ISLAMABAD: Admitting massive increase in banking/ financial frauds, the National Telecommunication and Information Security Board (NTISB) has warned that there is no technical solution that can eradicate and detect social engineering.
The Board has issued an advisory ‘surge in financial/ banking scams & prevention’ while saying that recently, a massive increase in banking/ financial frauds has been witnessed using phishing and vishing techniques, mainly due to lack of Cyber Security awareness at users’ end.
Clients of banking sector are continuously falling prey to social engineering tactics and malicious applications looking as legitimate. Accordingly, malicious actors deceitfully withdraw money from users’ accounts.
HIAs stepping up hacking attempts by using spoofed messages: NTISB
Regarding the modus operandi, the Board has warned that financial scammers make use of several attack vectors to exploit victim’s bank account. These include; anonymity - the attacker’s use secure and anonymous cyber means to conduct the operation.
Due to which, backtracking is a difficult task, (b) social engineering- malicious actors masquerade phone numbers or call from unknown mobile phone/ compromised WhatsApp number and masked banking official number to the victim acting as a bank employee/ manager and ask for personally identifiable information (Pll) like internet banking username, CNIC number, Debit Card Number and Debit Card PIN.
After that the malicious actor tactfully enquires the user whether he/ she has received One Time Password (OTP) from bank and asks the user to forward it to the caller directly or by clicking on a WhatsApp link.
With this information, malicious actor can easily compromise any bank account and transfer money to potential account/ shop online, (c) malicious applications -the victim receives an SMS containing a link to a phishing website (similar to the banking website or Income Tax Department) where the user is asked to enter personal information, download and install malicious APK file in order to complete verification process.
This malicious App masquerades as the Income Tax Department or Internet Banking app. After installation, the app requires user to grant necessary permissions like SMS, call logs, contacts, etc. Also, majority of Apps drops key logger malware on victim’s device.
The acquired data include full name, username, address, date of birth, mobile number, email address and financial details like account number, debit card number and PIN.
NTISB has recommended several measures to avoid such attacks. There is no technical solution that can eradicate and detect social engineering; however, safe usage of mobile/ computer and compliance with security guidelines is the only way forward. Cyber awareness campaigns regarding financial scams be arranged at different forums.
In addition to it, following protective measures are recommended, (a) scammers are equipped with latest technology for masking official numbers of banks; users are advised to remain vigilant and call banking helpline themselves, immediately to verify any suspicious call; (b) never provide sensitive information over phone to anyone, especially passwords, CNIC number and Debit/ Credit Card PIN as banks do not ask for such information over phone except when user calls them for activation of debit card or internet banking account; (c). Always pay attention to suspicious numbers that do not look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number; (d) beware of false SMS regarding lottery schemes/ Benazir Income Support Program prize offers, they are all bogus; (e) genuine SMS messages received from banks usually contain sender ID (consisting of bank’s short name) instead of a phone number in sender information field; (f) all clickable links/ SMS to earn money offers are counterfeit; do not fall prey to them; (g) never trust and reply anonymous emotional SMS as these are all traps; (h) always use multi-factor authentication (MFA) on Internet Banking Apps, WhatsApp, Social Media and Gmail accounts; (i) always keep a strong password for email or online account and regularly change passwords to prevent hacking; (j) always check application permissions before installation of application and install applications from Google/iPhone Play Store only; (k) before downloading/ installing apps on Android devices, review app details, number of downloads, user reviews, comments and “additional information” section; (l) install updated, reputed and licensed antivirus, anti-malware and anti-phishing solutions on PC and mobile devices. After installation, scan the suspected device with antivirus solution to detect and clean infections; (m) only click on URLs that clearly indicate the website domain. In case of any doubt, users can search for the organization’s website directly using search engines such as Google to ensure that the websites are legitimate; (n) in case of banking fraud, a user should launch complaint to the concerned bank through its Helpline; (o) in case the concerned bank does not take action against the launched complaint within 45x days, a user may launch a written complaint (dully attested by oath commissioner) to Banking Muhtasib of Pakistan.
Copyright Business Recorder, 2023
Comments
Comments are closed.