of messages that are being sent to members
Members are advised to exercise caution and please note the following:
- TUI Credit Union will never contact you and ask you for a code
- If anyone asks you to provide them with a code that has been sent to your phone, it is a scam
- Emails or SMS messages claiming that your account is locked or blocked are fake
- Messages that claim urgent action is required are generally fake
- Never click on links in messages. Always manually enter a web address into the address bar of your browser.
As we understand it, the attack process is as follows:
- Member receives SMS with an embedded link
- Member follows link to page(s) which requests information about the member and his/her credit union and credentials
- Member provides this information
- Attacker downloads the app for the identified Credit Union
- Attacker phones member masquerading as a Credit Union staff member
- Attacker enters the provided information (app still requires activation via SMS code)
- System sends activation code to member’s phone by SMS
- Attacker advises member that he is sending a code to the member’s phone
- Member reads back the code to the attacker
- Attacker activates app with provided code
- Attacker logs in to Online Banking as the member and sets up an external beneficiary (requires code to complete operation)
- System sends a code via push notification to the Mobile App
- Attacker receives code on the newly activated app and completes the beneficiary setup
- Attacker transfers funds from the members account to the newly set up beneficiary