What could have been a large-scale fraud ended up being relatively minor - a suspect was arrested within days, and the attack on Notre Dame Federal Credit Union appears to have caused only minimal damage.
Still, the scam should give the University, NDFCU and its members pause.
NDFCU should better clarify the warning messages it posts on the Web site, spelling out precisely what it cannot - and will not - ask of members. That information also should be housed permanently on a prominent portion of the Web site as reference for members in the event of future scams.
NDFCU also needs to have at least some workers on duty during holiday weekends. The scam began Friday, but few answers were available to affected members until Tuesday because of the extended weekend. A bank relies on the trust of its members, and displaying quick response to fraud is essential to maintaining that trust.
The University also has questions to answer. First, is there something wrong with the address recognition software for Webmail? It was essentially impossible for users to determine that the fraudulent e-mails did not originate from alert@ndfcu.org, as they claimed.
Second, what is the future of Notre Dame's online directory? It appears that the e-mails students received were sent to their preferred addresses as listed on the directory. And some students who do not have NDFCU accounts received the e-mail, asking for NDFCU account information. These signs point to the scammer's use of the directory in his plan. Whether that requires the University to alter its policies in regard to the directory - specifically, requiring a Notre Dame, Saint Mary's or Holy Cross login before viewing contact information - is a discussion the Office of Information Technologies should initiate with students immediately.
Coming to a thought-out decision on the topic, with clearly delineated reasons, and keeping the process open would go a long way in convincing students they are protected as best as possible.
