The government has issued yet another ‘Cyber Security Advisory – Prevention Against Financial Scam’, stating that a substantial rise in banking/financial scams has been observed using phishing, smishing, and vishing techniques.
According to the advisory, a copy of which is available, the scammers introduce themselves as government officials (FIA, SBP, and Defence Force), using fake official landline numbers and logos on their WhatsApp display pictures, through call-cloning services.
As a result, online banking users continue to fall prey, primarily due to a lack of cyber security awareness as well as the advanced social engineering tactics used by scammers (call cloning, malicious apps, and fake websites). Malicious actors then deceitfully withdraw money from users’ accounts.
Scammers’ Working Model
Financial scammers make use of the following attack vectors to exploit victims’ bank accounts:
- Fake Websites – Reference to the Army Poverty Alleviation Campaign. Scammers are using spoofed websites that appear to be the State Bank of Pakistan’s legitimate verification website and ask victims to upload personal financial details, citing the Pakistan Army Poverty Alleviation and Revival of Economy Campaign. The fake State Bank of Pakistan verification website is (www.statebankverificaiton.wixsite.com).
- Social Engineering. Malicious actors spoof phone numbers, or call from an unknown mobile phone or a compromised WhatsApp number masked to look like an official bank number, and pose as a bank employee/manager to ask the victim for personally identifiable information (PII) such as the internet banking username, CNIC number, debit card number, and debit card PIN.
After that, the malicious actor tactfully asks the victim whether he/she has received a One Time Password (OTP) from the bank and asks the user to forward it to the caller directly or by clicking on a WhatsApp link. Armed with this information, malicious actors can easily compromise the bank account and transfer money to another account or perform online shopping.
- Anonymity. The attackers use secure and anonymous cyber means to conduct the operation, which makes tracing them back a difficult task.
- Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
- Smishing is the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
- Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
There is no technical solution that can completely detect and eradicate social engineering; safe use of mobile devices/computers and compliance with security guidelines are the only way forward.
In view of the above, cyber awareness campaigns regarding financial scams should be arranged at different forums. In addition, the following protective measures are recommended:
- Block the fake website posing as the State Bank verification website (www.statebankverificaiton.wixsite.com).
- Scammers are equipped with the latest technology for masking the official numbers of banks. Users are advised to remain vigilant and, to verify any suspicious call, immediately call the banking helpline themselves.
- Never provide sensitive information over the phone to anyone, especially passwords, CNIC number, and Debit/Credit Card PIN, as banks do not ask for such information over the phone except when the user calls them for activation of a debit card or internet banking account.
- Always pay attention to suspicious numbers that do not look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone numbers.
- Be aware of false SMS regarding lottery schemes/Benazir Income Support Program prize offers; they are all bogus.
- Genuine SMS messages received from banks usually contain the sender ID (consisting of the bank’s short name) instead of a phone number in the sender information field.
- All clickable links/SMS with earn-money offers are counterfeit; do not fall prey to them.
- Never trust and reply to anonymous emotional SMS as these are all traps.
- Always use multi-factor authentication (MFA) on Internet Banking Apps, WhatsApp, Social Media and Gmail accounts.
- Always keep a strong password for email or online accounts and regularly change passwords to prevent hacking.
- Always check application permissions before installing an application, and install applications from the official Google Play Store or Apple App Store only.
- Before downloading/installing apps on Android devices, review app details, number of downloads, user reviews, comments, and “additional information” section.
- Install updated, reputed, and licensed antivirus, anti-malware, and anti-phishing solutions on PC and mobile devices. After installation, scan the suspected device with an antivirus solution to detect and clean infections.
- Only click on URLs that clearly indicate the website domain. In case of any doubt, users can search for the organization’s website directly using search engines such as Google, to ensure that the websites are legitimate.
- In case of banking fraud, the user should lodge a complaint with the concerned bank through its helpline.
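As an added example (not part of the advisory), a small Python check that applies the "look at the website domain" advice to a link received by SMS or WhatsApp: it reduces the host to its registrable domain, compares it with the bank's own domain, flags pages hosted on free site builders such as wixsite.com, and flags bank/verification keywords or misspellings in the host name. Only sbp.org.pk (the State Bank of Pakistan's real domain) is taken as given; the other trusted domains, the hosting-provider list, and the keyword list are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: sbp.org.pk is the State Bank of Pakistan's real domain.
TRUSTED_BANK_DOMAINS = {"sbp.org.pk"}
# Assumed list of free site builders where anyone can register a subdomain.
FREE_HOSTING_DOMAINS = {"wixsite.com", "weebly.com", "blogspot.com", "github.io"}
# Words scammers borrow to make a page look like an official verification portal.
LURE_KEYWORDS = ("verification", "verify", "statebank", "sbp", "bank")
# Small set of multi-label public suffixes so sbp.org.pk is not reduced to org.pk.
MULTI_LABEL_SUFFIXES = {"org.pk", "com.pk", "gov.pk", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a host name."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_url(url: str) -> dict:
    """Classify a URL as trusted, suspicious or unknown, with the reasons found."""
    if "://" not in url:            # bare host names as they appear in SMS
        url = "http://" + url
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    reasons = []
    if domain in TRUSTED_BANK_DOMAINS:
        if parsed.scheme != "https":
            reasons.append("bank domain reached over plain http")
        verdict = "suspicious" if reasons else "trusted"
        return {"verdict": verdict, "domain": domain, "reasons": reasons}
    if domain in FREE_HOSTING_DOMAINS:
        reasons.append(f"hosted on free site builder {domain}")
    if any(word in host for word in LURE_KEYWORDS):
        reasons.append("bank/verification keyword outside the bank's own domain")
    # Typo-style lookalike, e.g. 'verificaiton' instead of 'verification'.
    if re.search(r"verif[a-z]*", host) and "verification" not in host:
        reasons.append("misspelled 'verification' in host name")
    verdict = "suspicious" if reasons else "unknown"
    return {"verdict": verdict, "domain": domain, "reasons": reasons}
```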