Millions of people happily use the Internet as an everyday part of their lives and this extends into using online banking to make management of their finances easier. Most people are aware, however, that there is a darker side to the Internet and an aspect of this is the efforts by criminal gangs to defraud online banking users of their hard-earned money. Thankfully, phishing attacks are often easily spotted but it certainly pays to be vigilant when dealing with emails that purport to be from your bank.
A basic description of phishing
Phishing refers to scams that attempt to trick consumers into revealing personal information, such as bank account numbers, passwords, payment card numbers, or Social Security numbers. These scams can be done by phone, email, regular mail and even via text message. In addition to seeking bank information, phishers may also try to obtain your ATM PIN or any other bits of data that can help them build a more complete profile from which they can operate in your name. Typically, phishing scams take the form of an email purporting to be from a bank, which advises that urgent action is required on your bank account.
Phishing scams are often unsophisticated
Whilst the idea of phishing scams is scary, in reality they are often quite easy to spot. Firstly, they rely on bulk sending of the same email to large numbers of email addresses and they often don’t hold any personal details other than the email address. This means that when a person receives a phishing email, it is often from a bank that they don’t hold accounts with. This, clearly, is a huge giveaway that the email isn’t genuine. Additionally, the email won’t be personalized, so will have a salutation of “Dear Customer” rather than quoting your name. Phishing emails also often contain very basic spelling and grammatical mistakes and branding that is totally inconsistent with what you are used to seeing with your genuine bank.
How does phishing work?
It’s becoming increasingly common for people to use mobile banking as well as online banking, so it’s not surprising that fraudsters have also begun to use text messages to target potential victims. When the scam message is sent by text rather than by email, it is referred to as a smishing scam. As with phishing attacks, the recommended policy is to delete anything that you consider to be suspicious and be particularly careful not to click on attached links in case they lead to a trojan being triggered.
Phishing emails and websites typically use familiar logos and graphics to deceive consumers into thinking the sender or website owner is a government agency, bank, retailer or other company they know or do business with. Sophisticated phishers may include misleading details, such as using the company CEO’s name in the email “from” field. Another common phishing tactic is to make a link in an email (and the fake website where it leads) appear legitimate by subtly misspelling URLs or changing the “.com” to “.biz” or another easily overlooked substitution.
Some phishing scams even lure victims by telling them that their information has already been jeopardized. For example, potential victims may receive an email that appears to come from a major bank warning that their account has recently been exposed to fraudulent activity. Users are asked to click a link within the message so they can “confirm” their bank account information. Instead of going to the bank’s legitimate website, however, victims are taken to a clever lookalike, where their information actually is routed to the scammer.
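The misspelled-URL and swapped-ending tricks described above can be checked mechanically before a link is trusted. The sketch below is an added example, not part of the original article; the trusted domain `examplebank.com`, the sample links and the function names are constructed for illustration, and the last-two-labels domain rule is a simplification of the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: domains the reader really banks with (constructed placeholder).
TRUSTED = {"examplebank.com"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(url):
    """Last two labels of the host; a production check would use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify_link(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike-tld', 'lookalike-misspelled' or 'untrusted'."""
    domain = registered_domain(url)
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return "lookalike-tld"          # e.g. ".com" changed to ".biz"
        if tld == good_tld and 0 < edit_distance(name, good_name) <= 2:
            return "lookalike-misspelled"   # one or two characters altered
    return "untrusted"

# Constructed sample links, as they might appear in a suspicious email.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",
    "http://examplebank.biz/confirm",
    "http://examp1ebank.com/confirm",
    "http://examplebank.com.account-check.example/confirm",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):22} {link}")
```

The last sample shows why only the end of the host name matters: the trusted name appears at the start, but the link actually belongs to a different domain and is reported as untrusted.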
Protection against phishing attacks
Banks work hard to reduce losses from fraud. In relation to online banking and mobile banking, they employ PIN and password security measures that prevent fraudsters from hacking into people’s bank accounts. However, those defenses are compromised if a fraudster is able to trick someone into giving away their confidential credentials. Banks are nearly always at pains to point out that they never include links in their emails that take users directly to online banking services, and they certainly don’t ask people to provide confidential login details over the phone or by unsecured email. If in any doubt about the authenticity of an email or text communication, then ignore it and instead contact your bank through one of its established communication channels. For example, if you are used to visiting the bank’s Web site and accessing online banking from there, then repeat that safe and trusted process rather than trying to access it via a dubious email link.