Cos I don’t wanna be the one
Yeah, I don’t wanna be the one
Making all the noise
Yeah, I don’t wanna be the one
From Be The One by The Ting Tings
In the last post the topic of safe web browsing was discussed as an attempt to update earlier advice from circa 2008. So that should keep you safe on the internet. Right? Sorry. Unfortunately, browsing the web is only half the story. The other, and arguably more dangerous, half is the part where you are automatically directed to web sites by emails, SMS texts, QR codes and nowadays NFC tags. Most of the time these automated links are desirable and very convenient, like when you want to find out about a new product or go directly to your bank site to check on your accounts. But what happens when the originator of these convenience links is a malicious impostor? In other words, the email, SMS, QR code or NFC tag is a phishing attack. This can be especially serious when the phisher is pretending to be your bank. Because the payoff is potentially large, these fake requests from your bank can look pretty convincing. This post from Rob Waugh at the WeLiveSecurity blog puts it this way:
Technologies change, but cybercriminals will always dream up new ways to fool you into handing over your bank details – whether via phishing emails, SMS or by phone.
These days cybercriminals will use phone calls, SMS messages, emails – and even couriers – in an effort to get your money. Many of these attacks can seem very convincing – at least at first.
To mash up P.T. Barnum, who is often credited with saying “There’s a sucker born every minute”, and The Matrix, “You are the One, Neo”, [just go with me here] how do you avoid being the One? The key is to recognize stuff your bank will never do. Again from the WeLiveSecurity post:
The key to staying safe is to recognize behavior that isn’t quite “right”. Here are ten things a bank will never do – but a fraudster, phisher, or thief will.
Text you asking for details to “confirm” it’s you
Your bank may well text you – for instance to confirm a transaction on PC – but bank texts will not, ever, ask you to confirm details, or for passwords in a text. Banks also won’t update their apps in this way. If you’re suspicious, don’t click links, don’t call any numbers in the text. Instead, call your bank on its “normal” number.
Give you a deadline of 24 hours before your bank account erases itself
Many legitimate messages from your bank will be marked “urgent” – particularly those related to suspected fraud – but any message with a deadline should be treated with extreme suspicion. Cybercriminals have to work fast – their websites may be flagged, blocked or closed down rapidly – and need you to click without thinking. Banks just want you to get in touch – they won’t usually set a deadline.
Send you a link with a “new version” of your banking app
Your bank will not distribute apps in this way – instead, download from official app stores, and ensure yours is up to date.
Use shortened URLs in an email
Cybercriminals use a variety of tricks to make a malicious web page appear more “real” in an email that’s supposedly from your bank – one of the most basic is URL-shortening services.
Send a courier to pick up your “faulty” bank card
The courier scam is a new one – your phone rings, it’s your bank, and they need to replace a faulty bank card. One of the new services they offer is courier replacement – and the bank tells you that a courier will arrive shortly to collect the faulty card. A courier turns up, asks for your PIN as “confirmation” – and your money magically vanishes.
Call your landline and “prove” it’s the bank by asking you to call back
A common new scam is a phone call from either “the police” or “your bank”, saying that fraudulent transactions have been detected on your card. The criminals will then “prove” their identity by “hanging up” and asking you to dial the real bank number – but they’ve actually just played a dial tone, and when you dial in, you’re talking to the same gang, who will then ask for credit card details and passwords.
Email you at a new address without warning
If your bank suddenly contacts you on your work address or any other address than the one they usually use, this is [not right]. Banks will not add new email addresses [for you on their own].
Use an unsecured web page
If you’re on a “real” online banking page, it should display a symbol in your browser’s address bar to show it’s secure, such as a locked padlock or unbroken key symbol. If that symbol’s missing, be very, very wary.
Address you as “Dear customer” or dear “email@example.com”
Banks will usually address you with your name and title – ie Mr Smith, and often add another layer of security such as quoting the last four digits of your account number, to reassure you it’s a real email, and not phish. Any emails addressed to “Dear customer” or “Dear [email address]” are instantly suspicious – often automated spam sent out in vast quantities to snare the unwary.
Send a personal message with a blank address field
If you receive a personal message from your bank, it should be addressed to you – not just in the message, but in the email header. Check that it’s addressed to your email address – if it’s blank, or addressed to “Customer List” or similar, be suspicious.
Email you asking for your mother’s maiden name
When banks get in touch – for instance in a case of suspected fraud – they may ask for a password, or a secret number. What they won’t do is ask for a whole lot more information “to be on the safe side”. If you see a form asking for a large amount of information, close the link and phone your bank.
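Several items in the list above concern the message itself (a blank or generic address field, a “Dear customer” greeting, a deadline, shortened or plain-http links) and can be screened mechanically. The Python below is an added example, not code from the WeLiveSecurity post; the shortener list, the flag names, the sample message and all addresses are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Illustrative shortener list (an assumption); extend it for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

def red_flags(raw_message, my_address):
    """Return the warning signs found in one plain-text email."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    flags = []

    # Blank address field, or addressed to something other than you.
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    if my_address.lower() not in recipients:
        flags.append("not-addressed-to-you")

    # "Dear customer" or "Dear <email address>" instead of name and title.
    if re.search(r"(?im)^\s*dear\s+(customer|\S+@\S+)", body):
        flags.append("generic-greeting")

    # A deadline that pushes you to click without thinking.
    if re.search(r"(?i)\bwithin\s+\d+\s+(hours?|days?)\b", body):
        flags.append("deadline")

    for url in re.findall(r"https?://[^\s<>\"']+", body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        # Shortened link: the real destination is hidden from the reader.
        if host in SHORTENERS and "shortened-url" not in flags:
            flags.append("shortened-url")
        # Plain http: the landing page cannot show the padlock.
        if parts.scheme == "http" and "unsecured-link" not in flags:
            flags.append("unsecured-link")
    return flags

# Constructed sample message (not a real email).
SAMPLE = """From: Example Bank <alerts@bank.example>
To: Customer List
Subject: Urgent: account verification

Dear customer,
Your account will be closed within 24 hours unless you confirm
your details at http://bit.ly/xxxx
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE, "mr.smith@mail.example"))
```

A message that trips none of these checks is not thereby genuine; the phone, courier and call-back scams in the list leave nothing in an email to inspect.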
Remember this, grasshopper: your bank already has your money so they aren’t that interested in spending any of theirs on unexpected communication with you – particularly something like courier services. The bad guys, on the other hand, want your money and are willing to invest a little and try phishing thousands or millions of potential suckers hoping to find the One big payday. Your mission, should you decide to accept it, is to not be the One.
Note to self: Ease up on old TV and get out more.