Digital attacks continue to pose challenges to the payments ecosystem. The proliferation of payment platforms and channels and the growing number of Internet of Things (IoT) devices give fraudsters an easily reachable and rapidly expanding range of targets. Two-factor authentication that delivers a login code by email or text message has, in turn, pushed criminals toward diverting or intercepting those messages.
How does a digital attack work?
- A fraudster gains access to an individual’s email account and trawls it for banking information.
- The fraudster accesses the target’s online banking site and initiates a password change.
- The bank sends a one-time passcode (OTP) to the email account as part of its two-factor authentication protocol.
- The fraudster uses the OTP to complete the password change and gains access to the individual’s bank account. Because the code was delivered to a channel the fraudster already controls, the second factor adds no independent check.
Phishing, Vishing and Smishing
Phishing is the fraudulent attempt to obtain sensitive information or data such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Vishing uses phone calls and smishing campaigns use text or SMS messages to achieve the same end. Email, phone calls, social media and text messages are all solicitation methods by which criminals persuade individuals to divulge sensitive personal information.
Digital campaigns targeting public anxiety
The global health crisis has opened new avenues for fraudsters to exploit public anxiety. In April 2020, Microsoft intercepted and stopped a phishing campaign that appeared to offer information on the United States government’s COVID-19 stimulus programs; the campaign generated approximately 2,300 unique HTML attachments in a single day. In the same month, the UK’s National Fraud Intelligence Bureau (NFIB) uncovered a phishing campaign that directed consumers to a fraudulent site to donate in support of the UK’s National Health Service. A third campaign, uncovered in Germany, was more successful, diverting up to €100 million in stimulus funds into accounts controlled by fraudsters. That campaign pointed applicants to a fraudulent replica of the official government stimulus registration website, and anyone who registered had their personal information stolen. The fraudsters then used the harvested information to register at the legitimate government site, substituting their own bank details so that stimulus funds were wired into accounts they controlled.
Digital campaigns targeting corporations
“Spear phishing” campaigns target employees with access to sensitive or valuable information and can lead to business email compromise (BEC). This type of targeted fraud often involves criminals impersonating senior executives and sending instructions to subordinates, such as requests to pay a known supplier or to transfer funds to bank accounts controlled by the fraudsters. A compromise involving someone in the human resources function can be the first step in a more damaging attack when the hijacked account is used to send batch requests to employees for personally identifiable information (PII). Hijacked email accounts of company CEOs and presidents have resulted in the theft of employee W-2 and tax information, including names, addresses and Social Security numbers.
What you need to do:
- Educate clients and employees on maintaining device and software security, with emphasis on phishing, smishing and vishing campaigns.
- Do not click on hyperlinks in emails or text messages from unknown or suspicious sources; hover over a link (or long-press it on a phone) to confirm that the destination matches the text shown.
- Check the sender’s actual email address, not just the display name, against the organisation’s real domain, and watch for spelling or grammar errors and altered logos or images.
- When in doubt about a phone call, SMS text or email, contact the financial institution directly using a number you already hold, such as the one on the back of the card or on the institution’s own website, never one supplied in the message, and encourage customers (where applicable) to do the same.
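The sender-address and hyperlink checks in the list above, and the display-name impersonation pattern behind the business email compromise cases described earlier, can be turned into a simple automated triage step. The following Python script is an added example written for this page; it is not tooling from the original text or from any organisation it mentions. The domain examplebank.com, the protected display names (the brand and a hypothetical CEO "Jane Doe") and the two sample messages are constructed for illustration. It goes slightly beyond the bullet points by also catching homoglyph lookalike domains (rn for m, 1 for l) and a Reply-To header that diverts responses elsewhere.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the organisation's genuine domain and the display
# names fraudsters imitate (the brand itself and a hypothetical CEO, "Jane Doe").
TRUSTED_DOMAINS = {"examplebank.com"}
PROTECTED_NAMES = {"example bank", "jane doe"}
# Character swaps commonly used to build lookalike domains.
_SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain):
    """Undo common homoglyph swaps so 'exarnplebank.com' compares equal to 'examplebank.com'."""
    d = domain.lower()
    for fake, real in _SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d

def registered_domain(host):
    """Last two labels only; a production check would use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def domain_findings(host):
    """Flag a host that imitates, or merely embeds, a trusted domain without being one."""
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []
    findings = []
    for trusted in TRUSTED_DOMAINS:
        if normalize(reg) == trusted:
            findings.append(f"lookalike domain {reg!r} imitates {trusted!r}")
        elif trusted in host.lower():
            findings.append(f"trusted name {trusted!r} embedded in untrusted host {host!r}")
    return findings

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def html_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/html")

def analyze(raw):
    """Return human-readable findings for one raw RFC 5322 message; an empty list means no indicators."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    findings += domain_findings(sender_domain)
    # A familiar display name on an address outside the organisation is the classic BEC pattern.
    if name.lower() in PROTECTED_NAMES and registered_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"display name {name!r} used with external address {addr!r}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and registered_domain(reply_domain) != registered_domain(sender_domain):
        findings.append(f"Reply-To domain {reply_domain!r} differs from sender domain {sender_domain!r}")
    parser = _Links()
    parser.feed(html_body(msg))
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        findings += domain_findings(href_host)
        # Link text that itself looks like a URL must point where it claims to.
        looks_like_url = re.fullmatch(r"\S+\.\S+", text) is not None
        text_host = urlparse(text if "://" in text else "http://" + text).hostname if looks_like_url else None
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            findings.append(f"link text shows {text_host!r} but points to {href_host!r}")
    return findings

# Constructed sample messages (not real mail): a lure and a genuine notice.
PHISHING_SAMPLE = """\
From: "Example Bank" <security@exarnplebank.com>
Reply-To: verify@mail-secure-login.net
Subject: Action required: confirm your stimulus payment
Content-Type: text/html

<p>Confirm at <a href="http://examplebank.com.secure-login.net/verify">https://www.examplebank.com/login</a> within 24 hours.</p>
"""

GENUINE_SAMPLE = """\
From: "Example Bank" <alerts@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a> to view it.</p>
"""
```

Calling analyze(PHISHING_SAMPLE) returns five findings: a lookalike sender domain, a protected display name on an external address, a Reply-To domain that differs from the sender domain, a trusted name embedded in an untrusted link host, and link text that does not match its target. analyze(GENUINE_SAMPLE) returns an empty list. The registered-domain heuristic deliberately ignores public-suffix cases such as .co.uk, which a production filter would need to handle with the Public Suffix List.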