Banks are a comfortable, relatively secure way to save money. In fact, they seem so reliable that some people trust them with their entire fortune. After all, it’s easier to manage your finances if everything is in one place, right? Think again.
It’s fine to rely on one source as long as you control what happens to that stream. Imagine how stressful it must be to rely on a single place to store your money. Plus, who can feel safe with such powerful organizations? One world event or one tiny personal occurrence may be enough to put your savings at risk. Bank phishing attacks are one of them.
The problem is that banks rely heavily on data. Once a scammer steals your identity and credentials, there’s often little you can do to undo the losses. So how can you protect yourself?
Bank Phishing Explained
Banks are a favorite target for two reasons: they are data-driven, and many people use them. Although they aren’t easy to hack, the rewards are big enough to motivate cybercrooks.
And they don’t need fancy techniques to get a big prize. They only need a disguise good enough that you hand over your credentials without even realizing it.
For the victim, nothing seems suspicious. One day, you get an urgent notice from your bank. You click the link inside the message, log in, and proceed to “resolve” the reason for this urgent notice. What you don’t see is that you logged in to a fake website that has just stolen your data.
Most people realize it only when it’s too late. After you enter your password, the page may either close or redirect you to the real website. If the scammers then log in to your account, you might never know how it happened!
Scammers aren’t necessarily hackers. They may just be relatively low-skilled programmers who create website imitations to trick you and take the money out of your bank account. Even if they fail, they can still sell your information to other con artists on the dark web.
Appearances can deceive. Once you dig in a little, you can see past the superficial look and find out the truth. We’ll share tips for the many variations of bank phishing so that you can prevent it. But remember, ease of prevention depends on how much work the scammer is willing to put in. A motivated con man will find ways to get past the security layers.
You don’t need to be infallible. Just don’t be an easy target.
Types Of Bank Phishing
Have you ever received a “bank message” for no apparent reason? Perhaps you visited the official site, but your account wasn’t registered. Or a bank employee called you about some urgent issue.
Scammers use multiple ways to get around the limitations of email, such as bounce-backs, spam filters, and sender reputation. These protection layers can make the scammer’s job much harder.
These days, people use different messaging platforms, email, and social media to communicate. Right this second, scammers may be using any of the following communication methods.
Everybody knows what it feels like to be flooded with junk emails. But SMS is a different story. Short messages are not classified and filtered for spam the way emails are.
SMS is a traditional phishing channel, and it works for three reasons:
- Unlike email, an SMS has higher open and link-click rates.
- It’s easier to deceive victims. Emails include headers, links and information about the message; in an SMS, all you see is the message.
- When someone impersonates the bank, people trust text messages more than email. And it’s harder to spot a fake link on mobile without clicking it.
It’s no surprise that SMS phishing was so dangerous in the past. Eventually, banks had to message all their users to warn them about the scam and report it.
Phishing phone calls can be trickier than text messages. Unlike with email, you cannot pay as much attention to details: you are more focused on the conversation than on the scheme they are using.
Before the call, the fraudster can visit your social media profile and mention some data to gain your trust.
X Contact told me to contact you for X issue you were having...
Once they have your trust, scammers use a well-rehearsed script to answer your questions and request your credentials. After they get what they want, they tell you to wait for their next call. Then they rip you off.
Cold calls are naturally intrusive. But because the callers impersonate the bank, many people fall for this trick.
As the online community becomes more aware, email scams have become less effective. The generic phishing email no longer works the way it used to. In addition to raised awareness, many people never read half of the messages they get anyway!
That’s why con men are improving their strategy. Instead of increasing their reach, they try to improve conversions.
Here’s a basic marketing principle: customization drives sales (or, here, scam victims). There’s no point in spamming emails if nobody opens them.
Today, scammers visit your social media profile to mine data and adapt the message to you. Just adding a person’s name to the body already boosts open rates, especially if the email is from “your bank.” Spear phishing aims for lead quality over quantity.
Another variation is polarization. The scammer states information that is accurate for, say, 20% of users but wrong for the others. That 80% will ignore the email, but the 20% will trust the sender.
It’s not hard to clone a site if you have some basic coding skills. All you need to do is buy a domain, download the site’s HTML code, change a few lines here and there, and connect it to a database that stores the credentials victims type in.
It can be done within a few hours. The scammer sends you an email with a link to their phishing platform, which is disguised as the official bank site. After you enter your credentials, the clone may redirect you to the real login page, where you are asked to enter them again. You think it just “didn’t go through” the first time and simply enter them again, without noticing that your information has already been stolen.
Fake Bank Website Phishing Example
To help you understand bank phishing, we are going to look at exactly how it’s done. While this example shows phishing for personal bank credentials, phishing is not limited to banks.
Very similar instances of phishing are used to obtain sensitive information on popular shopping websites, online payment systems, membership websites, trading platforms, universities… basically anywhere a login and password are needed. The following is a phishing email, and we are going to look at how you can recognize it as such.
What you will always see with these types of phishing emails is a subject line that makes you want to click on the link. Scammers are clever and know how to lure you in with powerful words and obtain your passwords. In our example the subject is “Your Online Banking Profile had been Suspended,” which makes you want to click the links immediately because you fear something has happened.
Notice as well how the email appears to be from Royal Bank of Scotland (https://personal.rbs.co.uk). Everything is there: the images, copyright, security guarantee… But when you hover over the link, the status bar shows where the link is actually pointing! It points to a completely different domain, which hosts a duplicate of the real RBS login form (http://www.sailtitusville.com/administrator/components/Logon.html).
- DO NOT CLICK ON ANY LINKS IN YOUR eMAIL.
The links point to a fake duplicate website that will gather all your sensitive information. Your account will be stolen, and you may find it empty within minutes. For the purpose of this article we went ahead and clicked the links so you can clearly see what happens. We have, of course, never used any real information.
If you clicked on this link you were transferred to a page such as the one above, which is a replica of the original below. The scammers have actually done a rather poor replication that is only somewhat similar to the real page. It could have been replicated 100%, and then the only way to tell the two apart would be by looking at your browser’s address bar!
If we fell prey to this phishing email, our login details would be stored in the scammer’s database and they could easily empty our account.
How Do You Prevent Bank Phishing?
Most scammers prefer online phishing because there are more tools to play with. Thieves can also steal some of your personal information at an ATM. The least you can do is be aware of the scam in order to avoid it.
Unmask the scammer
Imagine we have a clone of a bank site like in the example above. How can we tell them apart?
Whenever you get an email from a bank or a similar website saying your account is restricted or banned, or that you have won something or have funds waiting… NEVER CLICK on any links in the email. Instead, manually type the address of the website into your browser and check it from there.
Legitimate emails never ask you to hand over your credentials. First type in your bank’s web address manually, then contact their support and ask them to explain the situation.
Click On Other Tabs
If you have already clicked on a link in the email or SMS and suspect you are on a fake website, click around without entering any personal information. On phishing websites, most functions are unusable except for the login page.
Keep the suspicious clone open and open the real site in a new tab. If the suspicious page isn’t working, you will notice. You could try the support section of the website to further confirm your suspicions (cloned websites probably won’t have one).
However, the best advice is not to click on anything on a fake website at all. Just close it and type the URL of your bank directly into your address bar.
Use Strong Passwords
Based on the traditional advice – which is still valid – a strong password:
- …has at least 10 characters: you must choose a password that is long enough. There is no minimum length that everyone agrees on, but you should generally choose passwords that are at least 10 characters long. A longer password would be even better.
- …contains numbers, symbols, lower and upper case letters: Use a mixture of different types of characters to make the password harder to crack.
- …is not a dictionary word or a combination of dictionary words: Stay away from obvious dictionary words and combinations of dictionary words. Each word by itself is bad. Any combination of a few words, especially if they are obvious, is also bad. For example, “house” is a terrible password, “red house” is also very bad.
- …does not rely on obvious substitutions: Don’t use ordinary substitutions either – for example, “H0use” is not strong just because you replaced an o with a 0. This is simply obvious.
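The four rules above can be turned into a checker that reports which rule a candidate password breaks, including the “obvious substitutions” rule by undoing common letter-for-symbol swaps before the dictionary test. This is an added example, not code from the article; the word list is a constructed stand-in for a real dictionary.

```python
import re
import string

# Constructed mini word list; a real checker would load a full dictionary (assumption).
DICTIONARY = {"house", "red", "password", "bank", "login", "secret", "money"}

# Undo the obvious substitutions the article warns about ("H0use" -> "house").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

def normalise(pw):
    return pw.lower().translate(LEET_MAP)

def is_word_combination(text, words):
    """True if text splits entirely into dictionary words (e.g. 'redhouse')."""
    if text == "":
        return True
    return any(text.startswith(w) and is_word_combination(text[len(w):], words)
               for w in words)

def password_problems(pw, words=DICTIONARY):
    """Return the article's rules that pw violates; an empty list means it passes all four."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("missing lower/upper/digit/symbol mix")
    letters_only = re.sub(r"[^a-z]", "", pw.lower())
    if letters_only and is_word_combination(letters_only, words):
        problems.append("dictionary word or combination of dictionary words")
    # Rule 4: only a substitution problem if the password changes after un-leeting
    # and the un-leeted form is itself made of dictionary words.
    normalised_letters = re.sub(r"[^a-z]", "", normalise(pw))
    if normalise(pw) != pw.lower() and is_word_combination(normalised_letters, words):
        problems.append("relies on obvious substitutions")
    return problems
```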
With the plethora of sites you are likely to have accounts for, there is simply no way to easily remember every single password without duplicating passwords or resorting to some sort of pattern. This is where a password manager comes in – as long as you create a strong master password that you can remember, it’s the last password you’ll need to worry about.
Use Two-factor authentication
Two-Factor Authentication (2FA) is the most effective way to defend against phishing attacks by adding an additional verification layer when logging on to sensitive applications.
Two-Factor Authentication relies on two layers of security. The first layer is usually normal authentication with a username and password. As we now know, these two can be stolen rather easily.
This is where the second layer of authentication comes in handy. To confirm your login with this second layer enabled, you will usually be asked to enter an additional code or PIN that was sent to your smartphone or another device.
Test The Phishing Website
The website isitphishing.ai is the largest publicly accessible database of fake phishing websites. You can enter your suspicious website in their search bar and it will reveal whether it is a phishing website. Keep in mind, though, that you could receive a personal phishing attack or a new attack that is not yet in their database!
Two-factor authentication works because it relies on users having two things: something they know, such as a username and password, and something they have, such as their smartphone. Even if a user’s credentials are compromised, 2FA will prevent their use, as these alone are not sufficient to gain access.
The Bottom Line
Phishing scammers use simple techniques to deceive bank users and steal their accounts. When done well, they can take millions of dollars within a few hours with relatively little risk.
Then, how do you prevent these situations?
Do you need to be smarter than them? Unfortunately, thieves are using ever subtler techniques to disguise themselves. If con men want your money, they will do everything in their power to get it. The really good ones could break many bank security measures.
Thankfully, you don’t need to outsmart the scammer to stay safe. It’s all about risk and reward: they look for the easiest victim or the biggest target.
Increase their risk. Add as much protection as you can to make scammers work hard to get through. A sufficiently large downside is more than enough to stop most phishing attempts.
Next, reduce the reward. Instead of keeping everything in one account, create several. Split your savings into three, five or ten assets so they cannot take control of everything easily.
Each security layer reduces your phishing risk further. It’s not about having an infallible system. The question is: is it worth their while to play with you?