No Technical Solution For Rising Banking/Financial Fraud
The National Telecommunications and Information Technology Security Board (NTISB) has warned that no technical solution can detect or eliminate social engineering, even as banking and financial fraud continues to rise.
The Board has published an advisory titled 'Surge in Financial/Banking Scams & Prevention', stating that there has recently been a sharp spike in banking/financial fraud carried out through phishing and vishing, mostly because customers lack basic cybersecurity awareness.
Bank customers keep falling victim to social engineering and to malware that looks legitimate, and attackers use that foothold to drain money from their accounts.
The Board warns that financial scammers use a variety of attack vectors to gain access to victims' bank accounts. Some examples:
Anonymity – Attackers run the operation over secure, anonymous channels, so tracing them back is difficult.
Vishing – Attackers use spoofed caller IDs, or call from an unknown mobile number or a compromised WhatsApp account, posing as a bank employee or manager and asking for personally identifiable information (PII) such as the internet banking username, CNIC number, debit card number and debit card PIN. The caller then politely asks whether the user has received a One-Time Password (OTP) from the bank and requests that it be read out directly or submitted through a WhatsApp link. With this information the attacker can take over the account and move money to another account or spend it online.
Malicious applications – The victim receives an SMS with a link to a phishing site (imitating a banking site or the Income Tax Department) that asks for personal details and then has the user download and install a malicious APK file to "complete verification". The rogue app poses as an Income Tax Department or internet banking application. Once installed, it asks the user to grant permissions such as SMS, call logs and contacts, and most such apps also install keylogger malware on the device. Data harvested this way includes full name, username, address, date of birth, mobile number, email address, and financial details such as account number, debit card number and PIN.
To counter such attacks, the NTISB has recommended a number of measures. Since no technical solution can detect or eliminate social engineering, careful mobile/computer use and adherence to security rules are the only real defence, and cyber-awareness programmes on financial scams should be organised in various forums.
Furthermore, the following precautions are advised:
- Scammers use caller-ID spoofing to display genuine bank phone numbers, so customers should treat any unusual call with suspicion and call the bank's helpline directly to verify it.
- Never give sensitive information such as passwords, CNIC numbers or debit/credit card PINs to anyone over the phone; banks never ask for such details on a call, except when the user themselves calls in to activate a debit card or internet banking account.
- Be wary of sender numbers that do not look like genuine mobile phone numbers. Scammers often use email-to-SMS gateways to hide their identity and avoid revealing their real number.
- Be wary of fake SMS messages promoting lottery programs or Benazir Income Support Program reward offers.
- Genuine SMS messages from banks usually show a sender ID (the bank's short name) rather than a phone number in the sender field. This is a useful signal but not proof on its own, since alphanumeric sender IDs can also be spoofed; the message content and any link still need to be checked.
- Any SMS or clickable link promising money is bogus; do not fall for it.
- Never trust or respond to anonymous, emotionally manipulative SMS messages; they are traps.
- On Internet Banking Apps, WhatsApp, Social Media, and Gmail accounts, always utilize multi-factor authentication (MFA).
- Use a strong, unique password for every email and online account and change passwords regularly.
- Always check the permissions an app requests before installing it, and only install apps from the official stores (Google Play Store or Apple App Store).
- On Android, review the app details, number of downloads, user reviews, comments and the "additional information" section before downloading or installing an app.
- Install up-to-date, reputable, licensed antivirus, anti-malware and anti-phishing software on PCs and mobile devices. If a device is suspected of being infected, run a full antivirus scan to detect and remove the infection.
- Only click links that clearly show the website's domain. If in doubt, look up the organisation's website through a search engine such as Google to confirm that the site is genuine.
- In the event of banking fraud, the user should first file a complaint with the bank concerned through its helpline.
- If the bank fails to act on the complaint within 45 days, the user may file a written complaint (duly attested by an oath commissioner) with the Banking Muhtasib of Pakistan.
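The "only click links that clearly show the website's domain" advice above is easy to state but hard to apply by eye, because phishing links are built to look right at a glance. The following script is an added example, not part of the NTISB advisory or of this article; it shows how to extract the real host from a link and compare it against a known-good bank domain, and it flags the tricks described in the advisory: a bank name buried in someone else's domain, a `user@host` prefix that hides the real host, digit-for-letter lookalikes, raw IP addresses and plain-HTTP links. The bank domain `examplebank.com.pk`, the sample links and the small homoglyph table are constructed placeholders for the demo.

```python
"""Check whether a link really points at a bank's own domain.

Added illustration for the NTISB advice on checking link domains.
The bank domain, sample links and homoglyph table below are
constructed for the demo; substitute the real bank domain in use.
"""
from ipaddress import ip_address
from typing import Tuple
from urllib.parse import urlsplit

# Hypothetical bank domain used for the demo; not a real bank's domain.
BANK_DOMAIN = "examplebank.com.pk"

# Small, illustrative subset of character substitutions seen in lookalike domains.
_HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_host(host: str) -> str:
    """Fold common substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in _HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def is_ip_literal(host: str) -> bool:
    """True if the host is an IPv4/IPv6 address rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url: str, bank_domain: str = BANK_DOMAIN) -> Tuple[str, str]:
    """Classify a link as ('ok', reason) or ('suspicious', reason).

    Uses urlsplit().hostname so that ports, userinfo and case are handled
    by the URL parser rather than by hand-rolled string slicing.
    """
    if "://" not in url:
        url = "https://" + url  # links pasted from SMS often lack a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    bank_domain = bank_domain.lower()

    if not host:
        return ("suspicious", "no host in URL")
    if "@" in parts.netloc:
        # 'https://examplebank.com.pk@evil.example' really goes to evil.example
        return ("suspicious", "user@ prefix hides the real host " + host)
    if is_ip_literal(host):
        return ("suspicious", "raw IP address instead of a domain")
    if host == bank_domain or host.endswith("." + bank_domain):
        if parts.scheme != "https":
            return ("suspicious", "bank domain but not https")
        return ("ok", "host is " + host)
    if normalize_host(host) == normalize_host(bank_domain):
        return ("suspicious", "lookalike of bank domain: " + host)
    bank_name = bank_domain.split(".")[0]
    if bank_name in host:
        # e.g. examplebank.com.pk.verify-login.xyz: the registrable domain is
        # verify-login.xyz; the bank name is only a subdomain label.
        return ("suspicious", "bank name embedded in another domain: " + host)
    return ("suspicious", "unrelated domain: " + host)


if __name__ == "__main__":
    # Constructed sample links covering the patterns the advisory describes.
    samples = [
        "https://online.examplebank.com.pk/login",
        "examplebank.com.pk/verify",
        "http://examplebank.com.pk/verify",
        "https://examplebank.com.pk@203.0.113.7/verify",
        "https://examplebank.com.pk.verify-login.xyz/otp",
        "https://examp1ebank.com.pk/",
        "https://203.0.113.7/secure",
        "https://taxrefund-portal.example/claim",
    ]
    for link in samples:
        verdict, reason = check_link(link)
        print(f"{verdict:10s} {link}  ({reason})")
```

The core of the check is the suffix comparison against a known-good domain: a host is the bank's only if it *is* that domain or ends with `.` plus that domain. Everything else, including hosts that merely start with the bank's name, is treated as hostile. The script does not validate TLS certificates or query WHOIS, so it is a triage aid for a support desk or an SMS-filtering pipeline, not a substitute for calling the bank's helpline.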