Dubai: A national bank in the UAE is urging customers to be cautious and not to give out sensitive information to avoid becoming victims of cyberattacks such as vishing, phishing and SMiShing.
In the email warning, the bank told its clients not to fall prey to fraudsters deceitfully trying to get sensitive information from them to gain access to their bank accounts.
The bank specified the SIM swap fraud where scammers are able to get a SIM copy of a person’s registered mobile number where bank authentication codes are sent.
Nicolai Solling, chief technology officer at Help AG, said the email may be a routine one but the bank’s proactive move is necessary as more and more identity theft cases are reported each year.
“SMS here in the UAE is largely used for out-of-band authentication mechanism for financial transactions. We all get these one-time pin codes (OTPs) for important transactions,” Solling told Gulf News.
A UAE-based hypermarket chain nearly lost Dh850,000 to fraudsters who obtained a duplicate of the managing director’s SIM card in 2016 to complete a bank transfer using the OTP that would be sent to the SIM.
Lucky for the company, a bank executive busted the fraudulent act before the transfer was completed.
Attacks like this expose how vulnerable SMS is as an out-of-band authentication, Solling said.
“By the security industry standard, SMS has been considered insecure for many many years. SMSes are not encrypted. Also, many malware on mobile devices today are focusing specifically on getting access to people’s messages,” Solling said.
“Maybe sending out SMSes is not the right method anymore because attackers change methods constantly,” he said.
Cyberattacks are rife everywhere, especially in events where people are more likely to give out their information in exchange of something. For example, in the recent Fifa World Cup, Russian President Vladimir Putin said there were 25 million cyberattacks that targeted the World Cup this year.
Campaigns began as early as weeks before the tournament, said Mohammad Abu Khater, vice-president, Middle East and Africa, FireEye.
“These campaigns use several levers such as low-cost ticket offers, the chance to win a trip to Russia, promotions for items related to the World Cup (national team jerseys, mugs featuring players etc). In order to increase their credibility, attackers mostly buy domains that resonate with the World Cup event, so victims can receive spam or phishing emails,” Abu Khater said.
“The main goal in this type of attacks is to recover your banking information and force you to go through with the transaction to get the card number information, expiration date and also CVV (Card Verification Value).”
Dubai Police in June announced they arrested 33 suspects who did just the same and duped victims to divulge confidential bank details after telling them that they won in lotteries or draws that turned out to be fake.
Solling said customers are not the only ones responsible for their protection. Organisations should also think of ways to protect their business from potentially being abused by attackers.
Some banks have introduced multi-factor authentication based on smartphone apps that use smart PINs or smart passes that users should take advantage of.
“Any user of IT today needs to be extremely paranoid. One of the things that I tell myself is if it’s too good to be true, it probably isn’t.”
Common attacks
Phishing: A way to obtain personal information using deceptive e-mails and websites.
Vishing: This is the telephone equivalent of phishing where a person uses the phone to acquire information from a victim.
SMiShing: Another form of phishing where someone tricks a victim to reveal confidential information via text or SMS.
SIM swap fraud
Once attackers have your personal details and registered mobile number, they can use fake identity to obtain a SIM card.
If the attacker succeeds in getting one, your SIM will be deactivated for no reason.
How to protect yourself
If your mobile number gets deactivated for no reason, check with your telecom operator immediately.
Register for SMS and email alerts to know your transactions on your bank account. Also, take advantage of banks’ new and secure ways of banking such as using smart PINs or smart passes.
Do not respond to calls or texts asking for your sensitive information. Bank officials will never ask for your confidential details over the phone.
Never reveal answers to your “security questions” to anyone, even in casual conversations. Don’t put your birthdays, year of graduation, favourite colours etc for people to know.
Report all types of cybercrimes to police by visiting www.ecrime.ae
