Cyber thieves make off with hundreds of thousands of dollars in attack targeting Coast Capital Savings

Coast Capital Savings says 140 members had money stolen fromtheir accounts during a targeted cyber fraud attack inNovember and December of last year.

The credit union doesn't know exactly how much is missing but said the lossto each victimwas "typically in the magnitude ofbetween$3,000 and $6,000," meaningthieves got away withmany hundreds of thousands of dollars.

Dave Cunningham, Coast Capital's vice president of public affairs and communications says an investigation initiallyrevealed that criminals gained valid online account and password numbers using two different methods.

The first wasa "phishing attack" where fake emails and texts were sent to members asking for security information. The second is described asa "brute force" attack where the fraudsters used a computer program to "guess" account passwords.

"What we know is that these attacks were not a breach or a hack in the sense of unauthorized access of Coast Capital systems," saidCunningham.

Cunningham said there was a third type of scam where scammers called customers via telephone and impersonated trusted sources.

"We've also seen cases where they're doing just old fashioned impersonation social engineering, calling up people trying to trick them by pretending theyare from a charity or a hospital or some other trusted source like that."

It's unclear exactly how the fraudsters found out the phone numbers and emails of Coast Capital members, as the credit union says they did not suffer a personal information breach.

Out $10K

Personal trainer Carrie Light had $10,000 disappearfrom her business account on Nov. 23in two fraudulent e-transfers.She says the credit union hasn't been able to tell herhow thieves got access to her money, nor if she will be reimbursed.

Light said she only learned of the theft when her adult son in Manitobareceived a strange message that made it seem like she was trying to transfer him $10,000.

"He saw [the message]and thinks I'm not going to open this, because it's crazy that my Mom's suddenly going to be transferring me $10,000 without my even knowing. So he called me ... and we called Coast Capital ... That money was long gone," said Light.

Phishing victim

In a separate incident, a Langley teenager lost $5,800after falling for thephishing scam.

The girl, who doesn't want to be identified, received a text message on Nov. 23 that appeared to be from Coast Capital asking her to enable her online banking.

The text brought her to a page that looked similar to Coast Capital's site, and she entered her account number and password.

Seventy minutes after thieves cleaned her out of all but $200, she received a call saying there had beensuspicious activity on the account. The $5,800 had been transferred to a travel agent's account that was also fraudulent.

'Terrible error'

The teen's father told CBC that"obviously she made a terrible error" in falling for the phishing scam, but believes that Coast Capital needs to do better safeguarding member accounts.

He says he's since discovered that there were no security questions for thieves to bypass something that other banks have in place when a strange IP address tries to access an account.

The father is also raising concernsthat the seven digit password is far too easy for criminals to crack.

"No letters, no capitals, no symbols," he said. "The teller told her on the day sheactivated her online banking that she should use a phone number. I did not believe she was given such terrible advice."

Cunningham said Coast Capital encourages clients to choose a complex numerical passwordand says the company is always looking for ways to improve security.

"Our systems are secure and our networks are safe," he said. "This is an issue that unfortunately happens at a lot of organizations these days where [criminals] are targeting individuals directly trying to trick them into giving up their information."

The credit union will begincontactingthose who were ripped off in the next few days to let them know if they will be reimbursed.

"We've been reviewing each of these incidents on a case-by-case basis, because the circumstances do vary from one to the other," said Cunningham.

The RCMP is also investigating.

Coast Capital has 555,000 members and 52 branches in Metro Vancouver, the Fraser Valley, Vancouver Island and Okanagan regions of B.C.