There is No Solution for Banking/Finance Frauds in Pakistan: NTISB

Admitting a massive increase in banking/financial frauds, the National Telecommunication and Information Security Board (NTISB) has warned that there is no technical solution that can eradicate and detect social engineering.

The Board has issued an advisory ‘surge in financial/banking scams & prevention’ while saying that recently, a massive increase in banking/financial frauds has been witnessed using phishing and vishing techniques, mainly due to a lack of cybersecurity awareness at users’ end.

Clients of the banking sector are continuously falling prey to social engineering tactics and malicious applications that look legitimate. Accordingly, malicious actors deceitfully withdraw money from users’ accounts.

Regarding the modus operandi, the Board has warned that financial scammers make use of several attack vectors to exploit victim’s bank accounts. These include;

1. Anonymity –the attackers use secure and anonymous cyber means to conduct the operation. Due to this, backtracking is a difficult task
2. Social engineering–malicious actors masquerade phone numbers or call from an unknown mobile phone/compromised WhatsApp number and mask banking official number to the victim acting as a bank employee/manager and ask for personally identifiable information (Pll) like internet banking username, CNIC number, Debit Card Number and Debit Card PIN. After that, the malicious actor tactfully enquires the user whether he/she has received a One-Time Password (OTP) from the bank and asks the user to forward it to the caller directly or by clicking on a WhatsApp link. With this information, malicious actors can easily compromise any bank account and transfer money to a potential account/shop online
3. Malicious applications –the victim receives an SMS containing a link to a phishing website (similar to the banking website or Income Tax Department) where the user is asked to enter personal information and download and install a malicious APK file in order to complete the verification process. This malicious App masquerades as the Income Tax Department or Internet Banking app. After installation, the app requires a user to grant necessary permissions like SMS, call logs, contacts, etc. Also, the majority of Apps drop critical logger malware on the victim’s device. The acquired data include full name, username, address, date of birth, mobile number, email address, and financial details like account number, debit card number, and PIN

NTISB has recommended several measures to avoid such attacks. There is no technical solution that can eradicate and detect social engineering; however, safe usage of mobile/computers and compliance with security guidelines is the only way forward. Cyber awareness campaigns regarding financial scams should be arranged at different forums.

In addition, the following protective measures are recommended:

1. Scammers are equipped with the latest technology for masking the official numbers of banks, users are advised to remain vigilant and call the banking helpline themselves, immediately to verify any suspicious call
2. Never provide sensitive information over the phone to anyone, especially passwords, CNIC numbers, and Debit/Credit Card PINs as banks do not ask for such information over the phone except when the user calls them for activation of a debit card or Internet banking account
3. Always pay attention to suspicious numbers that do not look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number
4. Beware of false SMS regarding lottery schemes/Benazir Income Support Program prize offers; they are all bogus
5. Genuine SMS messages received from banks usually contain the sender ID (consisting of the bank’s short name) instead of a phone number in the sender information field
6. All clickable links/ SMS to earn money offers are counterfeit; do not fall prey to them
7. Never trust and reply to anonymous emotional SMS as these are all traps
8. Always use multi-factor authentication (MFA) on Internet Banking Apps, WhatsApp, Social Media, and Gmail accounts,
9. Always keep a strong password for email or online accounts and regularly change passwords to prevent hacking
10. Always check application permissions before installation of application and install applications from Google/iPhone Play Store only
11. Before downloading/ installing apps on Android devices, review app details, number of downloads, user reviews, comments, and the “additional information” section
12. Install updated, reputed, and licensed antivirus, anti-malware, and anti-phishing solutions on PC and mobile devices. After installation, scan the suspected device with an antivirus solution to detect and clean infections
13. Only click on URLs that clearly indicate the website domain. In case of any doubt, users can search for the organization’s website directly using search engines such as Google to ensure that the websites are legitimate
14. In case of banking fraud, a user should launch a complaint to the concerned bank through its Helpline
15. In case the concerned bank does not take action against the launched complaint within 45 days, a user may launch a written complaint (dully attested by the oath commissioner) to Banking Muhtasib of Pakistan.