What You Should Know About Online Banking Scams
by Reese Kimmons, MS ISA
Banking online has become the norm for many of us, and cybercriminals see this as an opportunity.
There are eight attack vectors commonly used by threat actors to steal banking credentials from their targets and gain access to their accounts. Knowing how to recognize the attacks, taking advantage of available security tools, and avoiding mistakes that make it easier for the criminals to succeed will help you protect yourself and your financial resources.
Malicious emails (Phishing)
Cybercriminals send phishing emails to their potential victims attempting to trick them into visiting credential harvesting websites. Attackers often put a great deal of effort into making these emails look authentic.
They appear to come from the target’s bank and, like other social engineering attacks, they often convey a sense of urgency. They frequently indicate that the recipient’s account needs immediate attention.
When email recipients click the link in the message that they believe will take them to their online banking sites, they are taken instead to malicious sites that also appear to be legitimate. There they are prompted to enter data such as their online banking login credentials, debit card information, and PIN numbers. The information then becomes available to the scammers, giving them access to their victims’ accounts.
Spoofed text messages
When you receive multiple text messages from the same sender, your messaging app likely groups them together. This makes it easier for you to find all communications that come from the same source.
Unfortunately, criminals have found a way to take advantage of this. If they can make it appear that their text messages came from your bank’s texting ID number or phone number, known as spoofing, their malicious texts will be grouped by your messaging app with legitimate texts that actually did come from your bank. This adds credibility, making it more likely that you’ll be fooled.
Like phishing emails, these spoofed text messages usually indicate that there is something account-related that requires your immediate attention. They, too, include links to credential harvesting websites.
Threat actors may contact their targets by phone, claiming to be bank representatives and concocting some story to convince them to provide sensitive information. Attackers may also engage in advance fee scams, asking their potential victims to pay a fee in order to receive a much larger amount of money.
Recently, a new scam leveraging instant payment apps has emerged wherein the criminal sends a bogus fraud alert text message to a targeted individual indicating that funds may have been fraudulently transferred out of his or her account.
The message asks the recipient to verify that the transaction was authorized by replying YES or NO. If the target replies, he or she is then contacted by the attacker via phone.
The criminal poses as a bank security official and attempts to trick the potential victim into providing additional information and performing another funds transfer to negate the previous transaction. In fact, the funds are sent to an account controlled by the attacker.
There are many variants of social engineering scams. Most convey a sense of urgency to try to convince victims to act immediately without verifying the information provided by the scammers.
Malware attacks generating fake banking websites
Cybercriminals are using malware to infect their victims’ devices and generate authentic looking banking sites. When the victim attempts to access his or her bank’s website, the malware is triggered and creates its own popup browser window which displays a fake banking login page. If the victim enters credentials, they are transmitted to the attacker.
A keylogger is a piece of malware that collects and transmits to the criminal every keystroke entered on an infected device. In other words, everything you type is sent to the threat actor. This could include your online banking login credentials along with any other sensitive personal data you might enter.
Consider the possible ramifications of a criminal having access to all of that information. Not only could your bank account be compromised, but you could also fall victim to identity theft or perhaps even extortion depending on the type of information obtained.
Using unsecured Wi-Fi
Hackers love to camp out on public, unsecured Wi-Fi networks, monitoring the traffic thereon and stealing what they want. This could include online banking credentials.
They also use these unsecured networks to deliver malware to the connected devices. This malware might include a keylogger. If you connect to unsecured public Wi-Fi networks without using a virtual private network (VPN) app to encrypt all the traffic to and from your device and if you’re not running effective malware protection, you and your data are at high risk.
Attackers will also create their own public Wi-Fi sites that are designed to appear to be the legitimate sites of places you visit. They could be disguised to look like the site offered by your favorite coffee shop or a hotel where you’re staying. These sites are created for nefarious purposes like delivering malware or stealing sensitive information.
The Domain Name System (DNS) is the service that matches website names with their IP addresses. This allows you to visit sites by entering the site name rather than having to remember and type in a series of numbers.
When you visit a website, the DNS information is temporarily stored in your device’s cache. If you type in that same website’s URL to visit again, your browser will first check the cached DNS information to see if the site’s IP address is stored there. If it is, the browser will use the cached IP address to take you back to the site.
DNS poisoning attacks usually happen as a result of a visit to a malicious website. Malware hiding there will replace a valid IP address stored in your cache with the IP address of a site controlled by a cybercriminal. DNS cache poisoning can be used to divert victims to fake banking websites designed to steal their information.
Prior data breaches
Unfortunately, you have no control over how your bank or other sites store and secure your sensitive information and it seems that the news reports a new, major data breach almost every day.
If your sensitive personal data is exposed in a breach, it could end up being used to facilitate the commission of a number of cyber crimes. These could include gaining access to your bank account or possibly even full-blown identity theft.
If you use the same password for multiple online accounts including your bank, the exposure of that password in a data breach could provide access to your financial accounts even if your bank wasn’t the target of the breach.
Recognizing the signs of an attack
If you receive a text message or email supposedly from your bank that does not include your name, possibly addressing you as “dear customer,” be suspicious. Banks tend to purposely include some of your personal information in written communications with you as a security measure to let you know that they know who you are.
Your bank is not going to ask you to provide things like your account login credentials or PIN number in a text or email. Scammers will, however, ask you for whatever they hope they can get, including your username, password, answers to security questions, and more. They may claim they need this to verify your identity when, in fact, they intend to use it to access your funds.
When cybercriminals use social engineering tactics to try to convince you to provide information, they often attempt to create a sense of urgency. They may, for example, insist that you immediately provide the sensitive information they’re requesting or they will be unable to stop an unauthorized transfer of funds from your account.
Beware of email attachments and instructions directing you to download files. The attachments and files may actually be malware. In some attacks, bad actors attempt to convince email recipients to open malicious attachments by claiming they are statements or invoices.
Your bank likely would never do this. Instead, you may receive a message recommending that you log into your account as you normally would to view such documents.
If you receive a text or email purportedly from your bank that includes a link with instructions to click it and take some sort of action, be careful. It’s usually a bad idea to click a link in an unsolicited, unexpected email or text. You may want to hover over the link to display the underlying URL. Doing so could reveal that the link will take you somewhere other than your bank’s website.
Even if the link looks legitimate, it would be a better idea to call your bank at a number you know to be valid and discuss the message with them to find out whether or not it’s authentic.
Check the From address in emails you receive that appear to be from your bank. Expand the header in the message to view the sender’s actual address. If you don’t know how to do this, simply search online for instructions for your particular email app.
The email address in the expanded header may not match the one that appears in the From field. If it looks as though it could be an address belonging to your bank, examine it more closely and check for subtle differences like a hyphen or period that shouldn’t be there or a slight difference in spelling.
Again, if you’re at all unsure about the authenticity of a message, call your bank for verification using a number you know to be correct, not one included in the suspicious message.
If you do find yourself on a suspicious website, you can check for security certificate information. A locked padlock icon in the upper left corner of the browser window next to the site URL indicates that the site is most likely secure. Click on the padlock to display the site owner’s identity and security information.
The vast majority of malicious sites will not have valid security certificates.
Ways you can avoid becoming a victim of online banking theft
First, whenever you’re using an unsecured Wi-Fi network or you’re entering sensitive information like banking credentials even when you’re on a secure network, you should also be using a virtual private network (VPN) application to encrypt and protect your data.
VPNs are very affordable and the security they provide is well worth the small price. For more information and our recommendations regarding VPNs, see our VPN reviews.
Take advantage of two-factor authentication (2FA) wherever it is available. Your bank should be offering this security tool to its online customers. Using 2FA adds an extra login step, typically in the form of a one-time PIN sent to your phone. Even if a criminal manages to steal your username and password, he will be unable to log into your account without that extra authentication factor.
Use different passwords for every one of your accounts, whether they’re banking accounts or not. If you believe you have too many accounts for this to be a practical option, consider using a password manager. These apps create and securely store unique, complex passwords for each of your accounts. Quality password managers will verify the authenticity of the sites you visit before your credentials are entered and, if a site is legitimate, will enter your password for you.
Consider using a secure browser like Brave. Brave is a free, privacy-based browser that blocks tracking cookies and will warn you if you attempt to visit an unsafe site. Brave includes the privacy-based DuckDuckGo search engine that also comes with built-in security safeguards and does not track your online activities.
Make sure you are running antivirus/anti-malware protection on all of your devices that you use online. These applications should be set to update and to scan for and mitigate threats automatically so that you don’t have to remember to do those things. Since attackers often use malware to steal credentials, an effective antivirus application is an essential tool.
And finally, remember that, if you encounter anything suspicious relating to your bank account, contact your bank’s security personnel using a phone number you know to be authentic, not one provided in a questionable text or email message. If it turns out to be a scam, your bank will appreciate being made aware of it and your account will remain secure.
About the Author:
Reese Kimmons is an experienced IT executive with an AAS in Applications Programming, a BS in IT Management and an MS in Information Security and Assurance. During his time in the IT industry, Reese has earned certifications in ethical hacking, forensics investigations, ISO/GIAC, and Cisco networking.