They call you, send you a text message or an email
Phishing (i.e. via email), smishing (i.e. via SMS) and vishing (i.e. via voice call) are the most common social engineering attacks targeting bank customers.
Beware of calls from ‘Microsoft’
This is a new type of phishing scam: scammers call and pretend to be employees of Microsoft. They claim that your computer is infected with viruses or that an update is needed. They ask you to download remote maintenance software and allow remote access to your PC.
What do you risk?
Data theft, identity theft, blackmail, commercial fraud… Scammers will go so far as to ask you to pay for the service performed, with an invoice issued by the company WebTec LLC.
Bank phishing emails
Phishing refers to fraudulent emails that trick the receivers into sharing their personal, financial or security information.
How does it work?
Phishing emails:
- May look identical to the types of correspondence that real banks send, replicating the logos, layout and tone of real emails;
- Use language that transmits a sense of urgency, for instance implying a penalty if you don’t respond;
- Can ask you to download an attachment or click on a link.
Cybercriminals rely on the fact that people are busy; at a glance, these spoof emails appear to be legitimate. As a result, recipients are more likely to take what is written in them seriously and act upon it.
What can you do?
- Keep your software updated, including your browser, antivirus and operating system.
- Be especially vigilant if the ‘bank’ email requests sensitive information from you (e.g. your online bank account password). A legitimate bank will only communicate with you securely through your online bank account.
- Look at the email closely: check for inconsistencies and anything that doesn’t make sense:
  - Look for slight differences in the sender’s address: a zero could look like an “o”.
  - “Mouse over” the sender’s address and look carefully at the actual sender: if possible, compare the sender’s email address with previous real messages from your bank.
  - Check for bad spelling and grammar mistakes.
- Don’t reply to a suspicious email; instead, forward it to your bank by typing in the address yourself.
- Don’t click on the link or download the attachment; instead, type in the address in your browser.
- Watch out when using a mobile device. It might be harder to spot a phishing attempt from your phone or tablet. You can’t “mouse over” a questionable link, while the smaller screen makes you less likely to spot obvious mistakes.
- If it’s a bogus email, report it to your bank – all companies are eager to know about these scams.
- When in doubt, give your bank a call.
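The sender-address checks in the list above (digit-for-letter swaps, comparing the actual address with the one your bank really uses) can also be run automatically, for example on messages forwarded to a reporting mailbox. This is an added example, not part of the original guidance; `examplebank.com`, the substitution table and the verdict names are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Assumption: your bank's real sending domain, e.g. copied from earlier genuine
# messages. "examplebank.com" is a placeholder, not a real bank.
TRUSTED_DOMAINS = {"examplebank.com"}

# Substitutions used to imitate a name: digits for letters, "rn" for "m", etc.
CONFUSABLES = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]


def skeleton(text):
    """Map look-alike characters to the letters they imitate."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def classify_sender(from_header):
    """Return 'trusted', 'lookalike', 'display-name-mismatch', 'unknown' or 'invalid'."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid"
    domain = address.rpartition("@")[2].lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Same name once substitutions are undone, or the real name embedded in
        # a longer domain (examplebank.com.login.example).
        if skeleton(trusted) in skeleton(domain):
            return "lookalike"
        # The visible name claims the bank but the actual address does not.
        brand = skeleton(trusted.split(".")[0])
        if brand in skeleton(display).replace(" ", ""):
            return "display-name-mismatch"
    return "unknown"


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "Example Bank <alerts@examplebank.com>",
    "Example Bank <alerts@examp1ebank.com>",
    "Example Bank <support@secure-mail.example>",
    "Shop News <newsletter@shop.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):22} {header}")
```

A From header can also be forged outright, so a `trusted` verdict only means the address is not a lookalike; it does not prove the message came from the bank.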
Bank vishing calls
Vishing (a combination of the words voice and phishing) is a phone scam in which fraudsters try to trick the victim into divulging personal, financial or security information or into transferring money to them.
What can you do?
- Beware of unsolicited telephone calls.
- Take the caller’s number and advise them that you will call them back.
- In order to validate their identity, look up the organisation’s phone number (on their website or by running an online search) and contact them directly.
- Don’t validate the caller using the phone number they have given you (this could be a fake or spoofed number).
- Fraudsters can find basic information about you or your business online (e.g. on social media profiles). Don’t assume a caller is genuine just because they have such details.
- Don’t share your credit or debit card PIN number or your online banking password. Your bank will never ask for such details.
- Don’t transfer money to another account on their request. Your bank will never ask you to do so.
- If you think it’s a bogus call, report it to your bank.
Bank smishing SMSs
Smishing (a combination of the words SMS and phishing) is the attempt by fraudsters to acquire personal, financial or security information by text message. They act as a trustworthy source, impersonating a bank, card issuer or utility/service provider.
How does it work?
The message will typically ask you (usually with a sense of urgency) to click on a link to a website or call a phone number in order to verify, update or reactivate your account. The website link will lead to a bogus website and the phone number to a fraudster pretending to be from the legitimate company. The goal is to get you to disclose any information that can then help the fraudsters steal your money.
What can you do?
- Don’t click on links, attachments or images that you receive in unsolicited text messages without first verifying the sender. You can do so by searching the number online (if it is a scam, you might not be the first) or comparing it to the official number of the sender it claims to come from.
- Don’t be rushed. Take your time and make the appropriate checks.
- Never respond to a text message that requests your PIN, online banking password or any other security credentials.
- If you think you might have responded to a smishing text and provided your bank details, contact your bank immediately.