Cyber criminals are always a step ahead of the game
If you’re a customer of one of South Africa’s “big four” banks then you’re a prime target for a growing band of brazen criminals. Computer fraudsters are using the Internet to launch unprecedented attacks on consumers’ bank accounts. They operate in the virtual world, with no boundaries, no physical addresses and absolutely no conscience. And they hardly ever get caught! I recently voiced my concerns to a senior employee in one bank’s computer fraud division. Since our chat I’ve been even more careful about how I conduct my banking online.
He told me the Internet made it possible for criminals to go on fishing expeditions for personal information – the common term for this type of fraud is ‘phishing’ – with virtually no fear of being caught. What is phishing? Online information hub wikipedia.org provides a perfect definition: “phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, credit card details and bank account details by masquerading as a trustworthy entity in an electronic communication.”
How phishing works
The advent of the Internet means most bank customers can access their bank accounts and credit card accounts online. All you have to do to enjoy the processing capability previously reserved for the bank teller is to log in using your username and password… Once you’ve logged in you can pay accounts, transfer money between accounts, add beneficiaries etc. Imagine what would happen if your username and password got into the wrong hands.
The same technology that makes our banking experience a pleasure is being harnessed by cyber criminals to make quick and easy money. Criminals soon realised that bank customers were easily conned out of personal information. Their typical modus operandi is to obtain lists with millions of email addresses, then send an email to each of these addresses purporting to contain instructions from the customer’s bank. Let’s say they send 10-million emails in the name of Happy Valley Bank. They don’t care if only 10 000 of those 10-million recipients actually bank with Happy Valley – and they don’t care if only 10 of the 10 000 respond to the email… Because sending 10-million emails costs them next to nothing, 10 victims out of 10-million is good odds for them!
Now here’s where it gets really smart. They know that to get a customer ‘hook, line and sinker’ they need to look and feel like the customer’s bank. So they typically include a link in their email which – you guessed it – takes the unsuspecting user to a website that looks and feels exactly like his or her bank’s… I’ve checked out one or two of these links and it’s truly frightening how accurate they are. The unfortunate customer who lands up on this website is asked to part with usernames and passwords. The cyber criminal uses this information to log into the victim’s bank account – often in real time, while the victim is still on the fake site! They’ve even worked out clever ruses to get around the SMS authentication system used by many of our local banks, typically by prompting the victim to type the one-time PIN into the fake site and using it immediately.
An example of a phishing email
Early phishing attacks were easy to spot. The perpetrators often used poor language, and the ‘false’ websites were very amateurish. But things have changed since then. Here’s an example that landed in my inbox last week; you can simply substitute Bank X with your own bank:
Dear BANK X Customer,
BANK X has introduced a new online banking feature to prevent its customers from being vulnerable to online phishers. We have sent you this message because we noticed some invalid login attempts into your online bank account and have therefore limited its ability to send money. Please click below to the BANK X Secure Website and follow the steps required to remove this limitation.
CLICK HERE
Bank X will not be responsible for loss of funds to online Phishers as a result of failure to follow this directive.
The cheek of it! These phishers are playing on the customers’ fear of phishers to con them into parting with their details. Apart from the fact that your bank will never email you a link and ask you to log in through it, the best way to spot the scam is to hover your mouse cursor over the CLICK HERE link and look at the address it actually points to. Only the part of the address before the first single slash (the host name) decides which server you will be sent to; a bank’s name anywhere later in the address means nothing. In this case I could immediately see the website I was going to visit had nothing to do with my bank. It was going to take me to: http://g##gint.com/bank.secure-BankX/ibank-secure/secure.net/BankX.jsp.php
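The hover check above can be done programmatically on the raw HTML of an email. The following is an added example, not code from the original column or from any bank: it pulls every link out of the message, works out which host the browser would really connect to, and flags any link whose host is not the bank’s own domain. The bank domain `bankx.example`, the attacker host names and the sample email are constructed for illustration. It also covers two tricks that fool the eye but not the host name check: a `user@` prefix (`http://www.bankx.example@evil.example/`) and the bank’s domain used as a subdomain of the attacker’s site.

```python
"""Check where the links in an HTML e-mail really point.

Added example, not code from the original column. The bank domain
'bankx.example', the attacker host names and SAMPLE_EMAIL are all
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The domain the bank really uses for online banking (assumption).
LEGIT_BANK_DOMAINS = {"bankx.example"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML e-mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def link_host(href):
    """Return the host the browser would connect to, lower-cased.

    urlsplit().hostname drops the port and any 'user@' prefix, so
    'http://www.bankx.example@evil.example/' resolves to evil.example.
    """
    host = urlsplit(href).hostname
    return host.lower() if host else None


def belongs_to_bank(host, legit_domains=LEGIT_BANK_DOMAINS):
    """True only if host is a legitimate domain or a subdomain of one.

    The test is on the suffix of the host name, so
    'bankx.example.evil.example' and 'secure-bankx.example' both fail
    even though they contain the bank's name.
    """
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def suspicious_links(html_body, legit_domains=LEGIT_BANK_DOMAINS):
    """Return [(text, href, host)] for every link not pointing at the bank."""
    parser = LinkExtractor()
    parser.feed(html_body)
    bad = []
    for text, href in parser.links:
        host = link_host(href)
        if not belongs_to_bank(host, legit_domains):
            bad.append((text, href, host))
    return bad


# Constructed sample e-mail in the style of the one quoted above; the
# attacker host names are invented and do not refer to any real site.
SAMPLE_EMAIL = """
<p>Dear BANK X Customer,</p>
<p>Please <a href="http://attacker-host.example/bank.secure-BankX/ibank-secure/secure.net/BankX.jsp.php">CLICK HERE</a>
to remove this limitation.</p>
<p>Or visit <a href="http://www.bankx.example@evil.example/login">www.bankx.example</a></p>
<p>Or visit <a href="https://bankx.example.evil.example/">https://bankx.example</a></p>
<p>Contact us: <a href="https://www.bankx.example/contact">www.bankx.example/contact</a></p>
"""

if __name__ == "__main__":
    for text, href, host in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {host} ({href})")
```

Running the script lists the first three links as suspicious and accepts only the last one. The visible link text is deliberately ignored: what the email shows you and where it sends you are two different things, and only the host name of the real destination matters. An allow-list like this still needs to be kept up to date with the domains your bank genuinely uses, which is exactly why typing the address yourself remains the simpler rule.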
Phishers hardly ever get caught
These cyber-criminals are very difficult to track down. They exist in the virtual world and typically hack into dozens of different computer networks to launch their criminal attacks and cover their tracks at the same time. On the odd occasion that investigators successfully track the machine or network the attack was launched from, the perpetrators are nowhere to be found. Banks typically handle this type of attack by blocking the fraudulent website concerned… If you fall victim to such a scam you should immediately contact your bank to minimise your loss.
Follow these rules and you should never fall victim to a phishing scam:
1. Never give your personal details to anyone unless you are 100% sure who they are.
2. Never engage in conversation with someone who has sent you an unsolicited email.
3. Never provide your personal details – especially your bank PIN or password – to anyone.
4. Never log in to your bank account by following a link in an email. ALWAYS type the bank’s website address yourself.
5. If you receive a suspicious email, or suspect your account has been compromised, report it to your bank:
Standard Bank: phishing@standardbank.##.za – or telephone 0800 02 600
Absa Bank: absa@absa.##.za – or telephone 08600 08600
First National Bank: risk.online@fnb.##.za – or telephone 011 632 2226
Editor’s thoughts: I get roughly three of these phishing emails each week. Mostly I ignore them – because I don’t bank with the bank they’re talking about… But every now and then I actually do a ‘double take’ – amazed at the skills of these con artists. Have you been the victim of a phishing scam – and was your bank sympathetic to your plight? Add your comment below, or send it to gareth@fanews.co.za