NEWS | June 9, 2025

Glitch-Enabled Phishing Campaign Targets Navy Federal Credit Union and 830 Organizations

Between January and April 2025, cybercriminals used the Glitch platform to create sophisticated phishing pages, targeting over 830 organizations, including the Navy Federal Credit Union (NFCU) and its members. The cybercriminals’ goal is to steal sensitive data, including email login credentials, credit card numbers, and banking details. This phishing campaign is notable for its use of Telegram to facilitate both data exfiltration and the circumvention of multi-factor authentication (MFA). Telegram is used to transmit stolen account information to the cybercriminals in real time. This direct and immediate channel enables cybercriminals to promptly exploit captured one-time passwords (OTPs) to gain unauthorized access to victim accounts, effectively undermining the security provided by MFA mechanisms. Stolen login credentials could allow cybercriminals to gain unauthorized access and perform fraudulent banking transactions. In addition, CAPTCHA, a bot prevention tool, is used to harvest credentials and direct targeted individuals to the fraudulent phishing pages. These tactics highlight the evolving sophistication of phishing attacks, underscoring the need for individuals to maintain heightened vigilance and awareness.

Recommendations for Navy Federal Credit Union Customers
To protect yourself from phishing attempts, consider the following best practices:

1. Be Skeptical of Unexpected Emails: Do not trust emails that create urgency (e.g., "Your account will be locked in 24 hours"). If you’re not expecting an email from your bank, treat it with suspicion.

2. Verify the Sender’s Email Address: Examine the sender’s email carefully—phishing emails often mimic official addresses but are subtly different (e.g., support@MFCU.com instead of the correct domain).

3. Avoid Clicking on Links: Do not click on links or download attachments from suspicious emails. Instead, manually type your bank’s official website into your browser or use the official mobile app.

4. Do Not Enter Sensitive Information: Never share passwords, PINs, Social Security numbers, or account details via email. Legitimate banks will never request this kind of information through email.

5. Look for Red Flags: Watch out for spelling/grammar mistakes, generic greetings (e.g., “Dear Customer”), poor formatting, or low-resolution logos—all common signs of phishing attempts.


Phishing website details

