Banking scammers up their game

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 12 Jun 2009

Australian federal police are investigating a new and intricate cyber scam that operates a fake bank call centre. It dupes customers into handing over their personal account details by intercepting their calls, and diverting them to automated computer voices.

This is according to Costin Raiu, chief security expert for Kaspersky Lab EEMEA, who says the scam is linked to a phishing campaign that mimics genuine messages from the bank.

“According to our information, this is the first time the cyber criminals are using such advanced social engineering coupled with phone call interception and redirection to scam the public,” says Raiu. He stresses that although Australia is currently the only place where victims have been reported and where police are actively investigating it, cyber criminals are quick to adopt successful methods of attack, meaning it may soon become popular in other countries as well.

“Due to the enormous growth in cyber crime and attacks targeting online banking users, the banks have taken various steps to secure their electronic systems and to protect the users from software threats,” he explains. “As it usually happens in such cases, the cyber criminals are changing their tactics to other methods, testing them to find the most successful ones.”

If this type of attack is successful, which Raiu says it has been according to reports, then consumers can expect it to become a popular method of attack that will spread to other countries. “Because of this, it is important for people to be aware of the risks and for banks to inform their customers about the dangers of targeted social engineering attacks.”

In order for consumers to protect themselves, Raiu says it is important to understand that no bank is going to call and ask for private information which they already have. “Banks are generally aware of the recent developments in social engineering attacks and do not write or call to ask for private information.”

He says that, unfortunately, there have been cases where banks call and ask for some basic information to confirm a customer's identity, such as a birthday or a secret keyword set when signing up for their service.

Raiu calls this a bad practice and says it is important to make the bank understand that authentication must work both ways. “For instance, consumers should ask the bank how they can be sure this is a genuine call from the bank.”

If the bank is unable to demonstrate this, Raiu says consumers should politely explain that it may be better to have a meeting in person.

“Under no circumstance give somebody over the phone information such as your credit card number, your online banking username and password or anything else related to your banking account, such as SWIFT numbers or private information which can be used to steal your identity,” concludes Raiu. “By following these simple recommendations, users can protect themselves from such attacks.”
