I just got an email from an organization called NACHA that claims I have a failed ACH automatic payment transaction. Well, I do pay some bills through electronic funds transfer, but I’m confused: why wouldn’t this message have come from my bank rather than some central organization? Is it a scam?
Yes. It’s bogus and you should not click on any links or respond to it in any manner.
Still, I have to give the hackers who originated this scam message credit: it’s an original approach to what appears to be an attempt to install a virus or some spyware onto recipients’ computers. By now, just about everyone makes some sort of automatic payment for bills, a mortgage, insurance, or similar. Whether most people know that electronic transactions are paid through a central organization called NACHA, The Electronic Payments Organization, is another story, but still, it’s definitely smart of them to reference the group.
I also received one of these messages and here’s what that one said:
The ACH transaction (ID: 0587369056092), recently sent from your checking account (by you or any other person), was rejected by the other financial institution.
Rejected transaction
Transaction ID: 0587369056092
Reason of rejection: See details in the report below
Transaction Report: report_0587369056092.doc (Microsoft Word Document)
About NACHA
Utilized by all types of financial institutions, the ACH Network is governed by the NACHA Operating Rules, a set of fair and equitable rules that guide risk management and create certainty for all participants. As a not-for-profit association, NACHA represents nearly 11,000 financial institutions via 17 regional payments associations and direct membership. Through its industry councils and forums, NACHA brings together payments system stakeholders to enable innovation that strengthens the industry with creative payment solutions.
The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.
Looks legit, right?
A closer examination of the message reveals a few oddities, though.
The most important one is that there’s a “.doc” Word file link that is supposed to have the details of the transaction, but examining the link (rather than clicking on it!) reveals that it’s actually a link to a shortened URL from a “.ie” domain: http://url.ie/dhvfxf
Any time you see a shortened URL of this nature you should run away. That would never be part of a legitimate message from any sort of financial institution, not to mention that it should also be a secure “https” link anyway.
To their credit, url.ie caught this particular problem too and clicking on the shortened URL produces the error “This link (URL) has been blocked for violating our Terms of Service.”
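The same inspection can be done without ever rendering or clicking the message. The following is an added example, not part of the original article: it reads an email's HTML body and flags links that are not https, that point at a URL shortener, or whose visible text looks like a file name while the real target does not. The shortener list, the function names and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short illustrative list; extend it with shorteners seen in your own mail.
SHORTENER_HOSTS = {"url.ie", "bit.ly", "tinyurl.com", "t.co", "goo.gl"}
FILE_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".zip")
# Constructed sample modelled on the message quoted above.
SAMPLE = ('<p>Transaction Report <a href="http://url.ie/dhvfxf">'
          'report_0587369056092.doc (Microsoft Word Document)</a></p>')


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html_body):
    """Return [(href, [reasons])] for links showing the warning signs described above."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        url = urlsplit(href)
        first_word = (text.split() or [""])[0].lower()
        reasons = []
        if url.scheme.lower() != "https":
            reasons.append("not-https")
        if (url.hostname or "").lower() in SHORTENER_HOSTS:
            reasons.append("url-shortener")
        if first_word.endswith(FILE_EXTENSIONS) and not url.path.lower().endswith(FILE_EXTENSIONS):
            reasons.append("file-name-text-but-link-is-not-a-file")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run against the sample, the link in the quoted message trips all three checks, while an ordinary https link with plain wording returns nothing.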
The second oddity is the sender’s email address:
That’s clearly impossible. There are no legit NACHA messages originating from a K-12 school in Wisconsin!
Add these two up, sprinkle in a bit of common sense, and it’s clearly a scam and is best deleted immediately.
As always, be careful out there.
Please be aware this is most likely a scam. I received the email as well. After opening the email and attachment in a Linux virtual machine (a quarantined environment), I discovered the Word document is embedded with macros (macros are pieces of code that make the Word document behave like a piece of software, not like just a document anymore). These are very likely viruses and malicious macros (or code). Please beware and do not open the Word document!
I just got the following email from the same K-12 school in WI. Checked their staff roster and did not find the email address that this email was sent from. Must be the same scammers from the bank transfer group but now they have a new scam, “credit scores have decreased”…
The K-12 is a real school but not the email address (which I loved – makeshifteuw40). The via is also real, but is a high-tech bio company in France…
My spam filter dumped this but I had to dig it out because of the “makeshift” email address…
See email below:
Your TransUnion, Equifax, and Experian Scores Have Decreased
john.jss@xyz.xx
Credit Report Center makeshifteuw40@luther.k12.wi.us via eurobiobiz.com
1:48 PM (2 hours ago)
to john.jss
Why is this message in Spam? It’s similar to messages that were detected by our spam filters. Learn more
Your credit score apparently changed!
ID: #K5DWN-FH4GM52L
– Go here to see probable changes
– Go here to see latest updates to your credit score as of December 18th, 2012
Review your score immediately!
I, too, have been getting those for quite some time. Lately, I sometimes get a dozen or more a day which make it through my spam filters. (I haven’t checked the spam filters to see how many get caught.)
Note that, sometimes, they come from “more legitimate” sounding addresses, such as with a “nacha.org” or “eftps.gov” domain name.
However, even more telling than the URL-shortener is the fact that the attachment is (supposedly) an MS-Word document. I highly doubt that any legitimate service would send anything in such a format, and instead use something like PDF. (Actually, I would expect that they would tell you to log in to your account and check the information there.)
Other times, they include a .zip archive of a supposed PDF file. However, the .zip file actually includes a Windows executable instead.
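A mail gateway or analyst can check for the mismatch described in the comment above without extracting anything to disk. The following is an added example, not part of the original post or its comments: it reads only the first bytes of each archive member and flags executable extensions, the Windows "MZ" header, and ".pdf" names that lack a PDF header. The function names, the extension list and the sample archive (built in memory from placeholder bytes) are assumptions made for illustration.

```python
import io
import zipfile

# Assumption: a short illustrative list of Windows executable extensions.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def build_sample_zip():
    """Constructed sample: harmless placeholder bytes that only mimic file headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf.exe", b"MZ" + b"\x00" * 62)  # double extension
        zf.writestr("details.pdf", b"MZ" + b"\x00" * 62)     # .pdf name, executable header
        zf.writestr("readme.pdf", b"%PDF-1.4\n%%EOF\n")      # name and header agree
    return buf.getvalue()


def inspect_zip(data):
    """Return {member name: [reasons]} for members that are not what they claim to be."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as member:
                magic = member.read(4)  # header only; nothing is written to disk
            reasons = []
            if name.endswith(EXECUTABLE_EXTENSIONS):
                reasons.append("executable-extension")
            if magic[:2] == b"MZ":
                reasons.append("windows-executable-header")
            if name.endswith(".pdf") and not magic.startswith(b"%PDF"):
                reasons.append("pdf-name-without-pdf-header")
            if reasons:
                findings[info.filename] = reasons
    return findings
```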