The National Telecommunication and Information Security Board (NTISB) has issued an advisory to the public and the banking sector amid a surge in financial and banking scams that use phishing and vishing (voice phishing) techniques. The Board has acknowledged that no technical control can detect or eradicate social engineering, the main tactic malicious actors use to deceive and defraud unsuspecting victims.
How scammers exploit bank accounts
According to the advisory, financial scammers combine several techniques to take over victims’ bank accounts. These include:
- Anonymity: The attackers operate over anonymous channels, which makes tracing the calls and messages back to them difficult.
- Social engineering: Malicious actors spoof bank phone numbers, or call from unknown mobile numbers or compromised WhatsApp accounts, and pose as bank employees or managers. They ask for personally identifiable information (PII) such as the internet banking username, CNIC number, debit card number and PIN. They also ask the victim to read back or forward the one-time password (OTP) sent by the bank, or to click a WhatsApp link. Because the OTP is the bank’s second authentication factor, handing it over defeats the very protection it was meant to provide; with these details the attacker can take over the account and transfer money or shop online.
- Malicious applications: The victim receives an SMS containing a link to a phishing website that imitates the bank’s website or the Income Tax Department. The page asks the user to enter personal information and then to download and install a malicious APK file, supposedly to complete a “verification” process. The app impersonates the Income Tax Department or the bank’s internet banking app. Once installed, it asks for permissions such as SMS, call logs and contacts; with SMS access it can read the OTPs the bank sends to the victim. Many of these apps also drop keylogger malware on the device. The data harvested includes full name, username, address, date of birth, mobile number and email address, as well as financial details such as account number, debit card number and PIN.
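The permission pattern described above (SMS, call logs, contacts, plus a keylogging component) is distinctive enough that a bank’s fraud or security team can triage a reported APK by its manifest alone. The following script is an added example and is not part of the NTISB advisory or any product. It assumes the manifest has already been decoded from the APK’s binary XML (for example with apktool); both manifests embedded below are constructed for the example, and the risk annotations and scoring thresholds are my own.

```python
"""Permission-based triage of a decoded Android manifest.

Added example, not from the NTISB advisory. Flags the permission set that
OTP-stealing banking malware requests: SMS, call logs and contacts, an SMS
broadcast receiver (OTP interception), and an accessibility service (the
usual Android keylogging route). Assumes the manifest was decoded from the
APK's binary XML beforehand, e.g. with apktool. Sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# uses-permission entries that let an app read or intercept SMS (OTP theft)
# or harvest identity data. The descriptions are my own annotations.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS, including bank OTPs",
    "android.permission.READ_SMS": "reads stored SMS, including past OTPs",
    "android.permission.SEND_SMS": "can forward OTPs or spread the phishing SMS further",
    "android.permission.READ_CALL_LOG": "harvests call history",
    "android.permission.READ_CONTACTS": "harvests contacts for onward targeting",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of the real banking app",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky permissions, OTP/keylogging hooks and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    risky = {p: RISKY_PERMISSIONS[p] for p in sorted(requested) if p in RISKY_PERMISSIONS}

    # A receiver for SMS_RECEIVED wakes the app for every incoming message:
    # the standard hook for grabbing the OTP before the victim even reads it.
    sms_receiver = any(a.get(ANDROID + "name") == SMS_RECEIVED for a in root.iter("action"))

    # A service bound with BIND_ACCESSIBILITY_SERVICE can observe every screen
    # and keystroke, which is how "keylogger" components on Android usually work.
    accessibility_service = any(
        s.get(ANDROID + "permission") == ACCESSIBILITY for s in root.iter("service")
    )

    # Scoring is a triage heuristic (my own thresholds), not a malware verdict.
    score = len(risky) + (2 if sms_receiver else 0) + (2 if accessibility_service else 0)
    verdict = "high" if score >= 4 else "medium" if score >= 1 else "low"
    return {
        "package": root.get("package", ""),
        "risky_permissions": risky,
        "sms_receiver": sms_receiver,
        "accessibility_service": accessibility_service,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest of a fake "tax verification" app, as the advisory describes.
FAKE_TAX_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tax.verify">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Tax Verification">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".KeyLogService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a plausible legitimate banking app for contrast.
BENIGN_BANK_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <application android:label="Example Bank"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("fake tax app", FAKE_TAX_APP_MANIFEST), ("bank app", BENIGN_BANK_APP_MANIFEST)):
        print(name, triage_manifest(xml))
```

Legitimate SMS or dialer apps request some of the same permissions, so the output is a triage signal rather than a malware verdict; the point is that a “tax verification” or banking app has no business registering an SMS receiver or an accessibility service, and a manifest that does both alongside READ_CALL_LOG and READ_CONTACTS matches the advisory’s description closely enough to be escalated immediately.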
How to prevent and protect from such attacks
The NTISB has recommended several measures to avoid such attacks. These include:
- Scammers can spoof caller ID so that a call appears to come from a bank’s official number, so a matching number is no proof of authenticity. Remain vigilant: hang up and call the bank’s helpline yourself, using the number on the back of your card or on the bank’s official website, to verify any suspicious call.
- Never give sensitive information over the phone to anyone, especially passwords, OTPs, your CNIC number and debit or credit card PINs. Banks do not ask for such information over the phone, except when you call them yourself to activate a debit card or an internet banking account.
- Do not click on links or download apps from unknown sources, including links sent by SMS or WhatsApp. Always verify the authenticity of a website or app before entering any personal or financial information.
- Use strong passwords and change them regularly. Do not reuse the same password across multiple accounts or devices.
- Enable two-factor authentication (2FA) for your online accounts whenever possible. It adds an extra layer of security by requiring a code sent to your phone or email along with your password. Never share that code with anyone: the scams described above work precisely by talking victims into reading it out.
- Monitor your bank statements and transactions regularly and report any suspicious activity to your bank immediately.
- Be aware of the common signs of phishing and vishing such as poor grammar, spelling errors, urgent tone, generic salutations, mismatched sender name and email address, etc.
The NTISB has also urged the public and the banking sector to run cyber awareness campaigns about financial scams through various forums. The Board has said that safe use of mobile devices and computers, together with compliance with security guidelines, is the only way forward.