Text scam targets Golden 1 customers on heels of data theft from CalPERS, CalSTRS members

Golden 1 Credit Union members in Sacramento took to social networking sites to report that they were being “smished.” That’s when scammers send fraudulent text messages to get people to reveal passwords, user names or other account information.

In a post on Nextdoor.com, a College Glen neighborhood resident stated that a friend told him: “Got a fraudulent text this morning saying my credit union (Golden One) had been blocked and offering a link to reopen it. The website was a .org and not correct. My credit union website, when I opened it directly, had a specific notice warning about recent reports about this text. G1 said they NEVER text members. So, be alert. Don’t click that link. Tell your family and friends about it.”

Both Golden 1 Credit Union and the Sacramento Police Department said they were aware of the attempts to collect usernames and passwords and get access to accounts. The credit union posted a link to information about it on its home page.

On Nextdoor.com, dozens of people responded to the post, saying they had gotten the message as well. A number of people said they’d received it even though they didn’t have a Golden 1 account.

In some replies, users speculated that this texting hoax could be related to a data breach that The Bee reported earlier this week. CalPERS and CalSTRS announced that a ransomware group hacked into a software application used by a vendor, RBI Research Services, and stole personally identifiable information such as Social Security numbers and birth dates belonging to a combined 1.2 million retirees and beneficiaries.

One cybersecurity expert, threat analyst Brett Callow of Emsisoft, said he wouldn’t be surprised to learn that the texts are indeed connected to the hack into the MoveIt data transfer software that RBI and other entities worldwide use to do business.

“Ultimately, that (stolen) information is likely to be used in frauds and scams,” Callow said. “That is the reason why data is stolen, or it’s part of the reason anyway. It’s used to commit identity-related fraud.”

Stolen data often used to commit identity-related fraud

These data breaches are just another way to get personal information into the hands of criminals, he said, but they’re not the only way.

He’s found Twitter users sharing photos of people’s driver’s licenses and passports. Callow said he reported it and shared Twitter’s response with The Bee: “After reviewing the available information, we want to let you know that (the account user) hasn’t broken our safety policies. We know this isn’t the answer you’re looking for. If this account breaks our policies in the future, we’ll let you know.”

It’s more important than ever, Callow said, that people and institutions be on the lookout for fraudulent activity. So far, 160-plus companies, government agencies and other entities around the world have reported being victims of the MoveIt data breach. More than 16 million people had their data stolen.

Sacramento Police said they have not received any crime reports related to the Golden 1 text messages. This type of fraud has come to be known as “smishing,” which combines the acronym used for texting (SMS, or short message service) with the word “phishing.”

In a statement emailed to The Bee, Golden 1 officials said that digital fraud is a growing problem and, unfortunately, large institutions and their customers are often targets.

“There has been a recent increase in scammers impersonating financial institutions in the Sacramento region using fraudulent text messages and phone calls,” the Golden 1 statement noted. “Given our strong market share in the region, we have received reports that some of our members have been contacted.”

How to protect yourself from text or phone scams

Golden 1 said if members are ever in doubt, they should call the company directly rather than clicking on a link in an email, texting, answering a suspicious phone call, or calling a phone number provided by the person contacting them. If you suspect a scam or fraud, use the mobile or online banking platforms to report it in the self-serve dispute system, or call member services at 877‑465‑3361.

Golden 1 and other experts also provided a list of red flags that signal trouble:

  • Emails, text messages, or phone calls asking for a one-time authentication code, your user ID and password for any accounts, code word, or your credit card or banking account details. No financial institution should ever initiate contact with you and then ask for login credentials or confidential information such as a PIN, password, or authentication code.

  • Messages with spelling, grammar, or punctuation errors.

  • Messages or phone calls that come from an unknown number. If the phone call appears to come from your financial institution, it is still worth verifying by reaching out to your financial institution directly.

  • Messages or calls with threatening or high-pressure language.

  • Offers or opportunities that seem too good to be true.

  • Links to website addresses that are different from your company’s address. For instance, the link on the fraudulent Golden 1 text sent this user to a site with a .org domain. Golden 1 uses the .com domain.

There are also ways to slow down or defeat identity thieves:

  • Use strong passwords. When it comes to passwords, longer is better. There should be a mix of numbers, symbols and uppercase and lowercase letters. There should be no tie to your personal information.

  • Enable enhanced security measures such as two-factor authentication, where you have to get a text or email with a code to enter your account.

  • Sign up for alerts of suspicious or unusual activity.

  • If your institution allows it, put some controls on your account to limit the size of withdrawals or charges or to restrict which accounts are available for withdrawals.

  • Review accounts regularly for unusual activity, and frequently check financial statements for any unauthorized charges.

  • Get a copy of your credit report annually and check to see whether any unauthorized accounts have been opened in your name.

Scammers have gotten increasingly sophisticated, duplicating the look of institutions’ web pages, Callow said, so users have to look closely for signs of fraud and call their financial institution if they’re not sure.