Attempts to defraud customers via digital means, and methods of protection
- The technological revolution is changing many aspects of life, including how customers use banking services: a considerable portion of those services can now be accessed conveniently through digital banking channels, at any time, from a computer or mobile phone, without visiting a branch, and at lower cost to the customer. This development also poses risks. The banking system has invested considerable resources in mitigating them; however, it is important that the public is alert as well and manages these risks on its side.
- In recent weeks there have been several attempts to defraud bank customers by technological means. The total financial damage was minimal, and customers suffered no losses.
- Against this background, we find it proper to warn banks' customers and to clarify the recommendations for dealing with fraud attempts of this type, in order to raise customers' awareness and attention and to reduce the chances that such attempts succeed. This is in addition to the risk mitigation activities that the banks carry out continuously.
- Customers should be particularly alert when they receive an email or SMS asking them to enter credentials, account details, or a credit card number.
In the past six months we have seen an increase in phishing attempts aimed at banking system customers, with the intent of stealing funds from their accounts. In the first stage the fraudster (attacker) tries to steal the customer's credentials, the ones used to log in to the customer's account on the bank's website or on payment companies' sites, and generally other personal details as well, such as the customer's credit card number. Using these details, the attacker then attempts to transfer funds from the customer's account to another account from which the attacker can withdraw them, and/or to carry out transactions at businesses.
In recent weeks there have been attempts to steal customers' personal details by impersonating PayPal, which is used, among other things, to make payments for Internet purchases in Israel and worldwide.
The attacker's mode of operation is to send an email, in English or Hebrew, to a large number of private individuals, in the hope that some of them will take it for a legitimate email from PayPal and will provide the details that enable the attacker to carry out the fraud. The email "explains" to customers that, for their own good, they must enter their personal details because of a concern that a foreign entity has used their credit card. Customers are asked to open an attachment that takes them to a site visually impersonating the company's website, where they are asked to provide details including the identification code and password for the bank's website, the account number, the customer's PayPal password, Israeli ID number, first and last name, home address, date of birth, mother's maiden name, telephone number, credit card number and expiration date, and the last three digits on the back of the card.
In these fraud attempts the attackers caused the banks minimal financial damage, several tens of thousands of shekels in total, and no damage to customers. In the current incident, the banks examined each case individually and decided whether to credit the customer according to the circumstances.
Alongside the defensive and security actions that the banks take on a regular basis, the Banking Supervision Department finds it proper to notify banks' customers of the recent fraud attempts and to clarify the recommendations for dealing with such attempts, in order to increase customers' awareness and attention and to reduce the chances of such fraud succeeding.
Several recommendations for how customers can reduce the risk and identify phishing attempts:
1. Never provide means of identification or other personal details in response to such a message, even if the reasons seem convincing (such as a need to update customer details in the system in order to improve service, or to upgrade security measures for the customer's benefit). The bank, or companies such as PayPal, will never ask the customer via email to enter such details. A request to update details occurs only after a customer identification process, for example on the bank's or the company's website.
2. Verify that the sender's address is familiar (for example, a company to which the customer subscribes) and that it is written exactly right (for example, that the PayPal address is spelled correctly, without even a tiny mistake such as an extra, missing, or substituted letter). Note that the sender name shown next to the address can be chosen freely by the sender, so the address itself, not the display name, is what must be checked.
3. Check the content of the message. Is it generic? (For example, being addressed to "Dear customer" without the customer's details should raise suspicion.) Is it in Hebrew, in the case of a bank in Israel or a domestic company? Is the wording correct and appropriate, without linguistic or grammatical errors? An email with incorrect wording, or written in a language other than the one in which the organization or service normally contacts customers, should be treated with suspicion.
4. Check the address of an unfamiliar link, to the extent possible, to verify that the customer recognizes it and that it is written correctly. A link received by email can be checked by holding the cursor over it and viewing the destination address; on a mobile phone, pressing and holding the link shows the destination without opening it. The destination address is what matters, not the text of the link, which can show one address while pointing to another.
5. Pay the same attention to SMS or WhatsApp messages received on a mobile phone that contain links to sites, and of course to suspicious email, SMS, or WhatsApp messages purporting to come from a bank or credit card company.
6. Install security software on PCs and mobile phones and keep operating systems up to date.
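The checks in recommendations 2, 3 and 4 can be applied mechanically to a message before anyone clicks. The Python script below is an added example, not part of this notice and not any bank's or PayPal's tooling: it parses an email, compares the sender's domain and every link's real destination against a small allowlist, flags domains that are within a couple of edits of a trusted one (an "extra or missing letter"), and reports links whose visible text names one site while the href points to another. The trusted-domain list, the two sample messages, the two-edit threshold and the simplified registrable-domain rule are assumptions made for the illustration.

```python
"""Added example: mechanical phishing checks for an email (not from the original notice)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the domains this particular customer actually deals with.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.co.il"}
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches one-letter typo-squats like paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplified rule (assumption): last two labels, or three for ccTLD forms like co.il.
    This is what defeats 'paypal.com.evil.net'; a real tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_domain(host: str) -> str:
    """'trusted' if exactly on the allowlist, 'lookalike' if within 2 edits of one, else 'unknown'."""
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if any(levenshtein(dom, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href is not None:
            self.links.append([href, ""])
            self._in_link = True

    def handle_data(self, data):
        if self._in_link:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False


def analyse_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    # Recommendation 2: the address, not the display name, and it must match exactly.
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    verdict = classify_domain(sender_host)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_host!r} is {verdict}")

    html = msg.get_payload()
    collector = LinkCollector()
    collector.feed(html)

    # Recommendation 4: the href is the real destination; compare it with what the link shows.
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        verdict = classify_domain(host)
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link shows {shown.group(1)!r} but goes to {host!r} ({verdict})")
        elif verdict != "trusted":
            findings.append(f"link to {host!r} is {verdict}")

    # Recommendation 3: a generic salutation instead of the customer's name.
    if re.search(r"\bdear\s+(customer|user|client|member)\b", html, re.I):
        findings.append("generic salutation ('Dear customer')")
    return findings


# Constructed sample messages (not real traffic): one phishing, one legitimate.
SAMPLE_PHISH = """\
From: "PayPal Security" <service@paypa1.com>
To: customer@example.com
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer,</p>
<p>A foreign entity may have used your card. Confirm your details at
<a href="http://paypal.com.account-verify.net/login">https://www.paypal.com/signin</a>
within 24 hours, or read <a href="https://www.paypal.com/help">our help centre</a>.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "PayPal" <service@paypal.com>
To: customer@example.com
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Dana Cohen,</p>
<p>Your receipt is in your account: <a href="https://www.paypal.com/activity">Activity</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse_message(sample) or ["no findings"])
```

Running it reports three findings for the constructed phishing sample (a lookalike sender domain, a link whose text shows www.paypal.com but whose destination is account-verify.net, and a generic salutation) and none for the legitimate one. The checks are heuristics: a message that passes them is not proven genuine, which is why the notice's final advice still applies.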
The development of digital banking, like digital developments in many other areas of life, brings considerable value to the public, and the Banking Supervision Department therefore encourages bank customers to make greater use of direct channels. Nevertheless, the digital revolution also creates risks to privacy and information security. Therefore, alongside the banking corporations' continued investment in managing the risks inherent in digital banking, customers should be more alert to email, SMS, and WhatsApp messages and hold off on responding until their validity has been confirmed.
If a customer has any doubt—then there is no doubt at all, and it is better not to respond to the notice or to click on the link before checking with the relevant bank or company.