British Columbia

Cyber thieves make off with hundreds of thousands of dollars in attack targeting Coast Capital Savings

The RCMP and the credit union are investigating after 140 members were robbed in "phishing" and "brute force" cyber attacks.

140 credit union members robbed in 'phishing' and 'brute force' cyber attack

Coast Capital Savings says over 120 clients had money stolen after thieves gained account numbers and passwords through phishing scams and other methods. (CBC News)

Coast Capital Savings says 140 members had money stolen from their accounts during a targeted cyber fraud attack in November and December of last year. 

The credit union doesn't know exactly how much is missing but said the loss to each victim was "typically in the magnitude of between $3,000 and $6,000," meaning thieves got away with many hundreds of thousands of dollars.

Dave Cunningham, Coast Capital's vice president of public affairs and communications says an investigation initially revealed that criminals gained valid online account and password numbers using two different methods. 

The first was a "phishing attack" where fake emails and texts were sent to members asking for security information. The second is described as a "brute force" attack where the fraudsters used a computer program to "guess" account passwords. 

"What we know is that these attacks were not a breach or a hack in the sense of unauthorized access of Coast Capital systems," said Cunningham.

Cunningham said there was a third type of scam where scammers called customers via telephone and impersonated trusted sources. 

"We've also seen cases where they're doing just old fashioned impersonation social engineering, calling up people trying to trick them by pretending they are from a charity or a hospital or some other trusted source like that."

It's unclear exactly how the fraudsters found out the phone numbers and emails of Coast Capital members, as the credit union says they did not suffer a personal information breach. 

Out $10K

Personal trainer Carrie Light had $10,000 disappear from her business account on Nov. 23 in two fraudulent e-transfers. She says the credit union hasn't been able to tell her how thieves got access to her money, nor if she will be reimbursed. 

A screen capture of one of the text phishing scams to hit members of Coast Capital Savings Credit Union. (Coast Capital Savings)

Light said she only learned of the theft when her adult son in Manitoba received a strange message that made it seem like she was trying to transfer him $10,000.

"He saw [the message] and thinks I'm not going to open this, because it's crazy that my Mom's suddenly going to be transferring me $10,000 without my even knowing. So he called me ... and we called Coast Capital ... That money was long gone," said Light.

Phishing victim

In a separate incident, a Langley teenager lost $5,800 after falling for the phishing scam.

The girl, who doesn't want to be identified, received a text message on Nov. 23 that appeared to be from Coast Capital asking her to enable her online banking.

The text brought her to a page that looked similar to Coast Capital's site, and she entered her account number and password.

Seventy minutes after thieves cleaned her out of all but $200, she received a call saying there had been suspicious activity on the account. The $5,800 had been transferred to a travel agent's account that was also fraudulent.

'Terrible error'

The teen's father told CBC that "obviously she made a terrible error" in falling for the phishing scam, but believes that Coast Capital needs to do better safeguarding member accounts. 

He says he's since discovered that there were no security questions for thieves to bypass — something that other banks have in place when a strange IP address tries to access an account.

The father is also raising concerns that the seven digit password is far too easy for criminals to crack.

"No letters, no capitals, no symbols," he said. "The teller told her on the day she activated her online banking that she should use a phone number. I did not believe she was given such terrible advice."

Cunningham said Coast Capital encourages clients to choose a complex numerical password and says the company is always looking for ways to improve security. 

"Our systems are secure and our networks are safe," he said. "This is an issue that unfortunately happens at a lot of organizations these days where [criminals] are targeting individuals directly trying to trick them into giving up their information."

The credit union will begin contacting those who were ripped off in the next few days to let them know if they will be reimbursed.

"We've been reviewing each of these incidents on a case-by-case basis, because the circumstances do vary from one to the other," said Cunningham.

The RCMP is also investigating.

Coast Capital has 555,000 members and 52 branches in Metro Vancouver, the Fraser Valley, Vancouver Island and Okanagan regions of B.C.

With files from Meera Bains