The government has released yet another ‘Cyber Security Advisory – Prevention Against Financial Scam,’ stating that there has been a significant increase in banking/financial scams using phishing, smishing, and vishing techniques.
According to the alert, a copy of which is accessible, scammers use call-cloning services to pose as government officials (FIA, SBP, and Defence Force), using phony official landline numbers and official logos as WhatsApp display pictures (DP).
Owing to a lack of cyber security awareness, combined with improved social engineering tactics used for scamming (call cloning, malicious apps, and bogus websites), online banking customers continue to fall victim, and bad actors steal money from their accounts.
Scamming Working Model
Financial scammers utilize the following attack vectors to gain access to a victim’s bank account:
- Fake Websites – Reference to the Army Poverty Alleviation Campaign. Scammers are using spoofed websites that appear to be the State Bank of Pakistan’s legitimate verification website and ask victims to upload personal financial details, citing the Pakistan Army Poverty Alleviation and Revival of Economy Campaign. The fake State Bank of Pakistan verification website is (www.statebankverificaiton.wixsite.com).
- Social Engineering. Malicious actors spoof banks’ official numbers, or call from an unknown mobile phone or a compromised WhatsApp number, posing as a bank employee/manager and asking the victim for personally identifiable information (PII) such as the internet banking username, CNIC number, debit card number and debit card PIN.
The scammer then tactfully asks whether the victim has received a One Time Password (OTP) from the bank and tells the victim to forward it, either directly to the caller or by clicking a WhatsApp link. Armed with this information, malicious actors can easily compromise the bank account and transfer money to another account or perform online shopping.
- Anonymity. The attackers use secure and anonymous cyber means to conduct the operation, which makes tracing them back a difficult task.
- Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
- Smishing is the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
- Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
Suggestions
There is no technological solution that can totally detect and eliminate social engineering; safe mobile/computer use and adherence to security rules are the only way ahead.
Moreover, many forums will host cyber awareness campaigns on financial scams. In addition, the following precautionary actions are advised:
- Blocking of the fake website posing as the State Bank verification website (www.statebankverificaiton.wixsite.com).
- Scammers are equipped with the latest technology for masking banks’ official numbers. Users are advised to remain vigilant and, on receiving any suspicious call, to immediately call the bank’s helpline themselves to verify it.
- Never provide sensitive information over the phone to anyone, especially passwords, CNIC number and Debit/Credit Card PIN, as banks do not ask for such information over the phone except when the user calls them to activate a debit card or internet banking account.
- Always pay attention to suspicious numbers that do not look like real mobile phone numbers. Scamming actors often mask their identity by using email-to-text services to avoid revealing their actual phone numbers.
- Be aware of false SMS regarding lottery schemes/Benazir Income Support Program prize offers; they are all bogus.
- Genuine SMS messages received from banks usually contain the sender ID (consisting of the bank’s short name) instead of a phone number in the sender information field.
- All clickable links/SMS offering ways to earn money are counterfeit; do not fall prey to them.
- Never trust or reply to anonymous emotional SMS; these are all traps.
- Always use multi-factor authentication (MFA) on Internet Banking Apps, WhatsApp, Social Media and Gmail accounts.
- Always keep a strong password for email or online accounts and regularly change passwords to prevent hacking.
- Always check application permissions before installing an application, and install applications only from the official Google Play Store / iPhone App Store.
- Before downloading/installing apps on Android devices, review the app details, number of downloads, user reviews, comments, and the “additional information” section.
- Install updated, reputed, and licensed antivirus, anti-malware, and anti-phishing solutions on PC and mobile devices. After installation, scan the suspected device with an antivirus solution to detect and clean infections.
- Only click on URLs that clearly indicate the website domain. In case of any doubt, users can search for the organization’s website directly using search engines such as Google, to ensure that the websites are legitimate.
- In case of banking fraud, the user should lodge a complaint with the concerned bank through its helpline.
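As an added illustration (not part of the advisory) of how the SMS red flags above can be checked mechanically: the sender field (alphanumeric bank ID versus a bare number or email-to-text address), links to untrusted or free-hosted lookalike sites such as the wixsite.com page named in the advisory, requests to share an OTP/PIN/CNIC, and lottery/BISP prize bait. The bank sender ID `EXBANK` and domain `examplebank.example` are constructed placeholders.

```python
import re
from urllib.parse import urlparse
# Constructed placeholders (not from the advisory): a bank's alphanumeric sender ID and its real domains.
TRUSTED_SENDER_IDS = {"EXBANK"}
TRUSTED_DOMAINS = {"examplebank.example"}
FREE_HOSTING = ("wixsite.com",)  # free site builder hosting the spoofed SBP page named in the advisory
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
# A verb asking the recipient for a secret, followed within the same sentence by the secret itself.
REQUEST_RE = re.compile(r"\b(share|send|forward|reply with|upload|provide|enter)\b[^.]{0,40}\b(otp|pin|cnic|password|card)\b", re.I)
PRIZE_RE = re.compile(r"\b(lottery|prize|won|benazir income support|bisp)\b", re.I)

def classify_sender(sender: str) -> str:
    """Banks send from an alphanumeric ID; a bare number or e-mail-style sender (email-to-text) is a red flag."""
    s = sender.strip()
    if "@" in s:
        return "email-gateway"
    if re.fullmatch(r"\+?\d{7,15}", s):
        return "phone-number"
    if re.fullmatch(r"[A-Za-z][A-Za-z0-9 \-]{1,10}", s):
        return "alphanumeric-id"
    return "unusual"

def url_flags(url: str) -> list:
    """Flag a link whose host is not the bank's own, looks like a bank/verification site, or sits on a free builder."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    trusted = host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)
    flags = []
    if not trusted:
        flags.append(f"link to untrusted host {host}")
        if re.search(r"bank|verif", host):
            flags.append(f"lookalike bank/verification hostname {host}")
    if any(host == h or host.endswith("." + h) for h in FREE_HOSTING):
        flags.append(f"link hosted on free site builder {host}")
    return flags

def screen_sms(sender: str, body: str) -> list:
    """Return the advisory's red flags found in one SMS; an empty list means nothing suspicious."""
    flags = []
    kind = classify_sender(sender)
    if kind != "alphanumeric-id":
        flags.append(f"sender is {kind}, not a bank sender ID")
    elif sender.strip().upper() not in TRUSTED_SENDER_IDS:
        flags.append(f"unknown sender ID {sender.strip()}")
    for url in URL_RE.findall(body):
        flags.extend(url_flags(url.rstrip(".,;)")))
    if REQUEST_RE.search(body):
        flags.append("asks you to share/forward an OTP, PIN, CNIC or card detail")
    if PRIZE_RE.search(body):
        flags.append("dangles a lottery/prize/BISP reward")
    return flags
```

A genuine OTP message from the bank's own sender ID yields no flags, while the spoofed verification-site SMS and a prize-bait message from an email-to-text gateway are each flagged on several counts.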