NFCU says "Nah, it's not really phishing, sorry..."

[Nords]

I got an e-mail from NFCU yesterday morning. At least, it claimed to be an e-mail from NFCU:

Quote:

Account has an NSF Check or ACH Debit

Your account, ending in , has a non-sufficient funds , in the amount of $. This item was presented for payment on , and subsequently returned for non-sufficient funds. A non-sufficient funds fee of $20.00 will be debited from your account. To view your account transaction history sign on to Navy Federal Online Account Access, www.navyfederal.org.

This e-mail has been sent to you based on the Member Notification preferences you previously established. If you would like to change your Member Notification preferences, please sign on to Navy Federal Online Account Access (www.navyfederal.org) and click on the Other Services link, go to the Member Notifications by E-Mail option, and then click on the Manage My Notifications tab.

Please Note: This Member Notification e-mail address is only used to generate Member Notifications. We will not read or respond to e-mails sent to this e-mail address. If you would like to contact Navy Federal with questions or comments, please sign on to Navy Federal Online Account Access (www.navyfederal.org) and click on the Check Messages link to send us an e-message.

My first thought was: "Damn, these sociopaths are good." The e-mail came with the proper header, it had an NFCU logo in the body, and it had the right look & feel. But I know that their URL is really www.navyfcu.org and I figured that if they were legit then they'd include my account number and the amount of the NSF or ACH issue.

Just to be sure I logged into our accounts and checked. Nope, we were fine. Some scumbag was definitely phishing. Slimy $%^&ers!

As an ever-vigilant customer I immediately forwarded the devious e-mail to NFCU's phishing address and received the following comforting response:

Quote:

Patricia Schneck/00/HQ/NFCU is out of the office.
I will be out of the office starting 07/29/2008 and will not return until
08/08/2008.
I will respond to your message when I return.

Great, thanks a lot guys. So I told the story to my spouse and our 15-year-old. I emphasized to our kid that this was the most sophisticated scam I'd ever seen and that she should make sure she only logged into her financial websites from her bookmarks, never from the e-mail links.

This morning I got the following from NFCU:

Quote:

Member Notification E-mail

This is to advise you that an E-mail notification was sent to you in error from Navy Federal. The E-mail subject states, “Account has an NSF Check or ACH Debit”. Please note this E-mail did not accurately reflect your account status. Please disregard it. We apologize for the inconvenience.

Whoa, pretty slick! Those phishers were trying even harder to gain our confidence. Everyone knows that NFCU would've used their website's "secure member communication" system for us to learn more about the problem. But when I'd logged into our accounts the other day, there was nothing. So I forwarded this second phish to NFCU, and received the following:

Quote:

Safioleas, George is out of the office.
I will be out of the office starting 08/07/2008 and will not return until
08/11/2008.

If you have any questions please contact Helen Barber at 43401.

Great. Feeling less than fully customer-served, I started the day's yardwork. 30 minutes later spouse came out with the phone and said "It's NFCU."

NFCU's (alleged) customer-service rep claimed that they really did send out both e-mails and that the first was sent in error. So sorry. Yes, navyfcu.org was their URL but they'd also purchased a bunch of similar-sounding URLs including navyfederal.org. And if I had any questions I should've contacted them.

I didn't even get into my previous experiences with NFCU's interactive phone system. I kvetched about the out-of-office replies, suggested that the NFCU website should be used to notify customers of this mistake, and told her that PenFed was looking pretty darn good about now. That was the first time in the conversation that a hint of contrition crept into her voice, but then again that was her job as NFCU's Chief Apologist. I suggested that she let management know that this 30-year customer was mighty unhappy about the whole thing and she agreed that she'd do that right away. Yep.

Somehow I'm not feeling like this customer has been satisfied. Serviced, maybe, but not satisfied.

Anyone else have this problem?

[RetiredGypsy]

I've never had a problem with NFCU. The customer service I've received, both at any of the branches I've been too and the 800 number, has been fantastic. That's why I've stuck with them even after hearing about PenFed (that, and I can't remember what club I have to join to get in, but still).

[Trek]

Quote:

Originally Posted by Nords

I emphasized to our kid that this was the most sophisticated scam I'd ever seen and that she should make sure she only logged into her financial websites from her bookmarks, never from the e-mail links.

I'm paranoid even of my bookmarks and address bar history. I always open a new browser and manually type in the address of all my financial institutions. I never use a link of any kind.

[donheff]

You gave good advice to your kid. You should never click on a link from email to access your banking accounts - even if you set your preferences to get email notifications from the institution. Some of the phishing scams are quite convincing.

Hey, maybe that woman wasn't really from NFCU - did she ask you to verify any info?

[Nords]

Quote:

Originally Posted by donheff

Hey, maybe that woman wasn't really from NFCU - did she ask you to verify any info?

I should've asked for her last four of her SSN and her date of birth...

I'm still steamed at the way they blew off their mistake, and at the 2x lack of response from their phishing e-mail address.

What appears to be even more annoying is that it hasn't happened to anyone else?

[CitricAcid]

There was a massive phishing scam for NDFCU (Notre Dame Federal Credit Union) which managed to get some 500 or so students with an account linked to an ND email. I got the same e-mail and managed to warn everyone I saw that morning, but it was a huge deal in the paper the next day. They did a very good job with the scam, they had a very similar website and completely mirrored the NDFCU page, so it was the exact same site (just obviously different owners). They asked for SSN and Account numbers too, which is never asked for, since you have a login and password. A lot of people fell for it, but hey I wasn't affected.

[OAG]

See what happens when you let Army guys (and gals) join up.