Cybercriminals are increasingly using voice phishing – or vishing – to extract money
from victims’ bank accounts. Gordon Holmes explains what you can do to combat it
QUESTION TIME
Fraudsters then lead the customer through some made-up security questions and ask for details of the last three legitimate transactions. The customer is told that all cards associated with the account will be replaced and that the online accounts will need to be reset. The fraudster then tells the customer that one-time passwords will be sent by text, and that they will call back to check that these passwords are working.
The customer is asked for their online login details (I'm sad to report that these have often been surrendered), and as the phone call continues the fraudster logs into the customer's account and creates new beneficiary accounts belonging to criminal money mules.
Creating these new beneficiaries triggers one-time passwords, sent by text to the registered phone as part of the bank's two-factor authentication system. But because the customer has been primed to expect exactly such a text, it raises no suspicion that the account has been compromised.
The fraudster then calls the customer back and asks them to read out the one-time password that has just arrived by text. The criminals type this password in to authorise the new beneficiary, and money is stolen from the account. The code proves only that whoever enters it has access to the registered phone, and the customer has just handed that access over the line.
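The sequence described above (login from an unfamiliar machine, a new beneficiary, a one-time password, and a payment minutes later) is also the pattern a bank's fraud engine can look for. The following is an added illustration, not code from this column or from any bank's systems: it scores a constructed trail of session events for two of the tell-tales in the text, a login from a device the account has never used before and a payment to a beneficiary created moments earlier. The event fields, device fingerprints, account and payee identifiers, time window and score thresholds are all assumptions made for the example.

```python
"""Score an online-banking session for the beneficiary-then-pay pattern.

Added illustration only; the event schema, thresholds and sample data below
are assumptions constructed for this example, not a real bank's fraud engine.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str          # "login", "add_beneficiary", "otp_verified" or "payment"
    device: str        # hypothetical device fingerprint for the session
    payee: str = ""    # beneficiary identifier for add_beneficiary / payment
    amount: float = 0.0


# Constructed history: devices each account has previously logged in from.
KNOWN_DEVICES = {"acct-1001": {"dev-home-A"}}

# A payment to a beneficiary added within this window is treated as risky.
PAYEE_AGE_LIMIT = timedelta(minutes=30)
HOLD_THRESHOLD = 3   # assumed cut-off: at or above this, hold for a check


def score_session(events, known_devices=KNOWN_DEVICES, age_limit=PAYEE_AGE_LIMIT):
    """Return (score, reasons) for one account's events, processed in time order."""
    if not events:
        return 0, []
    events = sorted(events, key=lambda e: e.ts)
    account = events[0].account
    score, reasons = 0, []
    added_at = {}   # payee -> time the beneficiary was created in this session

    for e in events:
        if e.kind == "login" and e.device not in known_devices.get(account, set()):
            # The fraudster is driving the session from their own machine.
            score += 2
            reasons.append(f"login from unseen device {e.device}")
        elif e.kind == "add_beneficiary":
            added_at[e.payee] = e.ts
        elif e.kind == "payment" and e.payee in added_at:
            age = e.ts - added_at[e.payee]
            if age <= age_limit:
                # First payment to a payee created in the same session.
                score += 3
                reasons.append(
                    f"payment of {e.amount:.2f} to {e.payee} "
                    f"{int(age.total_seconds() // 60)} min after it was added"
                )
    return score, reasons


def decide(events):
    """'hold' the session for an out-of-band check, or 'allow' it."""
    score, _ = score_session(events)
    return "hold" if score >= HOLD_THRESHOLD else "allow"


# Constructed event trails. The first mirrors the vishing call in the text.
VISHING_SESSION = [
    Event(datetime(2015, 5, 1, 10, 2), "acct-1001", "login", "dev-unknown-Z"),
    Event(datetime(2015, 5, 1, 10, 5), "acct-1001", "add_beneficiary", "dev-unknown-Z", payee="mule-7781"),
    Event(datetime(2015, 5, 1, 10, 6), "acct-1001", "otp_verified", "dev-unknown-Z", payee="mule-7781"),
    Event(datetime(2015, 5, 1, 10, 7), "acct-1001", "payment", "dev-unknown-Z", payee="mule-7781", amount=4800.0),
]
BENIGN_SESSION = [
    Event(datetime(2015, 5, 1, 19, 0), "acct-1001", "login", "dev-home-A"),
    Event(datetime(2015, 5, 1, 19, 3), "acct-1001", "payment", "dev-home-A", payee="landlord-0042", amount=950.0),
]

if __name__ == "__main__":
    for name, session in (("vishing", VISHING_SESSION), ("benign", BENIGN_SESSION)):
        score, reasons = score_session(session)
        print(name, decide(session), score, reasons)
```

Note that a genuine customer who sets up a new payee and pays them straight away will also trip the second rule, which is why a pattern like this is normally used to trigger an extra check (such as a callback on a known number) rather than an outright block.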
CALL BACK
This method of theft is enjoying a large amount of success, but it can be defeated as long as you keep a clear head. If you receive a call from someone claiming to be from your bank, get their name, phone number and department, and then put the phone down. Next, call your bank from a different telephone, using a number you already hold (the one on your card or statement, not one the caller gave you), and check the information the original caller gave you. You should call from a different phone because there have been instances where fraudsters have simply stayed on the line, which on some landlines keeps the call open, and then answered with the name of the bank once the victim has finished dialling.
Two-factor authentication can be an effective security control, but not if you deliver the second factor into the hands of the bad guys. I'm not going to labour the point, but never give any details to anyone over the phone, and in particular never read out a one-time password: it is for you to type in, not to pass on to a caller. This might sound like obvious advice, but the authentic-sounding script the fraudsters use can be surprisingly effective.
So where are the bad guys getting all this juicy information, such as your phone number and the bank you use? More than likely it comes from a compromised, malware-infected computer, so run your regular scans and install the security software that many banks supply. You're also less likely to run into problems reclaiming your stolen cash if you have the bank's security software installed, because you can show that you took all reasonable steps to prevent your computer being compromised.
Many banks can tell if your machine is infected with malware as soon as you connect to their internet banking services, thanks to some sophisticated fraud engines sitting in the online banking infrastructure. The question is whether the banks should let you know that you are using a compromised machine.
I would argue that yes, they should. In my view the banks have a duty of care to their customers and, let's face it, if they know your machine is compromised with malicious software and merely place you on a hotlist that subjects all your transactions to greater scrutiny, this still leaves you open to a multitude of other potential criminal actions.
GORDON HOLMES
With more than 30 years of experience in law enforcement, our retired cop gives a police officer's perspective on the sticky subject of cybercrime.
letters@computershopper.co.uk
Source:Computer Shopper (May,2015)